Reform of data protection law has been firmly on the UK Government’s agenda in recent years, and, following Brexit, is being presented as an opportunity to move away from some of the less popular elements of the EU’s regime towards a business-friendly, “common-sense-led” approach.
If enacted, the Data Protection and Digital Information (No.2) Bill (‘the Bill’) will amend the UK’s retained version of the EU General Data Protection Regulation (‘UK GDPR’), the Data Protection Act 2018 and the Privacy and Electronics Communications (EC Directive) Regulations 2003. The Bill supersedes the Data Protection and Digital Information Bill that was introduced to Parliament last year (and subsequently paused for further consultation), although the substance of the two is largely similar.
Rather than representing a complete overhaul of the UK’s data protection regime, the Bill aims to reduce bureaucracy and improve flexibility around the use of personal data by organisations, including charities. Too much of a departure from EU legislation carries the risk of impacting the flow of data between the UK and the EU, especially if the new rules aren’t seen as being adequate for EU GDPR purposes.
Here are some (potential) changes for charities to take note of:
At the moment, commercial organisations can take advantage of a rule permitting them to send electronic marketing communications to existing customers by using information which they have collected at an earlier time (during the sale or negotiations of a sale of their goods/services). This is known as the “soft opt-in” to receive electronic marketing communications, and it is not yet available to charities.
The Bill proposes extending this exemption to non-commercial organisations, including charities. The benefit of this is that when contact details have been gathered from individuals in the course of them expressing an interest in or offering or providing support for your charity’s objectives, the charity would then be able to send them marketing communications for the purpose of furthering the charity’s objectives without needing consent every time. Where this is the case, individuals must be given a clear and easy way of opting out.
Organisations need to have at least one of the six lawful bases set down in the UK GDPR for processing personal data. A somewhat (but limited) catch-all basis is that processing is necessary for the purposes of the “legitimate interests” of the organisation or a third party. However, this interest has to be balanced against the fundamental rights of the individual data subject.
Under the Bill, there would be a new list of ‘recognised legitimate interests’ which do not require a further assessment of the legitimate interest to be carried out, for example safeguarding vulnerable individuals. Such recognised interests cannot be commercial in nature.
This is potentially good news for charities whose processing may fall within one of these specified interests.
Your charity may be subject to the requirement to have a designated Data Protection Officer (‘DPO’), for example, if it processes a lot of special category personal data (relating to health, religious or philosophical beliefs etc).
The Bill, if brought into law, would replace the DPO position with a Senior Responsible Individual (‘SRI’), required when an organisation’s processing is likely to be high risk to the rights of individuals. The Information Commissioner’s Office (‘ICO’) is expected to be required to publish a list of high-risk processing activities, where an SRI will need to be appointed.
While the role of the SRI will be largely similar to that of a DPO, the difference is that an SRI has to be part of your charity’s senior management. A DPO may still be needed, however, if your charity remains subject to the EU data protection rules (for example because it processes data relating to supporters who are based in EU countries).
The Bill seeks to reduce onerous record-keeping requirements in respect of data processing activities by amending the current rules to only make this mandatory for organisations carrying out high-risk processing. Again, we’ll have to wait for guidance from the ICO as to what might constitute high-risk.
While this might give charities who do not carry out high-risk processing more choice and flexibility, the decision to not record activities should still be carefully considered. While it may become optional for some organisations, it is still good practice to record processing activities so that your organisation can evidence its compliance with other data protection rules.
Data protection laws apply to information which relates to an identified or identifiable natural person. The Bill seeks to clarify that information will be classed as personal data where the organisation processing it can: (a) identify the individual by reasonable means; or (b) knows or ought reasonably to know that another person is likely to obtain the information as a result of the processing, and the individual is likely to be identified by that person by reasonable means at the time of the processing. Under the current rules, when deciding what qualifies as personal data, account has to be taken of whether the data controller or ‘another person’ could identify an individual from the information. What is proposed effectively raises the bar from situations where a third party might, in theory, identify the individual, but in practice won’t be able to do so without spending considerable time and effort.
If brought into force, this definition could limit what information falls within the scope of the rules. The “reasonable means” assessment is likely to depend on factors such as cost and time and could be a welcome addition for smaller organisations with fewer resources.
It will be some time before the Bill becomes law, and it is far from the revolutionary overhaul of data protection law that it has been portrayed by the Government, but it does contain some changes of interest to charities. There will likely be further changes along the way. In the meantime, charities are still required to comply with the UK GDPR and Data Protection Act 2018 (as well as the EU GDPR in certain circumstances, for example, if your charity wants to carry out fundraising activities or collaborative projects targeted at individuals the EU).
For further information on how we can assist your charity with its data protection obligations, please contact Douglas McLachlan, Sophie Byrne, Lorraine Currie or your usual Anderson Strathern contact.