The latest report from the UK Data Protection Index has just been published, and one of the many key takeaways is that privacy professionals across the country lack confidence following the publication of the proposed reforms to UK data protection law set out in the Data Protection and Digital Information Bill (DPDI), as well as the proposed introduction of a ‘senior responsible individual’.
This quarter, we asked our panel of 523 UK-based data protection officers about a range of issues affecting the industry, including:
The consultation’s results revealed that the proposal to remove the mandatory requirement for most organisations to appoint a DPO was to be retained. In the DCMS’s response, the department admitted that the majority of respondents disagreed with this proposal, but said that it would proceed regardless. Many suggested that this would lead to a lack of independence and a “potential fall in trust and reassurance to data subjects”. However, those who supported the move suggested that it could be beneficial to small organisations and those who do not process sensitive personal data.
In the Research Briefing, published on 31st August, the Government published responses to their consultation. The Open Rights Group argued that the removal of the DPO “would reduce the need to appoint an expert with sufficient autonomy and resources to ensure people’s data is protected”. This is reflected in this quarter’s responses from the Index’s panel of DPOs who unequivocally disagreed that this would be in the best interests of data subjects.
The overwhelming majority of respondents gave low scores, revealing that they do not believe the reform would be in the best interest of the data subject. 41% of respondents gave the lowest possible score of 1 (out of 10), and 90% gave a score of 5 or lower.
When asked whether the proposal to remove the requirement for a DPO and replace it with a ‘senior responsible individual’ will simplify management of privacy within their organisation, 42% of DPOs surveyed gave the lowest score of 1.
The planned second reading for the DPDI Bill, scheduled for the 5th of September, was cancelled. The Leader of the House of Commons, Mark Spencer, announced that “the Government will not move to the Second Reading” just yet. Mr Spencer stated that the postponement would allow for Ministers “to consider the legislation further”. This does not mean that the proposed reform is ‘dead in the water’, but rather that it could look different to the reforms currently planned.
One of Prime Minister Liz Truss’ campaign promises was to remove EU retained laws from the UK’s statute book in what she described as “a bonfire”. The current draft of the DCMS’s Bill had the intention of promoting evolution in data protection laws, not revolution. With the changing of cabinet and the resignation of Nadine Dorries, Minister for DCMS, it is possible that the Bill could see transformation. However, what these changes will eventually look like is yet to be seen.
Despite the concerns around the future of UK Data Protection laws, confidence in the UK maintaining its EU adequacy status has risen, with 66% of respondents now predicting that the UK will maintain its adequacy status, compared with 62% last quarter and 63% in the quarter before that.
Artificial Intelligence (AI) and Machine Learning (ML) techniques are completely changing the way organisations gather, process, and protect data. These advanced algorithms are being used to process mass information in the form of ‘big data’. The challenge arises when organisations look to maximise the use of big data, while simultaneously safeguarding the information and privacy of individuals, and maintaining transparency in respect of the processing.
When it comes to decision making, AI can assist a human in making decisions, or it can be used to make decisions completely independently. These are often described as human-in-the-loop and human-out-the-loop decision making, with the latter often referred to as solely automated decision making. Where these solely automated decisions relate to individuals, Article 22 GDPR protects individuals where these decisions could present an adverse legal or similarly significant effect on them. Crucially, the GDPR requires that where such decisions are made, there must be an element of human review within the decision, and it is a requirement that this review be meaningful. You can read more about AI and Article 22 in our previous blog on the subject.
Given the considerable rate of advancement in the field of AI, DPOs were asked in the survey how confident (on a scale of 1 to 10) they were at being able to adequately advise their organisations regarding the regulatory, data protection and ethical implications of AI. A total of 26% of respondents gave a score of 8 or above, with 8 being the most popular score (provided by 16% of respondents).
DPOs were also asked how likely their organisations were to start using machine learning or AI in a “meaningful way” within the next three years. 38% of respondents rated this likelihood at 7 or higher, and 40% rated it at 4 or lower.
It will be fascinating to see how the Data Protection and Digital Information Bill progresses through Parliament, especially given the appointment of a new Secretary of State for Digital, Culture, Media and Sport, the changing of the cabinet, a new Prime Minister, and the cancellation of the Bill’s second reading. Therefore, as with Brexit and Schrems II before it, the data protection profession waits in anticipation for clarity to emerge from the current state of uncertainty and confusion.
The next DP Index report will be published in December 2022, where our panel of DPOs will again be asked for their opinions on the future of the ever-changing data privacy landscape.
If you are a data protection professional and would like to add your voice to future reports, do please apply to become a member of the panel.