The DPDI is Dead, Long Live the GDPR

The dissolution of parliament on 30 May before the General Election heralded the demise of the DPDI (Data Protection and Digital Information) Bill. The Bill, which was meant to bring changes to the UK GDPR, DPA 2018 and PECR, was thought to be getting Royal Assent this year, possibly before the summer recess. However, the Bill wasn’t included in the government’s ‘wash up’ period and, under the widely accepted assumption that the Conservatives’ time in government is over, it’s likely to be a long time before we see any updates to data protection law in the UK.

Some organisations we’ve spoken to were delaying taking action while they wait for the DPDI’s key changes, such as removing the requirement to have a UK representative. So, with the UK GDPR sticking around as-is for now, let’s look at how organisations can ensure they are GDPR compliant in 2024.

DPOs are here to stay, as are UK representatives

The DPDI would have watered down the requirement of a DPO (data protection officer), to be replaced by a senior responsible individual. Under the UK GDPR, a DPO plays a crucial role in ensuring an organisation’s compliance with data protection laws. A DPO is required in certain circumstances, including if your core activities involve large-scale processing of sensitive data or monitoring individuals systematically. The DPO’s responsibilities include informing and advising the organisation about their obligations under the UK GDPR, monitoring compliance, training staff, conducting audits, and acting as a contact point for data subjects and the ICO (Information Commissioner’s Office). Many organisations choose to appoint a DPO even if it’s not required, and most have somebody who is responsible for data protection across the organisation, even if that isn’t their main role or job title.

Similarly, UK representatives are essential for organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. The UK representative acts as a local point of contact for data subjects and the ICO, ensuring that the organisation complies with the UK GDPR. They can also help facilitate communication with the ICO in case of data breaches or compliance issues.

Both of these roles can still be outsourced to external agencies such as law firms or consultancies (such as DQM GRC), which allows the role to be filled by an experienced data protection practitioner without the associated cost of employing someone full-time.

Compliance is still risk management-based

Many organisations mistakenly view the UK GDPR as a set of rigid rules. However, it is principles-based and operates on a risk management framework. This means that instead of following a strict checklist, organisations must assess their specific circumstances and take proportionate actions to mitigate risks.

Data protection compliance involves understanding that higher risks require more stringent measures. For instance, conducting DPIAs (data protection impact assessments) and possibly appointing a DPO are necessary steps for high-risk processing activities. The UK GDPR provides a flexible framework that must be tailored to fit the context of each organisation’s operations, but many organisations struggle with this concept. We discussed this in-depth in another blog, in which our Head of Consultancy Louise Brooks gives her expert tips for practical GDPR compliance.

Protecting data subject rights

The UK GDPR grants several rights to data subjects, each outlined in different articles of the Regulation. Although amendments to these were proposed in the DPDI, they were substantively the same. Now, there will be no changes at all.

  1. Right to be informed (Articles 13 and 14): Organisations must provide transparent information about how personal data is collected and used.
  2. Right of access (Article 15): Data subjects can request access to their personal data and information about how it is processed.
  3. Right to rectification (Article 16): Individuals can request corrections to their inaccurate or incomplete data.
  4. Right to erasure (Article 17): Also known as the ‘right to be forgotten’, this allows data subjects to request the deletion of their personal data under certain circumstances.
  5. Right to restrict processing (Article 18): Data subjects can request the limitation of their data processing under specific conditions.
  6. Right to data portability (Article 20): Individuals have the right to receive their data in a structured, commonly used format and transfer it to another controller.
  7. Right to object (Article 21): Data subjects can object to the processing of their data in certain situations, including for direct marketing.
  8. Rights related to automated decision-making (Article 22): Individuals have rights related to decisions made solely by automated means, including profiling.

Organisations must establish procedures to respond promptly to these rights requests within stipulated timelines. It’s essential to not only create these processes but also test them to ensure that the data subject’s request is handled correctly. We’ve developed a Data Subject Rights Testing service to allow our customers to thoroughly test their processes and ensure compliance.

How can DQM GRC support your organisation?

Now that we know the law won’t be changing any time soon, we’ve highlighted some of the ways that DQM GRC can support organisations in delivering on their compliance agenda and making the most of the personal data they process.

  1. Using data protection compliance to support innovation

Proper data protection compliance can be a catalyst for innovation, as illustrated by our case study with KSS (Air Ambulance Charity Kent Surrey Sussex). KSS faced complex data protection challenges due to its life-saving operations and stringent regulatory environment. By engaging DQM GRC for bespoke consultancy, KSS was able to navigate these challenges effectively. This support enabled KSS to pursue innovative projects confidently, such as live streaming incidents to dispatchers, drone-delivered defibrillators, and robust project management systems. As a result, KSS has improved its compliance and enhanced its life-saving capabilities. To learn more about how data protection compliance can drive innovation, download the full case study from our website.

2. The importance of a GDPR gap analysis

A GDPR gap analysis evaluates an organisation’s current data protection practices against the requirements of the EU and/or UK GDPR. Whether you conduct this internally or with support from an external consultant, this analysis helps identify areas where your organisation may be falling short of compliance and highlights opportunities for improvement. Conducting a GDPR gap analysis annually is crucial for maintaining ongoing compliance. Here’s why:

  • Regulatory changes: As data protection laws and regulations evolve, an annual analysis ensures your organisation remains up to date with any new requirements.
  • Organisational changes: As your organisation grows or changes, new data processing activities may arise that require compliance checks.
  • Risk management: Regularly identifying and mitigating compliance gaps helps prevent data breaches and avoids potential fines and reputational damage.
  • Continual improvement: Annual reviews foster a culture of continual improvement in data protection practices, ensuring your organisation remains resilient and trustworthy.

By conducting a GDPR gap analysis every year, organisations can proactively manage their data protection responsibilities and maintain the trust of their stakeholders. For more information on how a GDPR gap analysis can benefit your organisation, contact us today.

Author

Add a Comment

Your email address will not be published. Required fields are marked *