My answer to that question is this:
"if it looks like a duck, walks like a duck, and talks like a duck…well it’s probably a duck."
Firstly, I want to point out that I’m not a lawyer or an accredited DPO. I’m just a privacy tech enthusiast and data practitioner who has dedicated the last 7 years to reinforcing trust by rethinking personal data, to help deliver positive outcomes for individuals, commerce, and society.
Figure 1. Final TIGRR Report (Taskforce on Innovation, Growth and Regulatory Reform in a post-Brexit UK)
I read the government’s TIGRR report, which first gave us a taste of what the consultation paper would deliver. I also read all the comments on LinkedIn: the authors don’t know their a5$e from their elbow, repeat after me cookies are regulated under PECR not GDPR, the government wants to throw our data to the wolves, outsourced DPO firms should be worried…
I therefore started to read the paper in trepidation, as I expected much of the hard work that the team at DataGuard and I had put into protecting the people behind the data to be ripped up.
In this article
- A more pragmatic framework
- The report's highlights
- Chapter 1 - Reducing barriers to responsible innovation
- Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
A more pragmatic framework
In summary, my opinion on the new proposals is positive. Anything that delivers a more pragmatic framework, one that more businesses are likely to understand and adopt and that protects more people behind the data, will always get a thumbs up from me.
The consultation paper includes a detailed, intelligent, and thought-provoking set of suggested amendments and proposals to the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR). If just a few of the suggested amendments are implemented, we will potentially see a significant change to existing frameworks, but not enough for businesses who have embraced the UK GDPR to worry.
We have until 19 November 2021 to provide feedback as part of the consultation process. This provides a great opportunity for organisations and individuals to influence the future direction of the UK data protection framework.
Why has this consultation paper been published? It is part of the UK’s so-called ‘Brexit Dividend’: taking advantage of the UK’s new-found regulatory freedom to support innovation and growth. The UK government believe that by allowing data to flow more freely, huge societal and commercial benefits can be gained.
Will it deliver? In a nutshell, I think so. Paragraph 11 sets the scene and the context in which the paper should be read.
The reforms presented for consultation deliberately build on the key elements of the current UK General Data Protection Regulation (UK GDPR), such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement. These key elements remain sound, and they will continue to underpin a high level of protection for people's personal data and control for individuals over how their data is used. Organisations have invested in understanding, complying with and implementing this regime, and the ICO's toolkit for supervision is fundamentally fit for purpose. The reform proposals offer improvements within the current framework, while maintaining the UK's worldwide reputation for high data protection standards and securing public trust.
The UK government do appear to be committed to working with all stakeholders and the ICO to secure a pro-growth and an even better and trusted data regime.
The report’s highlights
I’m not going to focus on every chapter or section of the report; after all, there are 5 chapters and 410 paragraphs over 146 pages. I’m going to highlight the sections and paragraphs that are of interest to me. I have purposefully not commented on certain sections, such as Adequacy, as there are far better qualified people to do this than me.
Chapter 1 - Reducing barriers to responsible innovation
Chapter 1 focuses on clarifying the circumstances in which data can be used for further processing and when legitimate interests can be applied, to give data controllers greater confidence. It also seeks to give greater clarity on when AI and Machine Learning leading to automated decisions can be used.
Re-use of personal data
The Government heard from stakeholders that the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.
This reminds me of research published by Boston Consulting Group back in March 2018, which highlighted that companies are being recklessly conservative about data usage. They are failing to use data for new purposes that are acceptable to consumers, out of fear of breaching regulations that are often not defined clearly enough.
With a lack of case law or regulatory guidance, which would likely take years to develop, it would make sense to provide greater clarity and certainty for organisations about when and how they can use personal data. The consultation paper even suggests that the law should better reflect people’s views about how they expect their data to be used and when they should actively give their consent. Amen to that!
I do, however, have some concerns about how far these legal clarifications will go, especially paragraph 54.b, which covers when personal data may be re-used by a controller other than the original controller who collected the data, and whether this constitutes further processing. I fear Google DeepMind and NHS data all over again.
Providing a limited, exhaustive statutory list of specific low-risk purposes for which Legitimate Interests can be applied by default would help address the consent paradox we see today, which ultimately leads to less control of personal data. It would reduce the burden on organisations, as the balancing test would not be necessary. However, for all activities not on the list the balancing test would still be required.
The consultation paper reinforces the requirements to deliver transparency and meaningful control to individuals over how their data is processed. My response to these proposed changes for Legitimate Interests is that the processing activity must be clear to the individual and not buried in lengthy privacy notices, and they must be given the chance to object at the point of data collection, or have a simple mechanism to raise an objection at a later date.
AI and Machine Learning
The paper outlines a number of potential reforms to regulate AI and automated decisioning systems. This area is crying out for public consultation, and the Government recognises it doesn’t have all the answers. It recognises that organisations developing and deploying AI tools responsibly would benefit from the freedom to experiment where it does not cause harm, and is considering how to develop a safe regulatory space for the responsible development, testing and training of AI.
The paper addresses Article 22 of the UK GDPR, which contains specific provisions on automated individual decision-making and profiling. Because not all AI systems automatically trigger the application of Article 22, there is often confusion, leading to a lack of innovation.
My read of the paper is that whilst the TIGRR report has recommended scrapping Article 22, the Government wants to work with stakeholders to ensure the decision is informed and safeguards individuals. This consultation paper is the perfect opportunity to provide that feedback.
My view is that whilst Article 22 is likely to be replaced, the fundamentals will remain: protect individuals, give better clarity to organisations on what can and can’t be done, and ensure innovation in this exciting field delivers societal benefit.
Innovative Data Sharing Solutions
As a founder of a consent management and compliant data sharing solution, it was pleasing to see the Government is keen to encourage innovation in the way data can be shared, and the growth it can bring, both economically and for society. This section invites views on the Government’s work to support innovative data sharing solutions whilst maintaining protections for individuals.
The topics covered include the role data intermediaries can play in ensuring individuals’ rights are observed and respected, whilst also helping with the data stewardship of managing data collection, sharing, access and responsible use, all in an efficient manner.
The paper also addresses what lawful basis other than consent may be applicable to data intermediary activities. This is an area of debate I’ve often found myself in with fellow MyData Global members. I’m a fan of enabling data to be shared transparently for fair and lawful purposes, and not always relying on consent. If a consent-only model is adopted, the data set will undoubtedly be heavily biased and lacking in volume, limiting innovation and growth. Ensuring data subjects are aware of the value or social dividend their data is generating, whilst also giving them meaningful control of that data, will deliver the best outcomes for all.
Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
This chapter is probably the one grabbing all the headlines, as the government is proposing substantial changes to the current accountability standards, which may lead to revoking the existing obligations to perform data protection impact assessments (DPIAs), maintain records of processing, and appoint a data protection officer.
Reform of the Accountability Framework
Whilst the Government remains committed to high standards of data protection, the paper concludes that the current model of prescribing a series of activities leads to a box-ticking compliance regime and therefore proposes to place a new duty on controllers to implement a risk-based ‘privacy management programme’ (PMP).
A PMP would essentially be a form of compliance governance framework, which is intended to introduce a more ‘holistic’ and less rigid approach to accountability.
And this is where the ‘if it looks like a duck, walks like a duck and quacks like a duck, it probably is a duck’ comes in. If small business owners think they no longer need to bother with data protection, the consultation paper suggests that the PMP would need to include clear roles and responsibilities, including who is designated as the responsible individual(s) for the privacy management programme and for overseeing the organisation's data protection compliance. It goes on to say the designated individual(s) will also be responsible for representing the organisation to the ICO and data subjects where necessary.
Looks like a duck!
The PMP would need to include measures that include personal data inventories, internal data protection policies, risk assessment tools, procedures for communicating with data subjects about their data protection rights and the organisation's policies and processes, as well as plans to monitor, assess, review and revise the PMP.
Walks like a duck.
Whilst the requirement for a ROPA is being removed (well, not really), I found that organisations implementing the GDPR in 2017/2018 considered the ROPA process extremely valuable in delivering efficiency and generating greater value from their data. The new requirements under a PMP would still require certain records to be kept, and Articles 13 and 14 of the UK GDPR will still require much of the same information to be recorded in privacy notices.
Quacks like a duck.
If a PMP makes it easier for a business to understand what is required, and can be certified just like an ISMS (ISO 27001), then I’m all for this approach, as it will mean more businesses adopt it, leading to a higher level of protection for individuals.
There are business benefits to having high standards of data protection too: Cisco’s benchmark study in 2020 showed that over 70% of organisations receive significant business benefits from privacy, such as operational efficiency, agility, and innovation.
Subject Access Requests
The Government are proposing to introduce a fee regime for subject access requests, primarily to reduce the burden on organisations. I did find this conflicts with the proposal to reduce the burden on the ICO from the number of complaints they receive by getting the data subject to take their complaint up directly with the organisation.
Personally, I’m against both these proposals, as SARs keep organisations accountable and complaints keep them on their toes. Making the general public aware of when a complaint will and won’t be followed up, just like the proposal to better define when a reportable breach is not a reportable breach, is likely to deliver the same result whilst allowing ‘free’ SARs to continue.
Privacy and electronic communications (mainly Cookies)
Removing the obligation under PECR to obtain consent for analytics cookies makes a lot of sense. Organisations getting back to better understanding how their website is performing and how individuals interacted with the site, so that better experiences can be delivered, is all good, subject to the correct safeguards being in place. Adding analytics cookies to the statutory list of Legitimate Interests is likely to be a good thing.
However, the Government is also considering allowing the collection of information for other purposes that are necessary for the legitimate interests of the data controller, but only where the impact on the privacy of the individual is likely to be minimal. The paper does state that these options would not permit privacy-intrusive technologies such as micro-targeting, real-time bidding, and invasive tracking. Analytics cookies are easy to explain; everything else is vague and shouldn’t be considered.
Aligning the maximum fines for infringements of PECR (currently set at £500,000) with those under the GDPR will certainly help maintain accountability.
One final point on PECR, and one for my charity friends who have often complained about the unfairness of not allowing charities to use the soft opt-in for email. The consultation paper proposes to extend the soft opt-in to organisations other than businesses where they have previously formed a relationship with the person. This feels like a big potential win for charities.
In summary, this paper details a sensible set of proposals with the overarching goal of improving the UK GDPR and the protection of data subjects. It focuses on building trust and transparency to deliver better outcomes for individuals and society. It is driving towards a more pragmatic accountability framework, which is likely to be adopted by more organisations.
These are only my opinions and comments on the paper, and I’m sure many people will have different views. We all have until 19 November to submit our comments and get our views heard.
Data: a new direction