What Does the Consultation on Reforming the Data Protection Laws in the UK Mean for Employers?
In order to “create a more pro-growth and pro-innovation data regime, while maintaining the UK’s world-leading data protection standards,” the government of the United Kingdom (UK) initiated a consultation on proposed changes to the country’s data protection law on September 10, 2021. This was done in conjunction with the launch of the Consultation on Data Protection Law Proposed Changes. The recommendations are intended to improve on the existing data protection framework in the United Kingdom, which is contained in the General Data Protection Regulation (as it applies in the United Kingdom after Brexit) (UK GDPR), as well as the Data Protection Act 2018.
The consultation will remain open until November 19, 2021, following which the United Kingdom Government will review all of the answers received and provide a response, most likely in the form of new legislation to put the proposed changes into effect.
Employer organisations will be especially interested in the following proposals:
The authorization of data controllers to collect a modest fee in exchange for the processing of data subject access requests (DSARs) (i.e. requests by individuals to see a copy of their personal data processed by a company). This was okay to do before the General Data Protection Regulation came into effect. In addition to this, the suggestions call for the establishment of a costs limitation, according to which organisations would not be required to react to a DSAR if the expenses involved exceeded a specific threshold. When the context and history of the situation are considered, data controllers have the right to refuse a DSAR on the grounds that it is a “vexatious request” that is likely to “cause a disproportionate or unjustifiable level of distress, disruption, or irritation.” This is one of the reasons why it may be permissible for data controllers to refuse a DSAR. However, the Consultation does not state explicitly that the same cost ceilings and principles would be adopted under the new data protection rules. These principles are reflective of the regime that is currently in place regarding access to information held by public bodies (under the Freedom of Information Act 2000). Responding to DSARs can be a very time-consuming exercise, taking up significant levels of resource. The proposals aim to address both the significant burden that is often placed on businesses in this area and, in particular, situations in which a DSAR may be used by a potential claimant (such as a current or former employee) for early disclosure in the context of a dispute. This is because responding to DSARs can be a very time-consuming exercise. This use of DSARs occurs rather frequently in our experience. It is therefore anticipated that the majority of organisations will look favourably upon the implementation of these ideas.
Changing the way that the United Kingdom handles international data transfers so that when the data protection rules of other jurisdictions are being evaluated (for the purpose of determining whether or not the United Kingdom’s regulations are adequate), a “risk-based” approach that is “focused on outcomes” is used, rather than making stringent comparisons of the text of the respective legislation. In light of the decision that will be handed down by the European Court of Justice in 2020, which will render the EU-US Privacy Shield adequacy arrangement null and void, this will be of particular relevance to American businesses who have a presence in the United Kingdom. This is the first step toward the government adopting a more flexible stance regarding the adequacy arrangements issue; the government had previously identified the United States as one of its primary destinations for adequacy arrangements. In addition, the suggestions include the introduction of an exemption with regard to “reverse transfers,” which are transactions that take place in the opposite direction of those that take place across international borders (i.e. when personal data sent to the UK is being sent back to the country of origin).
The Information Commissioner’s Office (ICO), which is the regulatory body responsible for monitoring and enforcing compliance with the UK’s data protection laws, should be required to implement a requirement that requires complainants to attempt to resolve their complaints with the data controller before filing a complaint with the ICO. The Information Commissioner’s Office (ICO) hopes that this would make it easier for them to handle complaints and cut down on the amount of frivolous complaints they get. In addition to this, a new obligation would be imposed on data controllers, stating that they must establish a complaints handling mechanism that is both straightforward and open to the public in order to address concerns raised by data subjects. Additionally, the ICO would be granted the authority to decide whether or not to examine a specific complaint on the basis of a set of criteria. Employers are likely to be receptive to these proposals, which would bring data privacy complaints in line with employment complaints. Employment complaints must be brought up as an internal grievance and also with ACAS before a claim can be filed with an employment law Glasgow tribunal. These proposals would bring data privacy complaints into line with employment complaints.
The necessity to carry out data protection impact assessments will no longer be necessary (DPIA). An organisation is required by Article 35 of the UK General Data Protection Regulation to conduct a data protection impact assessment whenever the processing of data is likely to result in a high risk to individuals. This includes situations in which special category personal data, such as information about an individual’s health, is processed. In the event that this responsibility is violated, enforcement action, which may include significant fines, may be taken. The Consultation takes into account the fact that organisations may discover other risk management approaches that are more effective in achieving the desired results; hence, it recommends to do away with this requirement. The absence of the necessity to carry out a DPIA should make it possible for organisations to deal with fewer formalities and less “red tape” than they do at the moment.
Separately, but also of importance to employers, the Information Commissioner’s Office (ICO) just finished a consultation on proposed modifications to its employment practises code, supplemental advice, and fast guide, all of which were developed before the GDPR went into effect. Materials that are accessible to users and up to date provided by the ICO would be very much appreciated.
The repercussions of failing to comply with the regulations
The Information Commissioner’s Office (ICO) is authorised, among other things, to examine complaints of violations of data protection legislation and to issue hefty fines for violations of the UK General Data Protection Regulation (GDPR). It all depends on the specific violations that were committed, but the maximum amount of a punishment may be up to 17.5 million pounds or 4% of an organization’s entire yearly revenue from all over the world. In addition, workers themselves can file claims for damages if their data privacy is violated. The Consultation does not contain any recommendations to change these sanctions, which emphasises the fact that compliance will continue to be a major priority even if the UK’s data privacy law for employers is simplified.
What should we do now?
The United Kingdom is getting ready to go on a new course with regard to the protection of personal data, and while it is being motivated by a need for adaptability, it will also want to keep its data adequacy agreement with the European Union. Because of this, it will be fascinating to observe the extent to which any proposed adjustments deviate from the core principles that are already in effect.
In the meanwhile, companies should do a thorough examination of their policies and processes to determine whether or not they comply with the regulations that are presently in effect. Since the General Data Protection Regulation (GDPR) went into effect, there has been a discernible rise in the number of data privacy claims and challenges brought against employers. The consultation indicates that organisations that are compliant with the current data protection in the UK can expect to be compliant under the new regime. As employers continue to address the challenges posed by the pandemic, they should make sure that their privacy notice accurately reflects the personal data collected on employees, as well as the manner in which that data is processed and stored. This includes ensuring that the notice addresses how health data is handled.