On January 1 2021, the UK formally and effectively left the European Union. As a result, the EU GDPR no longer applies in the UK. Currently, the UK DPA 2018 sets out the data protection framework in the UK.
Are you UK-DPA compliant? What are some of the expected data protection reforms from UK authorities?
Join our panel in this webinar as we explore the current rules on transfers of personal data between the UK and the EU and how your company can comply.
This webinar will review:
- What Brexit changes in terms of data privacy
- The main differences between the UK-DPA and the EU-GDPR
- How to become compliant in both the EU and the UK
Agenda
• UK history: 1984 Act, 1998 Act, 2018 Act
• DPPECR amendments 2019 and 2020
• UK GDPR vs EU GDPR
• DCMS data transfers assessments and EU vs UK adequacy targets
• Consultation on UK DP reform
• Potential UK Data Reform Bill: Queen’s Speech announcement
Long history of respect for privacy - and long before the EU!
“The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storm may enter; the rain may enter; but the King of England cannot enter -- all his force dares not cross the threshold of the ruined tenement!”
William Pitt the Elder, “Prime Minister” (speaking against taxation, Cider Bill 1763)
UK Data Protection History
Data Protection laws
• 12th July 1984 - Data Protection Act. Only computerised data. Based on CoE Conv 108.
• 16th July 1998 - Data Protection Act. Manual data, more rights. Based on 95/46/EC (EU DPD). (Later the PECR in 2003, in response to EU ePrivacy Directive 2002.) HRA 1998 - general right.
• 24th May 2018 - Data Protection Act. Accountability, DPOs, DPIAs, ROPAs. Based on 679/2016 (EU GDPR). Sets up ICO powers, national security, law enforcement, legal basis, exemptions etc. New Data Protection Charges and Regulations. Fees.
• 1st January 2021 - EU Exit Amendments. Jan 1st 2021 - “UK GDPR”; processing earlier subject to “EU GDPR”. The Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 and 2020 amend DP and PECR.
• ?? ??? 2022 - Data Reform Bill announced in Queen’s Speech June 2022. Based on DCMS Consultation “Data: A new Direction” Sept 2021.
UK GDPR versus EU GDPR
UK’s DATA PROTECTION ACT 2018…
AS AMENDED BY...
THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC)(EU EXIT) REGULATIONS 2019, made on 29 February 2019
AS AMENDED BY…
THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC)(EU EXIT) REGULATIONS 2020, made on 14 October 2020
KEELING SCHEDULE = A TRACK CHANGES DOCUMENT
EVERYTHING AND NOTHING CHANGED!
REAL CHANGES…
ICO no longer an EU supervisory body; cannot attend EDPB.
Where previously ICO was lead EU SA, organisations have to change to a new lead SA and get any “approvals” (such as BCRs etc.) re-approved by an EU SA.
UK now a “Third Country”, granted six months to gain adequacy from the European Commission.
UK DCMS takes on the “EC role”, including the power to grant UK adequacy decisions.
UK achieves adequacy in 2021 for LED and GDPR, and promptly announces intention to… “unleash data’s power across the economy and society for the benefit of British citizens and British businesses”
New ICO John Edwards takes up post in Jan 2021.
ICO issues IDTAs (UK alternative to EU SCCs for international data transfers) with SCC “add on” annex.
1st January 2020+ = UK GDPR
DCMS Adequacy Process
The jurisdictions listed as high priority for UK adequacy decisions are: Australia; Brazil; Colombia; the Dubai International Financial Centre; India; Indonesia; Kenya; the Republic of Korea; Singapore; and the U.S.
Apart from South Korea, none of these is EU adequate, creating the possibility of EU “onward transfer” risk.
DCMS position is “why should our adequacy be less valid than the EC’s?”
(NOTE: EU and EEA Member States are already recognised as adequate by the UK, in addition to EU-adequate jurisdictions at the time of exit such as Argentina, Canada, Japan, Switzerland, New Zealand and Israel.)
“Could be we are doing the EC’s homework for them”
Adequacy Process
• Gatekeeping stage: consideration of whether to commence an adequacy assessment in respect of a country, by reference to policy factors, including high standards of data protection and the UK's strategic interests
• Assessment stage: collection and analysis of information relating to the level of data protection in another country; this will look at questions based on key principles of the safeguards in the UK GDPR, while recognising that countries protect personal data in different ways
• Recommendation stage: officials will make a recommendation to the Secretary of State for Digital, Culture, Media and Sport, who will, after consulting the Information Commissioner and any others considered appropriate, decide whether to make a determination of adequacy in respect of a specific country
• Procedural stage: making relevant regulations - and laying these in Parliament - to give legal effect to an adequacy determination
Data Protection Reforms
Key proposals from the “Data: A new direction” consultation, published Oct 2021
• Remove barriers to innovation; easier use of algorithms, AI, machine learning and research/analytics data
• Removing transparency requirements for research, making further uses of data for research always legal
• List of “pre approved legitimate interests”
• Remove or restrict Article 22 rights regarding automated decision making
• Re-introduce fees for subject access requests
• Extend marketing soft opt-in rule
• Reform accountability provisions (restricting or removing DPOs, DPIAs, prior consultation, PbD, ROPAs, breach reporting etc. etc.) as “EU red tape” introducing costs without benefit
• Permitting analytics and other similar cookies/tech without consent/notification
• Add extra lawful basis for “democratic engagement”, and “substantial public interest” extended
• Risk-based approach to adequacy decisions
• More government oversight of ICO, including powers to overturn ICO decisions where not in the “economic growth and innovation” of the UK, and SecOfState to carry out reviews of ICO performance
DON’T PANIC!
Response to Consultation, published June 17 2021
1. DPOs, DPIAs, Prior Consultation, ROPA - replaced by risk-managed privacy programme; must have senior representatives responsible for DP, may still have data inventories, and ensure risk assessment for high-risk activities.
2. Breach reporting, DSARs, Automated Processing - no changes or charges, but add “clarity”, and expand on exemptions for “manifestly unfounded” and “vexatious and excessive”.
3. PECR and Cookies - aim to remove cookie banners by long-term adding a browser-based solution; short-term change to opt-out (opt-in for kids), extend purposes where no consent required (analytics?). Expand soft opt-in for charities and political parties. Raise PECR fines from £500k to GDPR equivalent (£17.5m or 4% GAT).
4. Anonymisation - add a risk-based relative test and “clarify”.
5. Legitimate Interests - taking forward a “carefully defined” list where LIAs are no longer required; crime/safeguarding mentioned. Government can add to the list with parliamentary scrutiny.
6. Data Transfers - keep DCMS target list. Change to risk- and outcome-based. Remove 4-year periods for ongoing monitoring. SecOfState can create more mechanisms.
7. AI and ML - new sensitive data legal basis to allow for monitoring/correcting bias in AI systems. Add “clarity” around safeguards for AI and Automated Decision Making.
8. ICO - add chief exec and management board, DCMS appoint non-execs, add an experts panel, publish KPIs, potential name change, potential for more government oversight and approval of codes of practice and guidance.
https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation
One last word…
“...Now that we are no longer part of the European Union, we have the opportunity to create an agile, light touch and forwards looking regulatory eco-system for digital tech. This will stimulate innovation and allow our tech sector to thrive, while protecting businesses and consumers…”
“Consumers” is a US word; the EU focuses on fundamental human rights. Poor drafting or deliberate choice…?
“…A person/human has rights, A consumer has only a small amount of choice and control… (Heather Burns)”
Is this sentence indicative of a new UK government approach: less EU, more US?
DCMS new Digital Policy strategy June 2013
Thank You!
See http://www.trustarc.com/insightseries for the 2022 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.