In our previous blog, we discussed the Queen’s speech from 2021, in particular the Government’s plan to reform the data protection legislation in England and Wales. Observant readers will note that the title of the previous blog mentions the Data Reform Bill and that the title of this blog contains ‘No.2’. This makes it clear that the current draft before Parliament is its second form and, on this occasion, is sponsored by a different Government department than the first.
Whilst the Government has sought to make a big splash with this Bill, it has made clear that organisations already compliant with the GDPR ought not to have to make significant changes to their approach if this Bill is passed.
What does The Data Protection And Digital Information (No.2) Bill propose?
The Bill seeks to introduce more flexibility in the approach organisations adopt when complying with their data protection obligations, rather than the one-size-fits-all approach adopted by the UK GDPR. The idea is for organisations to analyse the risk their data presents and take measures that are appropriate to that risk in respect of data security, record keeping, and accountability.
One significant shift is the removal of the Data Protection Officer (DPO) role and its replacement with a ‘senior responsible individual’ (SRI). Unlike a DPO, the SRI must be part of the senior management team, but each of the tasks required of the SRI is expressly stated as being capable of delegation. Further, there is no longer a requirement for the SRI to be proficient in data protection. This is likely to be particularly useful in smaller organisations. It will mean that an organisation can appoint one of its senior managers with no prior expertise in data protection, and the appropriate tasks could well be outsourced to third-party organisations, such as Nelsons, to ensure compliance with the relevant legislation.
There is a further proposal to bring the legislation in line with the Freedom of Information Act by changing the basis upon which an organisation can refuse to comply with a data subject access request (i.e. a request for the organisation to provide a copy of all data that it holds on the requester) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. Whilst this appears to be a minor change, ‘manifestly unfounded’ essentially means that the request is without merit, whereas ‘vexatious’ implies an ulterior motive behind the request.
Given that this Bill is already in its second iteration, there is no guarantee that it will not be amended again, and accordingly further changes may be made before the legislation comes into force.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.