On the 23rd of June 2022, the government published its response to the consultation it prepared in September 2021. A comprehensive list of its intended changes to the current arrangements gives us the clearest view yet of what the forthcoming data protection bill may have in store. Here I will not attempt to address all the potential changes but instead focus on the areas where there may be the most immediate impact on small to medium-sized organisations. Further information on the other proposed changes will follow in due course.
Accountability
The consultation considers the implementation of a Privacy Management Programme (PMP). This is intended to create a more flexible approach to compliance, removing some of the current GDPR mechanisms designed to assist the data controller when handling data and replacing them with other means more at the controller’s discretion. For example, a controller may not need to complete a Data Protection Impact Assessment (DPIA) on a new project in the future, but will instead need to ensure it has alternative means to establish a clear view of the impact such a project may have on data subjects’ rights. The same may apply to Records of Processing Activities (RoPAs).
The controller will be required to appoint a Senior Responsible Individual (SRI) (several different references are made, such as designated senior individuals or accountable person) to oversee the processing activities; there may be more than one such individual. The individual(s) may need to have similar skills, knowledge and expertise to those required for the role of the Data Protection Officer (DPO). These may include, but are not limited to, being the point of contact with the ICO and the public, updating policies and procedures and delivering data protection awareness training. If you have appointed a Data Protection Officer, you may continue to rely on this resource, and the officer will report to the SRI. Critically, the SRI along with the DPO must ‘independently monitor’ the processing activities of the controller, which may cause some conflicts of interest depending upon who is appointed as the SRI. Nevertheless, whereas the appointment of a DPO may become optional in the future (unless special categories of data are processed), the SRI will be a mandatory post. Having access to credible expert advice and guidance will be crucial to compliance. The new structure may enable the regulator to more easily identify failures in the controller’s decision making and focus on those responsible for it.
The overarching aim of this is to create better accountability by appointing identifiable individual(s) and prescribing a structure that may encourage a stronger culture of privacy first and foremost.
Privacy Management Programme (PMP)
The programme may include a range of measures to ensure demonstrable compliance has been implemented across the organisation. This could include, but is not limited to:
- Evidence of senior management support for compliance: the roles and responsibilities of those individuals, and how such oversight is conducted, documented and reported. How incidents are addressed and concluded, and how improvements have been achieved.
- Ensure a clear line of communication (which can be demonstrated) between the SRI and the DPO.
- Ensure the ICO has a clear point of contact for any concerns.
- Evidence of how staff and others are trained and informed of their responsibilities, the frequency of such training, content, effectiveness, pass rate and how any areas of vulnerability are addressed.
- The maintenance of data inventories, what assets are held, what these are used for (purpose) and where they are kept (storage location and type).
- Policies and procedures which are regularly reviewed and updated where required. This will include all policies and procedures concerning personal data, or that use data or address issues involving data, such as safeguarding.
- Evidence of how different types of data are protected, especially how special category data is gathered, processed and deleted over time.
- Evidence of appropriate security arrangements.
- Evidence of risk assessments where these have been deemed necessary. Where elevated risk has been identified, details of the remedies found to mitigate such risks and when these will be reviewed.
- Clear procedures for communicating with data subjects. Evidence of the privacy notices that may have been used, where and when and any updated information that may have been shared.
- A clear procedure for dealing with requests to access data or where a complaint has been received. A record of such events will be required.
- A clear procedure for dealing with data breaches and a decision tree for reporting incidents to the ICO.
- A plan for the regular review of the PMP.
- Implement steps to ensure the effectiveness of the programme and have in place measures to adapt the programme where this may be required.
- Ensure the PMP can be made available to the ICO upon their request within a reasonable time frame.
- Records of training: who was trained, when, and on which aspects of the law.
- Evidence of how data is transferred outside of the UK in accordance with the UK data transfer regime, transfer risk assessments and the specific safeguards implemented.
It is likely that the information required to complete the PMP as outlined here already exists. The burden of creating such a programme may therefore be greatly reduced. The ability to keep clear records of improvements made, version control for policies and notices and any incidents along with the remedies found will be key to the development of a sustainable and effective programme. The appointment of a mandatory SRI may be more problematic. Identifying the right person with the requisite skills could be challenging.
Next steps
Monitor the ICO website for further updates. The response to the consultation will lead to the publication of the bill in the coming months.
Consider your policy framework: is it up to date and does it provide a clear view of your intended processing activities? If so, this might lead to an easier transition to the PMP in due course.
Consider whether you have in-house personnel capable of becoming, and willing to become, the SRI. If not, consider your options, as this will be an important appointment for the future. It seems entirely possible that the requirement could be outsourced in a similar way to the DPO.
Blog No.2 to follow shortly
Good news for Fundraising! – Potential changes to consent will allow a more flexible approach