A Fresh Take on Data Usage
The Data (Use and Access) Bill (DUAB) is the UK government’s latest attempt to modernize the data protection framework. Building upon its predecessor, the Data Protection and Digital Information (DPDI) Bill which failed to pass through Parliament under the previous government, this new bill aims to simplify data access and usage for businesses, while ensuring that personal data remains protected. The government believes that by refining these regulations, businesses can operate more efficiently and foster innovation, consistent with the government’s pledge to focus on growth.
The proposed changes appear to be significantly less radical than in the previous DPDI, and this could enhance the UK’s chances of retaining its adequacy decision from the EU when it comes up for review.
Key Changes in the DUAB include:
Legitimate Interests Expansion
Under the current UK GDPR, businesses often need to conduct a Legitimate Interests Assessment (LIA) to process personal data without consent. The DUAB introduces a list of "recognized legitimate interests," such as direct marketing and the transfer of personal data between companies within the same group “for internal administrative purposes”. If your processing activities fall under these categories, you may be exempt from conducting an LIA.
Automated Decision-Making Overhaul
The bill proposes changes to the rules around automated decision-making. While the specifics are still under discussion, businesses that rely on automated processes should stay informed about these developments to ensure continued compliance.
Data Breach Reporting Alignment
To reduce the administrative burden on businesses, the bill seeks to align the data breach reporting requirements under the Privacy and Electronic Communications Regulations (PECR) more closely with the UK GDPR. This means a more streamlined process for reporting breaches, which could save time and resources.
International Transfers
The governement is keen to encourage international trade, and data transfers can to some extent hinder organisations as they struggle with documentation required, in particular in respect of transfers to third countries with no adequacy decision. Under the DUA Bill it appears that the Secretary of State will have the power to decide if a country has a data protection environment that is "not materially lower" than that of the UK, rather than current adequacy decisions being based upon regimes being "essentially equivalent". This suggests that we will see a few more additions to the list of countries where data can flow freely.
What Should Businesses Do?
While the bill aims to simplify data usage, it's essential for businesses to:
Stay Informed: Keep abreast of the bill's progress and understand how the changes might impact your operations.
Review Data Practices: Assess your current data processing activities to identify areas that might benefit from the proposed simplifications.
Engage with Stakeholders: Consider providing feedback during consultations to ensure that the final legislation addresses the practical needs of businesses.
In conclusion, the Data (Use and Access) Bill represents a significant step towards modernizing the UK's data protection framework. By staying informed and proactive, businesses can navigate these changes effectively and continue to thrive in the evolving data landscape.
Comments