On October 6, 2021, the UK Information Commissioner’s Office (ICO) published its response to the Department for Digital, Culture, Media, and Sport’s (DCMS) consultation on UK data reforms that was launched in September. The DCMS’ consultation sets out the UK Government’s plan to drive innovation and economic growth through the trusted use of data in the UK and to simplify data use in the development of AI and similar technologies.
The response from the ICO welcomes the proposal from the DCMS as well as the chance to respond to the consultation on future data protection reform in the UK. The ICO’s response addresses each of the five chapters found in the DCMS’ consultation paper:
- Reducing barriers to responsible innovation
- Reducing burdens on businesses and delivering better outcomes for people
- Boosting trade and reducing barriers to data flows
- Delivering better public services
- ICO reform
As part of her foreword, UK Information Commissioner Elizabeth Denham stated: “We need a legislative framework with people at its heart and I am pleased to see the consultation recognise the importance of maintaining and building public trust. It is crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards.”
How has the ICO responded to DCMS proposals on cookies and similar technologies?
The DCMS outlined two proposals for amendments to consent requirements for cookies and similar technologies. These included permitting organizations to use analytics cookies and similar technologies without the user’s consent and permitting organizations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
In its response, the ICO has stated that it supports the proposals to explore new solutions for capturing users’ consent preferences. However, to ensure these preferences are respected, the ICO notes that effective enforcement will be necessary and would welcome further discussion with Government to ensure the ICO has the enforcement powers required.
While the DCMS did not rule out the possibility of removing requirements to have a cookie banner, the ICO has urged the DCMS to consider the pros and cons of legislating against the use of cookie walls.
What is the ICO’s take on removing requirements for DPO appointment?
In its data reform proposals, the DCMS suggested removing the existing requirements to appoint a data protection officer and replacing them with requirements to designate a suitable individual, or individuals, to be responsible for the privacy management program.
The ICO’s response notes that it is reasonable for organizations to assess the most appropriate way of assigning responsibility for their data protection compliance. However, it also highlights that the benefits of appointing a DPO should not be lost within the reforms. These benefits include the increased visibility of corporate governance at board level and the skills and professionalism that an experienced DPO can provide.
Furthermore, the ICO highlights the potential economic impact of removing DPO appointment requirements, stating that the role of the DPO is now a well-developed and skilled profession.
Does the ICO support the removal of DPIA requirements?
Removing the requirement for organizations to undertake data protection impact assessments (DPIA) was another notable proposal in the DCMS’ data reform consultation paper. The DCMS proposed that removing DPIA requirements would allow organizations to take different approaches more suitable to their specific circumstances when identifying and minimizing risk.
The ICO agrees that there is the possibility for more flexibility regarding DPIAs. However, it also notes that any reform to risk assessment requirements should not result in a reduction of quality in such assessments. The ICO has called for further details on how businesses can assess data protection risk, particularly in cases of new or novel processing or where new technology is involved.
Will the ICO support removing Article 30 record keeping requirements?
The government considers the risks presented by removing record keeping requirements under Article 30 to be minimal. The DCMS proposals will still require some records to be kept; however, the aim is to give organizations more flexibility in their approach. Again, this would allow organizations to take an approach more suitable to their specific circumstances, the volume and sensitivity of the personal information they handle, and the types of data processing they carry out.
Although the ICO acknowledges that there is an opportunity to reduce strict record keeping requirements, it also highlights that “keeping good records is a key element of good privacy management and high standards of privacy.” The ICO addresses the potential for the removal of Article 30 requirements to impede effective enforcement and welcomes the DCMS’ calls for developing clear guidance for meeting any new requirements.
While there is general support from the ICO on the DCMS’ proposed data reforms in the UK, it is noted that the Government must make sure that the final versions of these reforms clearly maintain individuals’ rights, minimize burdens placed on businesses, and ensure the independence of the regulator.
Further reading on the ICO’s response to the UK data reforms:
- UK Information Commissioner’s Office: Response to DCMS consultation “Data: a new direction”
- Department for Culture, Media & Sport: Data: a new direction
- OneTrust DataGuidance News: ICO welcomes DCMS consultation reviewing UK data regime
- OneTrust Blog: UK Government Launches Consultation on Data Reform