Data subject access requests
The Bill provides for amendments to the grounds on which organisations will be able to refuse to respond to, or charge fees for responding to data subject access requests (DSARs) in their entirety, where it is determined that such requests are "vexatious or excessive". This would replace the current threshold of "manifestly unfounded". Additionally, the Bill includes examples of what would amount to a "vexatious" and "excessive" DSAR. Currently, however, there is not sufficient detail for organisations to clearly understand when a DSAR meets this threshold, and we expect further guidance to be issued by the Information Commissioner's Office (ICO) once the Bill has been passed.
The hope is that the Bill will make dealing with DSARs more manageable for organisations in the future, however based on the current draft it is difficult to determine whether, in practice, the burden on businesses associated with responding to DSARs (which in our experience can be time and cost intensive) will be reduced.
Several changes have been proposed under the Bill in an attempt by the government to reduce certain administrative burdens on organisations in complying with the UK GDPR. These changes include:
- Replacing the requirement for organisations to have a Data Protection Officer (DPO) (where relevant) with an individual responsible for management of that organisation's privacy framework. The appointment will only be required where processing is carried out by a public authority, or where an organisation carries out high-risk processing. The senior responsible individual(s) will need to be part of the organisation’s senior management.
- Removing the need for data protection impact assessments (DPIAs) and allowing organisations to assess privacy risks in their own way unless high risk processing is likely. The ICO is expected to publish a list of the kind of processing that will be deemed to be high risk and simplifies aspects of the assessment process where an assessment is required.
- Removing the formal requirement for organisations to maintain records of processing. In practice organisations will likely find it useful to maintain this in some guise.
- Raising the threshold requiring organisations to report data breaches to the ICO.
The Bill also seeks to introduce a requirement for organisations to maintain "privacy management programmes", which is something that organisations have not previously had to have. However, the government has said that in most instances if an organisation is already complying with its obligations under the UK GDPR, the organisation will not need to make any changes to comply with the Bill.
The lawful basis of legitimate interests is to be reformed under the Bill, with a recognised "white-list" of legitimate interests being provided by the government which, when relied on, would not require a legitimate interest assessment to be carried out (e.g. processing necessary in the public interest or for safeguarding vulnerable individuals).
The new version of the Bill also examples of processing that may be deemed to be in the legitimate interests of an organisation, this includes processing for the purposes of direct marketing (it remains to be seen how this would interplay with PECR) and intra-group sharing of personal data for administrative purposes. Organisations will, however, still be required to ensure its interests are not outweighed by the data subject's rights and interests when conducting such processing which will mean carrying out legitimate interest assessments for the majority of their processing activities which rely on legitimate interests as a lawful basis.
In addition to the points raised above, there are some more technical changes being proposed in the Bill, such as an amendment to the definition of "personal data" which, if implemented, could be beneficial to organisations by making it easier to achieve anonymisation. There is also a proposal to reform the Information Commissioner's Office by renaming it the "Information Commission" and providing it with new duties such as safeguarding public and national security.