As the UK grapples with if, how, when and exactly what it will replace GDPR with (or not), there’s some data which shows the wider compliance gap with whatever data protection regime the UK will come up with.
Data from the UK government’s own impact assessments paint some stark figures. There are over 4 million companies in the UK, each one of these registered with Companies House. There is just over a million companies registered as data controllers on the ICO’s public register.
Under GDPR, a data subject has the right to obtain confirmation as to whether or not their personal data is being processed. The right to receive data under a subject access request must not adversely affect the rights and freedoms of others. You cannot comply with a subject access request if it would adversely affect someone else’s rights. If the information is subject to legal privilege or concerns a third party, it may not be able to be released.
What is a subject access request?
Data subjects are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. The process of finding this out is known as a subject access request, or SAR.
A subject access request is not the same as a Freedom of Information (FOI) request. An FOI request covers all information held only by public authorities, but not personal information about the person making the request. If you are not a public body or otherwise covered by FOI legislation, an FOI request cannot be made to you.
The UK government has published its response to the data protection consultation
Response to the UK GDPR consultation published
The government have published the draft legislation to amend the data protection regime in the UK. The Data Protection and Digital Information Bill (DPDIB), which was introduced to Parliament just before the summer recess and before the appointment of the new government in September, would modify the existing UK version of GDPR and cause some significant areas of diversion with EU GDPR. Earlier this year, VinciWorks outlined the key changes that were expected to be made. The aim of the new UK data protection legislation is to ease GDPR requirements for companies and make them less burdensome.
What are the key changes the UK data protection bill seeks to introduce?
Among other things, the changes will:
amend the definition of personal data
use AI to process sensitive data and other information
add new legitimate interests
remove the requirement for cookie consent
amend accountability requirements
remove the need to appoint a data protection officer
charge fees to access your own data
remove record-keeping requirements
reform of the Information Commissioner’s Office (ICO)
raise fines for PECR breaches
Even though the bill proposes widespread changes, it actually preserves the existing UK GDPR and the PECR, as it was drafted as an amending act rather than a completely new legislative instrument.
In addition, there is a chance that political factors could stymie the bill. If an election is called prior to the bill receiving royal assent, it won’t become law. The UK’s adequacy status with the EU remains a question, even though the government has expressed the opinion it is entirely possible to retain it.
New courses and resources coming soon
VinciWorks is closely following the legislation and will, in the coming weeks and months, be releasing new updated resources, guides and a completely revised UK GDPR course that will reflect the changes and keep you and your organisation aware of everything you need to know about the updated bill.
Stay updated
You can keep up with the latest via our blog and through the Regulatory Agenda that we publish, which documents new and important compliance regulations.
The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. GDPR’s reach is global, and in the four years that it’s been in force, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.
Any company that offers goods or services to anyone in the EU is required to comply with GDPR, and any employee who collects, processes or stores data as part of their responsibilities, needs to be trained in data protection rules and regulations, including business owners, directors, managers, supervisors, staff and contractors.
But now it’s been over four years since GDPR came into force and some might be asking if it’s still relevant, and why they should still care.
Thank you to everyone who came along to last week’s GDPR webinar. We had a number of questions during the webinar and we’ve answered them all here in this blog. Please contact us if you would like a personalised discussion on your data protection compliance needs.
Top 12 GDRP questions and answers
How can I legally transfer data to the USA?
Right now the way to legally transfer data to the USA is using the standard contractual clauses, or the British equivalent mechanism. This means going through a risk assessment process, filling out all the paperwork of who the data is going to, who processes it etc.
Think of it like exporting physical goods. Paperwork needs to be filled out at the port of exit and properly done so, and data is unfortunately no different. But do the paperwork correctly and there shouldn’t be too many problems.
The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. During that time, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.
On the fourth anniversary of GDPR coming into force, we took a look at the last four years of GDPR, the effect the regulation has had on the way we collect and process data and what we can expect going forward.
The webinar covered:
A review of where businesses are falling short in GDPR compliance
What can we learn from recent GDPR fines?
How the UK’s data protection reforms affect UK GDPR
Best-practice guidance
How to implement an effective GDPR compliance programme
On May 25, 2018, the General Data Protection Regulation (GDPR), a law regulating how businesses must handle personal data, came into effect. The impact on how online user data had to be handled was massive. Shortly thereafter, on 28 June that year, the California Consumer Privacy Act (CCPA) was passed, going into force on 1 January 2020. On August 14, 2020, the final regulations were approved and it immediately went into effect. To the relief of those companies that were already GDPR compliant, CCPA is, in many ways, a more lenient version of GDPR. However, there are important differences.
GDPR recap
GDPR legislates how companies in the EU must handle personal data. This includes names, email addresses, location data, browser data, etc. This legislation places a responsibility upon companies to be transparent in their handling of personal data and maintain records of how they process that information. The law is meant to ensure that individuals always retain control over their information. Most importantly, consent to use personal information must be explicitly given before being collected and can be revoked whenever it is requested. There is no such thing as implicit consent. For example, browsing or scrolling through a website cannot be considered consent to collect and make use of personal information.
Have data protection authorities begun the great fightback against business? Perhaps they have been tasked with bringing in some much-needed cash to national coffers, because fines have become the next big trend in data protection and should seriously concern marketers in all sizes of business.
Some recent marketing-related fines have included:
Amazon – €746m for compiling data on customers
WhatsApp – €225m for failing to provide information in clear and plain language
Austria Post – €9.5m for failing to allow subject access requests by email
Grindr – €6.3m for sharing location services without consent because it was special category data on sexual orientation
Sky Italia – €3.3m for unwanted phone calls
Overall, there’s been a 113% increase in GDPR fines between July 2020 to July 2021, with 709 in total compared to 332 in the year before. Penalties for violations have more than doubled as well, from €130.69 million up to July 2020 to €293.96 million up to July 2021.
The UK government is planning significant changes to the UK’s data protection regime. From re-orientating the Information Commissioner’s Office (ICO) to new ways for businesses to process data, these far-reaching GDPR reforms are set to have a significant impact on business. We covered these changes in depth in a previous article and webinar.
High on the government’s agenda as outlined in their consultation is reform of the ICO – the Information Commissioner’s Office. This has been on the cards for sometime, with the government keen to align the ICO towards delivering the National Data Strategy. The Department for Digital, Culture, Media and Sport (DCMS) has outlined their proposed changes to the regulator.
The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.
Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.
In this short video, our Director of Learning and Content takes us through what the potential changes are and how they might affect the way we process data.
