We’re starting to get a better idea of how data protection will look over the coming years in light of the UK leaving the EU.
In September, the UK government published its proposed reforms to data protection. This covers many aspects of legislation currently in force to allow the UK to “reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country”.
The changes also intend to take account of lessons learned during the COVID-19 pandemic, when data processing systems had to be created and put into action on a scale and at a speed rarely seen.
A key aspect of ensuring the changes are effective will be to engage closely with both data controllers and organisations representing data subjects as the proposals develop.
With that in mind, the DCMS (Department for Digital, Culture, Media & Sport) hosted a roundtable discussion with the DMA (Direct Marketing Association) and some of its members, including Experian, Direct Line and Asda. This highlighted several issues.
Availability and use of legitimate interests
Of particular interest in the world of direct marketing is when and how the legal basis of legitimate interests can be used as part of campaigns.
Before the GDPR (General Data Protection Regulation) came into effect, organisations were concerned about how tightened rules on consent would impact their ability to communicate with customers. Cue the avalanche of reconsenting emails received by everybody in the run-up to May 2018.
However, there are circumstances where consent is not necessarily required for communications.
Organisations can also use legitimate interests when, for example, communicating with existing customers.
However, as the DMA notes: “The alternative in appropriate circumstances of using legitimate interests means that the controller takes greater responsibility for the way data is used and ensures that the processing has reasoning documented behind it.”
In the case of existing customers, this reasoning would be based on the idea that the customer has an interest in what the organisation offers, and the organisation has an interest in maintaining that relationship to encourage repeat custom.
A problem for many organisations is that they don’t have the in-house expertise to make a call on using legitimate interests and to feel confident doing so. Some organisations may have relied on consent in the past and not be certain whether, or how, they can move to legitimate interests.
A proposed solution is to include specific examples of when legitimate interests is an acceptable basis for communicating with customers. Some examples are included in Recital 47 of the GDPR:
“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
However, the recitals are provided for guidance and do not form a legally binding part of the GDPR. As such, data controllers are sometimes not confident that they will be adequately protected if their decision is contested.
The nature of direct marketing means that thousands of organisations around the country conduct very similar activities in terms of communicating with customers. By enshrining in legislation what a compliant marketing campaign based on legitimate interests looks like, data controllers will feel more confident about using it as a basis.
Automated decision-making and data rights
The second issue discussed was whether greater clarity could be provided on when automated decision-making can be used by data controllers. The GDPR provides data subjects with the right to object to automated processing, particularly in situations where the decision has “legal or similarly significant effects”.
There are some circumstances in which clearly an automated decision is having a significant effect, such as when being used to determine whether somebody is eligible for a loan.
However, where a decision stops being considered significant is open to interpretation. The DMA members “felt it was extremely important to get greater clarity on what were ‘legal effects or similarly significant effects’”.
A potential solution is to include specific examples of common decisions to act as a guide for data controllers. There is debate about whether such a list should be made up of activities that are acceptable to leave to automated decision-making, or actions that cannot be left to automated decision-making.
While there are advantages to both kinds of list, the prudent approach would be to include only a list of permitted activities within the legislation. Creating a legally binding list of prohibited activities could lead data controllers to consider any other activity, or any prohibited activity tweaked enough to be legally distinct, as acceptable.
This raises the risk that as time goes by and technology develops, an increasing number of significant decisions will be automated and data subjects will have less power to raise objections because they have not been included in the legislation.
Including a list of permitted activities in the legislation would enable the government to address activities that are commonplace across industries. This has the advantage of providing reassurance to data controllers that their activities are legally permissible, while not harming data subjects when they are subject to a decision whose significance may be in a grey area.
Reducing burdens on business and delivering better outcomes
An issue faced by many organisations regarding GDPR compliance is the additional administrative burden.
This is particularly the case among small and medium-sized organisations, where there may not be staff with sufficient expertise to ensure compliance. The proposed reforms aim to “maintain high data protection standards without creating unnecessary barriers to responsible data use”. To achieve this goal, several solutions were discussed during the roundtable.
One significant change in the proposal is the reintroduction of fees for making DSARs (data subject access requests). The fee structure would be based around that currently used by the public sector when managing Freedom of Information requests.
The logic behind this would be to discourage unnecessary requests, and requests whose intention appears to be to cause disruption rather than a genuine desire to access the information.
The DMA members did not support the reintroduction of fees for making requests, stating that “if a company has implemented an appropriate privacy by design regime then responding to [DSARs] should be considered part of the customer experience”.
However, there was support for more clarity on when a request can be considered an abuse of the right of access intended to cause disruption, particularly in situations where there is an ongoing dispute between the data controller and one of its employees.
Another issue discussed was loosening the legal requirements for when an organisation requires a DPO (data protection officer).
This has been an ongoing concern since the GDPR came into effect, particularly among smaller organisations where there is less likely to be a person who has data protection expertise and where conducting their DPO duties wouldn’t introduce a conflict of interest.
Many smaller organisations currently don’t have DPOs. Rather, they will create a ‘data protection manager’ role, or similar. This person is responsible for overseeing data protection within the organisation, but doesn’t have to meet the stricter requirements of a DPO as outlined in the GDPR.
The DMA members felt that a change in the legislation to reflect the reality on the ground would be useful for SMEs, particularly regarding the need for DPO independence. However, there was also broad support for maintaining the DPO role as currently set out in the GDPR.
Another area discussed regarding the administrative burden, particularly for SMEs, was the threshold for breach reporting.
While larger organisations liaise frequently with the ICO (Information Commissioner’s Office) and have a good idea of when a breach needs to be reported, greater clarity in the legislation on when a breach must be reported would help SMEs.
Impact of data adequacy with the EU
Since leaving the EU, the UK has become one of 13 jurisdictions around the world that are considered to have equal or better data protection regimes than the bloc. Therefore, data sharing can take place between them with a greatly reduced administrative burden.
All the attendees stressed the importance of maintaining this data adequacy. As such, any proposed changes need to be made with an eye on whether they would be acceptable to the EU.
Concerns were raised that “some of the government proposals such as removal of Data Protection Impact Assessments from the accountability framework could be triggers for the EU. Likewise removing Article 22 completely would likely be a trigger as would any significant reduction of ICO independence in Chapter 5.”
The roundtable provided a stark reminder to the DCMS of how important data adequacy is to business and that any decisions must be made with this in mind.
Clarity vs futureproofing
Although the proposal has the potential to help organisations by providing more clarity, it does introduce other concerns. The sometimes vague nature of the GDPR was designed to futureproof it against technological improvements.
If the Regulation lasts as long as its predecessor did, then it is going to need to remain relevant and enforceable until the late 2030s. Any legislation that is more specific will need to be reviewed on a more regular basis to take account of changing technologies and techniques.
The proposal also raises the risk of legislation and the ICO becoming reactive to developments rather than leading the way. This doesn’t have to be the case, but it will require a significant commitment of government resources and legislative time to keep the law one step ahead.
The proposals are still at an early stage, and the roundtable has highlighted the importance of government working with all stakeholders while drafting its changes.