Ilan Jones and Kate Wilson, Solicitors in the Corporate Commercial team, discuss Data Privacy Day.
Today is Data Protection Day, also known as Data Privacy Day, marking 43 years since the first international treaty dealing with data protection and privacy came into force.
What is Data Protection Day?
It is an opportunity to create international awareness around the importance of privacy and the protection of personal information. Specifically, Data Protection Day is aimed at highlighting the importance of respecting privacy and safeguarding personal information, promoting transparency on how organisations collect and use personal information, as well as educating on management of personal information and best practices.
A key starting point for organisations is to ensure that they have up-to-date knowledge around data protection and privacy legislation.
What is data protection and privacy law – how have things changed?
One of the fundamental milestones in UK data protection law was the introduction of the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, along with the Data Protection Act 2018. It is also noteworthy that the Privacy and Electronic Communications Regulations 2003 (PECR), which set out privacy rights relating to electronic communications, were last amended in 2018-2019 and continue to sit alongside GDPR. However, we have come a long way since 2018, from the departure of the UK from the European Union to developments in technology, including Artificial Intelligence. Such changes have led to significant reform, for instance the existence of two GDPRs (the EU GDPR and UK GDPR) and, most recently, the introduction of the Data Protection & Digital Information (No.2) Bill.
What is the Data Protection & Digital Information Bill?
Divided into 6 parts (including data protection, privacy and electronic communications regulations and the Information Commission), it is considered that the Data Protection & Digital Information Bill (“the Bill”) will “create a new UK data rights regime tailor-made for our needs” and reduce the burdens on businesses, while maintaining high data protection standards. It has been said that this will boost the economy by £4.7 billion over the next decade.
Multinational organisations with operations in the EU will still have to comply with EU GDPR, but it has been indicated that compliance with EU GDPR may be considered sufficient under UK data protection and privacy laws, even after the Bill is enacted. That said, organisations conducting business solely in the UK may wish to comply only with UK laws once the Bill has been enacted. UK organisations therefore need to monitor the Bill’s progress and consider if they will need to make any changes in line with the Bill, once enacted.
It is suggested that the Bill will, for example:
- clarify certain concepts around legitimate interests, automated decision making and scientific research, which makes it likely that organisations will find it easier to explore new technologies and increase confidence in Artificial Intelligence.
- reduce formalities and paperwork, which should improve efficiency and reduce compliance costs.
- increase fines for nuisance calls and texts under the PECR.
- update the PECR to cut down on “user consent” pop-ups and banners.
- reform the governance structure and powers of the Information Commissioner’s Office (i.e. the data protection regulator).
Companies will still need to be clear about what personal data they process and how they comply with their obligations, but it is intended that the administrative burden will be lessened. It cannot be predicted when the Bill will become law, but currently it appears likely that it will be this year.
Further detail on the Bill and how to get ready for the reform will be considered by Kate Wilson and Ilan Jones in our upcoming Information Law webinar and blog series.