GDPR changes in the UK: reform of the ICO

The UK government is planning significant changes to the UK’s data protection regime. From re-orientating the Information Commissioner’s Office (ICO) to new ways for businesses to process data, these far-reaching GDPR reforms are set to have a significant impact on business. We covered these changes in depth in a previous article and webinar.

High on the government’s agenda, as outlined in its consultation, is reform of the ICO, the Information Commissioner’s Office. This has been on the cards for some time, with the government keen to align the ICO towards delivering the National Data Strategy. The Department for Digital, Culture, Media and Sport (DCMS) has outlined its proposed changes to the regulator.

What will the ICO’s new remit be?

Beyond being the data protection regulator, the proposals outline new duties for the Commissioner to consider factors relating to economic and public safety issues, as well as discrete areas of government policy, when the ICO is exercising its enforcement powers against a controller. For example, a serious complaint against an international tech company could result in a very large monetary penalty under the DPA 2018. But enforcing such a penalty could have a negative impact on the company, potentially turning investment away from the UK, which could result in job losses. It’s an extreme example, but the ICO could, or perhaps should, be expected to take this into account when considering enforcement actions and financial penalties.

But does this duty to consider economic factors prevail over the requirements to protect individual rights? This will be up to the ICO to consider. They are expected to balance their decision and consider both the duty to promote economic growth and the duty to protect data subjects. However, there is no right of appeal for data subjects against the ICO’s actions, so the balancing act is up to the regulator.

Does the ICO have to consider the economic impact?

A more controversial change is that ministers will set the strategic objectives and duties of the ICO, and the regulator will be required to fulfil them. Because the government has set out that the ICO will need to consider economic growth, this may trump individual rights in many respects. The requirement on the ICO to consider “competition, innovation and economic growth” could mean it takes little or no action against companies or industries that are violating individual rights under certain circumstances.

This extends to ICO enforcement actions as well. For example, a data controller could have improperly obtained and processed a large database. After complaints, the ICO investigates. Under the current system, a straightforward enforcement action would be to require the data controller to delete the database. However, under the new system, this could put the controller at an economic and competitive disadvantage. The data controller could appeal the decision to delete its database if it felt the ICO had not taken into account economic, innovation or competition grounds.

How will data protection be regulated in the UK?

This economic principle extends internationally. The government outlined that the ICO should consider the government’s “wider international priorities when prioritising and conducting its own international activities.” This means that the ICO could decline to investigate international transfers to certain countries if it could have an impact on the government’s ability to negotiate a trade deal, for instance.

The government is also proposing a requirement for the ICO to have due regard to public safety when carrying out its functions. This could affect controllers, particularly public sector ones such as the police or a local authority, that operate a CCTV system. The requirement to consider public safety could outweigh data protection rights. This could also affect private companies that maintain CCTV systems capturing public spaces. There have been GDPR fines in Europe against companies that recorded members of the public without appropriate consent. If this were to happen in the UK under the new system, the public safety regard would likely take precedence.

Overall, the ICO is being brought under the government’s policy objective of empowering businesses to use data for economic growth, with far fewer restrictions and much less oversight than under GDPR. The ICO, as the arbiter for when things go wrong, will now have guidance approved by the government, along with a government-appointed CEO and board, to ensure that data protection enforcement remains in line with these priorities for promoting economic growth.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.