The UK’s data protection laws affect all organisations that process the personal data of UK citizens — including property management businesses. In 2021, the UK Government held a public consultation to gauge response to a range of proposals to reform its data protection regime.
On 23 June 2022, it responded to this consultation, confirming which changes it wanted to take forward and the proposals it would scrap.
What does the Government want to achieve with these reforms?
According to the Government, the reforms are intended to create a system based on common sense, not box-ticking, and cement the UK’s position as a tech super-power.
The reforms are based on five key regulatory aims:
- Reducing barriers to responsible innovation
- Reducing burdens on businesses and delivering better outcomes for people
- Boosting trade and reducing barriers to data flows
- Delivering better public services
- Reform of the Information Commissioner’s Office (ICO)
The reforms generally relate to the UK’s version of the General Data Protection Regulation (GDPR), but as some data processing is regulated by other laws such as the Privacy and Electronic Communications Regulations 2003 (PECR) and the Data Protection Act 2018, reforms are suggested to these too.
What key proposals are the Government taking forward?
1. Removing the requirement for data protection impact assessments
The Government will remove the requirement for organisations with over 250 employees to have a record of processing activities. Although organisations will still need to be able to describe what and where personal data is held as part of their privacy management programme, they will not have to follow Article 30 of the GDPR. Instead, they will be able to document their processing activities in a way which is more ‘tailored’.
Under the new rules, certain records would still have to be kept, but organisations would have “more flexibility about how to do this in a way that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out.” This means moving away from prescriptive tick boxes and towards privacy management programmes designed by each organisation for its own processing.
2. Limiting subject access requests
Individuals have the right to find out what data is held on them and how it is being used by filing a subject access request with an organisation. Depending on the scope, these can take time and resources to process, and as no fee can be charged, the organisation is not recompensed for its expenses.
In its original proposal, the Government considered introducing a mandatory fee structure like that used for Freedom of Information (FOI) requests to public authorities to discourage time wasting.
After concerns were raised about how this would affect data subject rights, it has chosen not to take this forward. However, the threshold for refusing or charging a reasonable fee for a subject access request will change from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. This is intended to cut down on the number of requests designed to cause annoyance.
3. Different approaches to handling cookies
Currently, if a UK organisation would like to collect data on its customers by using cookies, the customer must consent to this by confirming on a pop-up banner. As these appear when visiting virtually any website for the first time, they can be annoying. What’s more, the ability of the customer to refuse to be tracked has frustrated businesses that would like to use audience data to improve their services.
The Government has now confirmed that it intends to remove the need for websites to display cookie banners to UK residents. Until this happens, it will allow cookies to be placed on a user’s computer or device without explicit consent for a number of what it calls ‘non-intrusive’ purposes.
In the future, it intends to move to an opt-out model of consent, where cookies could be allowed by default, but the user is given clear information about how to opt out.
These changes could have major consequences for almost any business with an online presence by making it easier to gain data on customers.
4. Clearer guidance around the anonymisation of data
Current law prohibits organisations from processing personal data unnecessarily. They can ensure this through anonymisation, where an individual is not identifiable in the data, or pseudonymisation, where the person can only be identified with additional information. The guidance around this is unclear, so some organisations believe they have anonymised data when in fact they have not, and as a result fail to meet their data protection responsibilities.
To provide clarity, the Government will establish exactly when and how anonymisation should be used. In legislation, it will create a test for when a subject should have their data anonymised using the wording set out in the explanatory report to the Council of Europe’s Convention 108+.
5. Clearer definitions of what constitutes legitimate interest
Currently, one of the grounds organisations can use to justify the processing of data is ‘legitimate interest’. The guidance on this can be unclear, especially around the balancing test, in which the need to process personal data is weighed against the individual’s interests, rights and freedoms. This has led organisations to ask for consent when it isn’t technically needed.
The Government proposes to create a limited list of legitimate interests for which organisations can use personal data without applying the balancing test. The initial list of processing activities will be able to be updated following parliamentary scrutiny.
6. Reforming the ICO
The Government will reform the structure of the Information Commissioner’s Office to bring it in line with other regulators like Ofcom (the Office of Communications) and the FCA (Financial Conduct Authority).
This means appointing an independent board and chief executive. It will also be providing the ICO with a clear framework of objectives and duties that it can use to prioritise its resources. This is intended to refocus the organisation on responsible data use and threats to public safety rather than the marshalling of individual complaints.
7. Reforms to adequacy regulations
The UK and EU have both agreed that personal data can only be transferred to another country if that country provides an adequate level of protection.
Following the UK leaving the EU, the EU adopted two adequacy decisions in June 2021: one for the protection of personal data and one for the processing of data for the purposes of law enforcement. These enable data to continue to flow freely between the countries. In response to the consultation, the ICO observed how important it is for the UK to maintain this status.
The EU’s current adequacy decision expires in 2025 after four years. The Government intends to relax the current requirement to review adequacy decisions every four years in favour of what it calls “a well-functioning, rigorous and ongoing monitoring process”.
Most importantly, any changes the UK makes to its data protection regime must be compliant with EU standards.
What’s been happening since the consultation ended?
With the reforms to be implemented confirmed, the next step for the Government is to put them into law. Unfortunately, the consultation does not give an idea of when this might happen.
Looking at the list of reforms, it is clear that the way organisations collect personal data will change substantially. Any lettings or block management agency that carries out marketing activity online and collects the data of UK citizens will need to take this into consideration as they plan for the future.
What other compliance changes will affect you? We ran down the year in regulations in Regulatory Changes Affecting Letting Agents and Landlords 2022, our ultimate guide to the new standards impacting lettings.