By Brian Taylor, Head of Information Governance, Hymans Robertson
Don't panic
This isn’t another GDPR, and the provisions are largely positive for organisations, while maintaining protections for individuals. Some action will be needed, including updating privacy notices, amending complaints processes and reviewing internal policies, procedures and guidance.
Other changes won’t require immediate action, but may present some opportunities for innovation, with updated rules on scientific research and automated decision-making.
What are the key changes?
DUAA contains wide-ranging measures, some of more interest than others.
Parts 1-4 of DUAA deal with things like Smart Data schemes, Digital Verification Services and national registers. Part 5 contains the data protection changes and part 6 deals with the Information Commissioner.
Parts 7 and 8 contain additional data-related measures and final provisions.
Perhaps the most interesting changes are in parts 5 & 6:
Data Subject Access Requests (DSARs): Controllers need only conduct a search for data and other information that is “reasonable and proportionate”.
Complaints: An additional, statutory right for individuals to complain to the controller, and monetary penalties for organisations who don’t meet their complaints obligations.
International transfers of personal data: Controllers must apply a new “data protection test” instead of carrying out a Transfer Risk Assessment when transferring data from the UK to some countries.
Cookies exemptions and changes to fines under the Privacy and Electronic Communications Regulations (PECR): New exemptions for analytics and website presentation cookies, and increased monetary penalties for infringing PECR, including electronic marketing rules.
Automated decision-making (ADM): ADM will be generally permitted subject to certain safeguards, unless special category data is involved.
‘Recognised legitimate interests’ and purpose limitation changes: A list of five recognised legitimate interests, which may remove some uncertainty. Clarification that scientific research (which can include technology development) is generally compatible with the original purpose of processing.
Changes to the regulator: A new Information Commission will be established, which will be a corporate body similar to other regulators like the Financial Conduct Authority. The current Information Commissioner (John Edwards) will be the new Commission’s first Chair.
Timescales and guidance
Most of the changes are expected to come into effect in December 2025. You can check the current timetable for updates.
We also expect updated guidance from the Information Commissioner’s Office (ICO) over the coming months. The ICO has provided a summary of the changes in DUAA.
Now is the time to start thinking about what changes you might need to make to your own data protection compliance arrangements, including complaints processes, changes to privacy notices and other internal documentation. You may want to ask your legal advisers for guidance.
|
