Since Britain’s departure from the European Union, there have been no changes to its data protection laws. The UK is well within its rights to detach from Europe's privacy laws, whether that be a revised set of provisions, or an entirely new privacy law. Stepping away from what is considered to be the gold standard of data privacy regulations globally is not something to be considered lightly, and provisions will be subject to adequacy standards under the GDPR whatever direction the UK decides to take. However, the question still stands, will the UK be making the big move away from the GDPR?
The short answer to this question is yes, the UK will be moving away from the European GDPR and forming their own provisions surrounding data privacy. On the 26th August 2021, the UK government released its plans for a reformation of privacy laws. The ways in which these provisions are proposed will affect every school, Trust, and business within the UK. Although the proposition is newly announced, it is important to understand the ways in which data handling may change in the near future.
For all of the latest privacy and cyber trends, download our Education Privacy and Technology Magazine!
Some of the Proposed Changes to the UK’s Data Protection Regime
1. Legitimate Interest
The government suggests enacting legislation to allow organisations to rely on the “Legitimate Interests” legal basis, without the uncertainty they currently face, and without the need of carrying out the balancing test. This would be achieved by a limited, exhaustive list of legitimate interests that businesses can use, leaving the balancing test as mandatory only when processing children's data (even if the processing corresponds with an activity on the list).
Under the proposed regime, the accountability framework would require, among other things, to (1) implement a privacy management programme (PMP) with certain policies and processes to ensure that data protection roles and responsibilities are properly allocated, and legal expectations are outlined in an easy to understand manner, (2) establish monitoring procedures to regularly assess the PMP’s effectiveness so that it can be adjusted as needed to ensure full alignment between business practices and regulatory requirements.
3. International Data Transfers
Adequacy decisions will be assessed from a different perspective. Currently, the European Union’s standard to deem a country as adequate is based on whether said country provides an essentially equivalent level of protection for transferred data. The UK government has indicated that the country misses out on £11 billion due to the stringent level to which adequacy levels are held. That is why it intends to add more countries to its adequacy list, and establish ongoing monitoring of countries' relevant laws and practices instead of a mandatory review of adequacy regulations every 4 years.
4. Subject Access Request Fee
Pursuant to the European GDPR, data subjects must be given access to their information free of charge. The UK government proposes establishing a fee for providing data subjects with access to their personal data.
5. The Data Protection Officer Requirement
The proposed changes suggest that existing requirements to appoint a data protection officer will be removed. Instead, schools will be allowed to designate a suitable individual(s) to be responsible for the organisation's PMP and data protection compliance.
6. Data Privacy Impact Assessments
The UK government intends to remove the DPIA requirement so that organisations may be free to determine how to best identify and mitigate data protection risks, based on their specific circumstances.
7. Reformation of the ICO
The data protection authority within the UK, the Information Commissioner's Office (ICO), will be subject to reformation including the ways in which they handle data subjects’ complaints against organisations. Under the proposed framework, data subjects may be asked to submit complaints to businesses before they resort to the ICO. In order to support this change, schools may have to introduce a complaints-handling system.
What does this all mean for schools?
One of the overriding changes that could affect the ways in which schools operate is the need for a comprehensive PMP that is able to demonstrate compliance should you need to address incidents with authorities. In many ways, accountability is heightened through the PMPs as schools will need to make the right decisions themselves, and ensure that they can evidence their compliance appropriately. It is likely to be some time until these changes are implemented, some may not even be implemented at all. However, it is important for schools to understand what adjustments are needed in their compliance programmes to ensure compliance with any upcoming changes in law.
How can 9ine help?
The 9ine Privacy Academy is a training programme for data protection professionals in schools. Through this programme, data protection teams access applicable and instructional training and resources they can implement into their school’s PMP to align with regulatory expectations, and rest assured that compliance requirements will be met and upheld throughout the process of changing laws in the UK.
The 9ine App implements a successful and effective data privacy framework into the school PMP in a natural way. Through the use of risk assessments and documentation, schools are given everything they need to ensure that they can evidence compliance now, and when new provisions are implemented by the UK government. By using the App, schools will be better prepared to demonstrate compliance efforts.
If you would like more information on how 9ine can help your school in the build up to new privacy laws
Let’s Stay in Touch
Subscribe to our newsletter to receive product announcements & other updates.