What could the expected changes to GDPR mean for law firms?

Guest writer Judith Andrews is a data protection and GDPR specialist and founder of Business Tamer.

The ILFM invited Judith to share her insights into how the UK’s data protection framework, including GDPR, could change when the Data Protection and Digital Information (DPDI) Bill is passed later this year.

As a legal practice manager or support staff frequently dealing with sensitive client information, you’ll be familiar with the GDPR framework. First introduced in May 2018, GDPR imposes obligations regarding the handling of personal data, from collection to storage, use and deletion. It aims to strictly protect subjects’ privacy and security, ensuring data is used responsibly and for a lawful purpose.

The rules and jargon can be complex, but GDPR can be an extremely useful tool for targeted, more effective marketing to build trust with clients – essential in the legal industry. However, some of the unintended consequences of GDPR were the high costs to implement and manage new processes, alongside disproportionate compliance burdens. The Government is therefore using the opportunity of leaving the EU to increase opportunities around processing and using data, and reduce the compliance burden on companies, through the introduction of the Data Protection and Digital Information Bill (DPDI).

What is the DPDI Bill?

The Bill was first introduced to parliament in July 2022. It was paused in September that year and a new version was introduced to the House of Commons in March 2023. It will not replace the Data Protection Act 2018 or the UK GDPR; the intention, instead, is to reform some of the restrictions of the pre-Brexit EU GDPR by reducing compliance costs and paperwork, giving businesses greater confidence when using their client data. It is currently at Committee stage and is expected to be passed into UK law later this year.

Knowing what will change and how you can maximise the opportunities will mean you are ready to utilise it when it happens.

What could the proposed reforms improve for UK law firms?

The key points which could make data handling easier, more flexible and give greater value for law firms and businesses in general are:

1. Legitimate interest – more flexible marketing

Using the lawful basis of legitimate interest may give a practice more flexibility when contacting clients with information on products or services where they have not explicitly given consent.

Currently, when making contact on these grounds, it is necessary to apply the ‘balancing test’ - an assessment of whether the individual’s interests override that of the business or organisation. This can delay communication - frustrating when time is of the essence. The proposed reforms include creating a limited list of legitimate interests, making it easier to use personal information for direct marketing. The outcome will be greater confidence that further marketing will not always rely on consent, potentially saving on time and workload to improve efficiency and output. It will also open up marketing opportunities that deliver against the resources put in to achieve them – return on investment (ROI).

2. Cookies – more insight on website visitors

Any cookies that are not strictly necessary for the functioning of a website currently require consent from site visitors. The Bill proposes expanding the definition of ‘strictly necessary’ which could remove the consent requirement for analytics cookies.

Legal firm websites will still need to be clear about what cookies are in place, but it could negate the need for a consent pop-up if your website only has first party and analytics cookies. Removing consent pop-ups and banners will make your website more attractive and accessible to visitors and lessen your compliance burden without losing the valuable information on how your website is being used, for example who is using it, their journey around it and what pages are most visited. This allows your law practice to understand where any improvements could be made towards better content and conversion to an enquiry.

3. Data protection officer (DPO) change

A DPO is responsible for ensuring data compliance and overseeing data protection within an organisation, and in some circumstances, it is a legal requirement. This can necessitate creating a permanent role or outsourcing to an expert.

Under the proposals, a DPO could be replaced by an ‘SRI’ – Senior Responsible Individual – an existing member of staff at board or senior executive level in your practice. If you already have a DPO whether in-house or outsourced, they could potentially continue as your SRI.

4. Privacy management programme – more efficient

Reviewing the role of the DPO is part of the updated framework covering accountability under the legislation. The current rules require suitable processes for data record keeping, policy development, staff training, outlining privacy rights and protection of information, risk assessments and protocols around breaches, and assessments of how data is processed, stored and shared. While these requirements will be relaxed, practices will still need to fulfil all of these obligations.

It may be that your practice’s processes and procedures will need some refining or updating, and it will be worth making sure that you’re still meeting your responsibilities under the legislation at the same time as enabling safe and ethical use of personal information.

5. Data Subject Access Request (DSAR) - easier refusal

An integral part of data protection is allowing individuals to understand what information is being held and used by organisations. The key process is called a DSAR, which is a request to see all personal data held on an individual by data controllers. There are strict rules about how businesses comply with these requests, and failure to comply can result in a fine.

There are technical changes to the definitions of requests under the new Bill which aim to deter requests where the intention is malicious, or to gain advantage over the data controller rather than simply to exercise one’s data rights.

A new requirement is that practices will be required to introduce a complaint handling procedure to allow individuals to complain to the business directly if they feel a refusal is not justified, and this replaces the previous step of making a complaint to the Information Commissioner’s Office (ICO).

[Image: ILFM update for the Data Protection and Digital Information Bill, Feb 2024]

What other data reforms should practices be aware of?

As all legal practice managers know, they need to be registered for data protection with the Information Commissioner’s Office (ICO). The ICO is the body that oversees and enforces UK data law and will also be subject to reform as part of the DPDI Bill.

The main impact for practices is that ICO fines for breaches of the Privacy and Electronic Communications Regulations (PECR), the regulations that govern electronic marketing such as email and telephone marketing, could increase to the same level as those under the UK GDPR. This would make the fines and sanctions for persistent rule-breakers more punitive.

Are there any potential downsides to the Data Protection and Digital Information (DPDI) Bill changes?

There are concerns that some of the changes could lead to a weakening of data protection rights. In addition, the Bill does not provide any new oversight for developing AI technologies. It also weakens safeguards that protect individuals from existing uses of AI, such as automated decision-making and profiling.

However, the biggest concern is that the UK could lose ‘adequacy’ with the EU, meaning the EU would no longer recognise the UK as providing an equivalent level of data protection. If the UK loses this status, the processes around the flow of data between the UK and all individual EU member states will become more difficult. There are currently very few differences between the EU and UK versions of GDPR, meaning it is easy to provide services for UK and EU citizens, so any change in adequacy will have a huge impact on trade.

Although the changes mean strict data handling and management are still essential, the new Bill could improve the ability to use data for commercial gain. However, the details of the final reforms, and whether they achieve the goal of saving British businesses billions as reported in a Government press release, remain to be seen.

Judith Andrews CIPP/E, BSc Social Sciences with Politics and Economics, is the owner of Business Tamer, a company which provides advice and guidance on all aspects of data protection.