The “Data: a new direction” Bill is supposed to establish the UK as ‘the most attractive global data marketplace’, but will it?

By Rob Masson, CEO, The DPO Centre

What are the implications for the financial services sector?

In June this year, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) published its response to the consultation entitled “Data: a new direction”. The Data Reform Bill will essentially replace the UK GDPR, a pivotal piece of EU legislation for the financial services industry, and one that caused great upheaval, including significant organisational change, when it was introduced in 2018.

Although the new UK Data Protection and Digital Information Bill was introduced to Parliament, its second reading has been postponed following election of the new Prime Minister, Liz Truss; further adding to the uncertainty. The DCMS consultation received a mixed reaction from many privacy experts across the country questioning some of the proposals.

In the latest UK Data Protection Index results, 81% of UK data experts indicated that the proposal to remove the current requirement on certain organisations to appoint a DPO and instead only designate a “Senior Responsible Individual” (SRI) to oversee the organisation’s privacy management programme will not be in the best interests of the data subjects (which includes customers, employees and suppliers). In addition, 69% of the panel indicated that they think it won’t save their organisation any money, something the DCMS stated as being their main justification for change. Furthermore, 82% of privacy experts indicate that they do not expect the new regime will simplify privacy management.

The DCMS consultation on data protection is continuing to cause confusion and, until more guidance is published on what these changes will mean for businesses, it is likely to remain that way.

The concern is that organisations will try to change before the new framework is in place. Organisations need to understand that any regulatory change is unlikely to be realised for many months, or even years from now. Therefore, businesses should be mindful of the fact that the UK GDPR still stands and still applies. This won’t change unless the Bill is approved along with a likely sunset period to adopt the new regime.

Whilst there are areas where the GDPR can be improved, there are concerns that a departure from the key principles of the GDPR will mean a significant operational and compliance burden for the financial services industry. It is likely going to have an impact on finance organisations that have operations within both the UK and the EU, and who rely heavily on transferring data between the two. Many have expressed their concerns that a new legislation could leave individuals confused about how their data is protected.

The purpose of the Bill is to provide clarity for data subjects, organisations, and the Information Commissioner’s Office (ICO) and to “establish the UK as the most attractive global data marketplace”. But will it? Here is a summary of three key areas financial services organisations should have on their agenda.

Accountability: Perhaps the most important of the GDPR’s seven principles. The accountability principle requires controllers to take responsibility for complying with the GDPR and documenting their compliance.

Despite the consultation response highlighting that the majority of respondents disagreed with the proposals to create a more flexible accountability framework, a more flexible accountability framework is what the UK shall be getting.

In essence, this means replacing the Data Protection Officer role in organisations with a “senior individual responsible” for the organisation’s privacy management programme; swapping Data Protection Impact Assessments (DPIAs) for alternative risk assessments; and trading in the requirement to maintain a Record of Processing Activities (RoPA) for other more flexible record keeping obligations.

We at The DPO Centre, and many data privacy professionals, are puzzled by this. The government’s consultation stressed in several areas how the proposals were similar to what already exists. Considering there was a clear indication that the industry believed greater flexibility was not necessary, it is difficult to see the benefit of the new proposals.

Data Subject Rights: Perhaps one of the most controversial suggestions raised in the original consultation document was the re-introduction of a nominal fee for individuals submitting Data Subject Access Requests (DSARs). Unsurprisingly, this suggestion was largely disagreed with as an affront to individuals’ right to their data and, fortunately, the government confirmed that this would not be going ahead.

However, this area is not devoid of change, with the response confirming that the “manifestly unfounded or excessive” threshold for refusing a request will be reduced to “vexatious or excessive”.

To our mind, this change of language is a positive thing, given the nebulous definition of “manifestly unfounded” that organisations are currently working under. We therefore hope that this will make it easier for all organisations to identify scenarios in which they are justified in refusing a request while ensuring that genuine requests are dealt with thoroughly and appropriately.

E-privacy: The biggest headlines largely centred around reforms to the Privacy and Electronic Communications Regulation (PECR). The main change will come with the relaxing of cookie banner requirements and an intended future move to an opt-out, rather than opt-in, model of consent, which will hopefully combat the ‘cookie fatigue’ that so many of us have. There are also plans to increase the fine levels for PECR breaches to align them with the GDPR (£17.4 million – up from just £500,000, or 4% of global turnover), and to increased powers of enforcement for the ICO.

The crack down on PECR non-compliance and the huge increase in the fine for breaches could have significant implications for organisations in the financial services sector, although it is likely to be welcomed by individuals. The proposal signifies that the DCMS is aware of the volume of fines the ICO has handed down due to nuisance promotional calls and messages and is keen to step up the deterrent. Banks and other providers of financial services are going to have to tidy up their Client Relationship Management (CRM) processes and ensure they have all the correct permissions to promote products.

The new reforms on cookies, on the other hand, are much more ambiguous. Whilst the government emphasises that it will not move to an opt-out model until the technology that would allow preferences to be set at browser level is in action, no timeframe is given as to when this may occur.

Despite aiming to provide greater clarity to both organisations and individuals in relation to personal data, to us it seems that the consultation response is largely going to create greater confusion for financial services organisations than it removes.