A new approach to regulating corporate accountability in the field of data protection is set to unfold across the UK, pending draft legislation. Under government proposals, companies would be able to depart from the prescriptive stipulations of the current UK general data protection regulation (GDPR) and implement so-called Privacy Management Programmes.
Rather than requiring all UK corporates to observe the same set of rules, as per GDPR, the new system would enable each company to tailor oversight of its data protection measures to the nature and size of its business. In that more flexible context, companies would have to demonstrate accountability across broad areas such as leadership, policies and procedures, staff training and awareness, and continuous improvement.
However, in perhaps the most far-reaching change, the new framework would also remove the current requirements for each company to specially designate a data protection officer (DPO) and complete regular data protection impact assessments (DPIAs).
Instead, the framework encourages every business to appoint a ‘suitable senior individual’ to oversee and coordinate its Privacy Management Programme, and also implement risk assessment tools designed to assess, identify and mitigate data risks.
The proposals arrived in the government’s response to its recent consultation, Data: A New Direction. Launched last September, the paper explored whether the UK’s existing rules on data protection were working for the benefit of both companies and private individuals.
But do the resulting proposals represent a slackening of the law?
Change of emphasis
“It’s important to bear in mind how the proposals are framed,” says ICAEW Head of Data Analytics and Tech Ian Pay. “If you are happy with your DPO and filing DPIAs, you can stick with them. The proposals have simply removed the requirements around those features, in order to provide companies with greater flexibility.”
So what could a business hope to gain by switching from a designated, and ostensibly specialist, DPO to a ‘suitable senior individual?’
“There are currently three different approaches to appointing a DPO,” Pay explains. “In one, a large organisation that handles significant quantities of personal data will retain a full-time DPO. In the second, a smaller organisation that works with lower levels of personal data will have a management figure – perhaps an IT director, or similar – who also covers the DPO role. So, that person will wear two hats.”
In the third, Pay says, an organisation will appoint a DPO outside the business – someone based in an external consultancy who may serve as DPO for several different companies.
Each approach has its flaws though, says Pay. “In the first, there’s a risk not only that the role is siloed off from the rest of the business, but that it’s treated as more junior than it should be. In the second, the DPO has a competing brief. And in the third, the designated party is at one remove from the business.” Under the government’s proposals, he explains, the ‘suitable senior individual’ would be a member of the top team and responsible for enshrining scrupulous data protection as a key part of the organisation’s culture.
Nurturing trust
Mindful of its members’ regular contact with personal data, ICAEW submitted a response to the government’s consultation. “We had concerns that Privacy Management Programmes could raise burdens,” Pay says. “However, the government has clarified that the proposed framework is more focused on outcomes and risk factors, while adding flexibility.
“The proposed changes would move away from the ‘tick-box’ requirements of the GDPR to a system that individual businesses would be able to customise, based on their levels of data activity and types of data they work with. For example, you wouldn’t have to complete DPIAs if you’ve taken steps to incorporate other risk assessment tools into your organisation.”
Given the challenges that SMEs have faced with appointing DPOs, ICAEW’s thoughts on the proposed removal of that requirement are broadly positive. However, it notes, the DPO system has brought UK-wide consistency – and that there could be ambiguity in some companies around the identity of the ‘suitable senior individual’.
In light of the government’s response, Pay says: “As long as the legislation retains protections on an individual basis – which would be vital for nurturing trust in the system – removing DPOs isn’t necessarily an issue, providing you do have that senior engagement with the principles of data protection.”
Reflecting on the government’s response, he concludes that it has put forward some “balanced, pragmatic” ideas. “However, the devil is in the detail. Only when we see the precise legislative phrasing in the Draft Bill will we have a real sense of what these proposals will mean in practice.”