The UK government is proposing to amend its data privacy regime to make it easier for employers to comply with its requirements.
The main points that would impact employers (if implemented) are that it would be easier to reject or charge a fee for vexatious subject access requests, as well as some of the compliance and paperwork hurdles being removed and replaced with a more ‘flexible’ mechanism.
It is possible that, if the EU determines that this lessens the UK’s data privacy protections, it could revoke the UK adequacy decision, which would mean that businesses would need to put in place documentation when transferring EU data to the UK on the basis that the UK was a non-compliant third country (like the USA).
The European General Data Protection Regulation (GDPR) was implemented in 2018, when the UK was still part of the European Union.
Following Brexit, UK employers are required to comply with the UK version of GDPR (with some minor variations). However, now that the UK has left the EU, the UK government is looking to “reshape” the UK’s approach to data privacy now that it has its new ‘regulatory freedoms’.
You may remember that back in September 2021 the government launched a consultation on its proposed reforms. The government has now published the outcome to that consultation and has outlined the areas that it seeks to reform. The government’s objectives include “reducing the burdens on businesses” and giving “individuals greater clarity over their rights and a clearer sense of how to access” their data. The proposals build upon the foundations of GDPR with some variations.
Data: a new direction – but what direction is that and what does it mean for employers?
We’ve outlined below the main changes that would impact employers.
- Data Subject Access Requests (DSARs) – DSARs are one of the main rights which individuals have under GDPR and the one that causes HR professionals the biggest headache. The right enables employees to obtain access to copies of personal data which their employers process (which can be voluminous), as well as other specific information. DSARs are commonly used by disgruntled employees as a pre-litigation tactic and can be time-consuming and expensive for employers to comply with.
The government proposes to make it easier for businesses to refuse to comply with DSARs or to charge a fee. The government intends to lower the threshold for refusing to comply with a DSAR or to charge a reasonable fee from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. The government anticipates that this would make responding to DSARs more manageable for businesses, but it remains to be seen whether this will make any difference in practice or is just semantics. In UK law, the term 'vexatious' usually implies a very high hurdle to overcome e.g. a 'vexatious' litigant is usually a litigant who keeps suing people time and time again. This could mean a 'vexatious' DSAR applicant is only someone who makes many nuisance DSARs, not just one disgruntled employee.
The government also considered the following points, but declined to take them forward:
introducing a cost ceiling for DSARs; and
re-introducing a nominal fee for processing DSARs (as was the case under the previous pre-GDPR legislation).
Legitimate interests – UK employers that rely on legitimate interests as a lawful ground for processing are required to weigh up whether the interests in processing personal data outweigh the rights of individuals. This ‘balancing test’ can be perceived as complicated and risky for employers, as well as administratively burdensome. The government proposes creating a limited, exhaustive list of legitimate interests which businesses can rely on by default, without the need for this balancing test. There was some support in the consultation response for everyday business activities, such as HR functions, being added to that list, which would make processing of HR data under this lawful basis much easier for employers. It seems that, at first, the government proposal will only be implemented for a narrow list of public interest activities (which will most likely not include HR) but there would be a power for the government to broaden this list.
- AI/automated decision-making – automated decision-making is a growing area in HR practice and Mercer’s Global Talent Trends 2019 survey found that 83% of US employers use AI in their HR decisions. Littler’s 2022 Employer Survey Report found that nearly 70% of respondents say that they use AI an analytics tools as part of their HR processes.
There was some discussion about whether some AI activities would feature in the list of legitimate interests for which a balancing test is not required (see above), but the government does not propose to take this forward. GDPR gives individuals the right to human review where decisions are based ‘solely’ on automated decision-making and which produce legal effects or significantly affect individuals. The government consulted on whether it is necessary to clarify the scope of this provision and whether it needs amending more broadly. Following consultation, the government has said that it does not propose to remove the right to a human review but will consider how to amend the law to clarify the circumstances in which it applies to make life easier for employers. This is part of a broader approach to government AI-powered decision making, which forms part of a dedicated government workstream.
- Compliance reforms – the government also plans to take forward a number of compliance reforms, which if implemented, would make some of the documentation around accountability much easier for UK employers:
- Introduction of a new ‘flexible’ privacy management programme (PMP) to demonstrate compliance. This would be based on a number of elements, such as leadership, risk assessment, policies/processes, transparency, training and monitoring. We already offer data privacy training to our clients in order to increase awareness within their businesses. In turn, the proposal is that some of the GDPR compliance requirements would be removed (see below).
- Removal of Data Protection Officers (DPOs). Currently employers are required to appoint a DPO where their core activities include large scale monitoring of individuals or large-scale processing of sensitive personal data or criminal convictions. This requirement would be replaced by a new requirement to appoint a senior individual who would be responsible for the PMP.
- Removal of data privacy impact assessments (DPIA). At the moment, employers are required to undertake a DPIA before conducting ‘high risk’ processing. The government proposes to remove this requirement and to instead grant employers with greater flexibility as to how they identify and manage risks. The government also proposes to make the requirement for prior consultation with the UK data privacy regulator in the case of high-risk processing voluntary, rather than mandatory.
- Removal of the requirement to keep records of processing activities. Under GDPR, employers with over 250 employees, or which carry out high risk processing, are required to keep records of their processing activities. The government proposes to remove this requirement on the basis that it is duplicative of other GDPR obligations, and it plans to give employers flexibility in how to manage the data they process.
What does this mean for data transfer and the UK’s adequacy decision?
We previously raised concerns that any change to UK data privacy law could impact the adequacy decision which the EU granted to the UK in June 2021, which allows the free flow of data from Europe to the UK without additional data transfer documents.
The government specifically addressed this concern, and its view is that it is “perfectly possible and reasonable” to expect the UK to maintain EU adequacy as it designs a future regime and that the UK is “firmly committed” to maintaining high data protection standards.
The government observed that EU adequacy decisions do not require an ‘adequate’ country to have the same rules as the EU, and that its view is that reform of the UK legislation on personal data is compatible with maintaining flows of personal data from Europe.
We shall wait to see if the EU agrees.
We do not anticipate that these changes will come into effect any time soon, but employers are advised to keep an eye on developments. As proposed, the changes mean that it will be easier for UK businesses to comply with GDPR, but the current 'GDPR standard' of compliance will still be compliant under the new regime. It may be that international businesses which are grappling with GDPR in multiple jurisdictions, will choose to continue to comply with the current GDPR regime in order to harmonise their approach.
From our perspective, the main concern is whether this 'dilution’ will impact the adequacy decision which the EU granted to the UK. The UK government does not think this will be an issue, but time will tell whether the EU agrees with the UK government’s view!