Changes to UK data protection rules on the horizon - here's what you need to know: Florence Maxwell

Changes to UK data protection have been in the pipeline for several years, causing a combination of trepidation and cautious optimism amongst many businesses. At the beginning of March, the Data Protection and Digital Information Bill was introduced to the House of Commons and so implementation of the new legislation comes ever closer.
Florence Maxwell shares her expert insights

There are a number of key changes that are likely to be of interest to businesses processing personal data in the Yorkshire region.

The first relates to Data Subject Access Requests (DSARs); although they are an important tool to facilitate the rights of individuals, dealing with DSARs is often a time-consuming and costly process for organisations.

The intention of the new legislation is to ease the burden on businesses by allowing them to refuse to respond to or to charge a ‘reasonable fee’ for dealing with DSARs that are vexatious or excessive (replacing reference in the current legislation to ‘manifestly unfounded’).

The new legislation lists circumstances that should be considered when a controller is determining whether a request is vexatious or excessive.

As a result, the wider context may (to some extent) be taken into account when dealing with a DSAR, which may prove helpful to businesses in receipt of DSARs made, for example, as part of a litigation process.

Record keeping is another area earmarked for change.

Under current legislation, all organisations are required to maintain records of processing activities, with limited exemptions for organisations with fewer than 250 employees.

Under the new legislation, the requirements to maintain records of processing apply only to controllers that carry out processing which is likely to result in a high risk to individuals, and processors are required to maintain ‘appropriate records’, with some specified information that must be included.

The use of analytical cookies has been a hotly debated topic, with many businesses suffering from reduced collection of useful statistical information in order to comply with the Privacy and Electronic Communication Regulations 2003 (PECR).

Currently, consent must be obtained to use cookies except where those cookies are strictly necessary for the website to function. Under the new legislation, if the sole purpose of the cookie is to collect information for statistical purposes with a view to ‘making improvements to the service…or website’, the information is not shared except to enable the recipient to assist with making improvements, the website user is provided with clear information about the purpose of the storage or access and the website user has a simple means to object, then consent does not need to be sought from the user for cookies to be used.

There are many further changes which organisations should review and digest, including specified circumstances in which legitimate interests will be a suitable ground for processing, requirements to appoint a ‘senior responsible individual’ (as opposed to a Data Protection Officer), changes in relation to international transfers of data, updates to safeguards in respect of automated decision making, and so on.

Plenty of bedtime reading for those responsible for or simply interested in data protection compliance at their organisation.

Florence Maxwell is a Legal Director at Clarion