… but a long way to go.
You’re probably aware that there is a new Bill going through Parliament regarding changes to personal data in the UK. The catchily named UK Data Protection and Digital Information (No. 2) Bill has just had its second reading in the House of Commons, so it still has a long way to go.
Here are some highlights.
A new concept is being introduced: the ‘identifiable living individual’. This means that someone can only be considered ‘identifiable’ from the data if those handling the data actually have the means to identify them.
DPOs are set to go. Instead, a Senior Responsible Individual (SRI) who is accountable for data protection compliance will need to be appointed if you’re a public authority or carry out ‘high risk’ processing. This person will need to be part of your senior management team.
An interesting move is the concept of ‘recognised’ legitimate interests. This means that you won’t need to do a balancing test for certain things like national security or preventing crime. But for other things, unfortunately including direct marketing, the test is still required.
Good news for non-commercial organisations! They will be able to use the soft opt-in exemption for direct marketing, even for their charitable or political work. But the recipient still has to be able to say no easily.
They’re also changing the rules about cookies. There will be more categories of cookie for which websites won’t need to ask for permission, for example website analytics.
Finally, fines under PECR will be increased to match the UK GDPR, which means the ICO could issue fines of up to around £17 million or 4% of a business’s global turnover.
PS. Don’t worry too much about this; a lot could change before the bill goes anywhere near the statute books. It appears to be good news for most businesses, but we will have to wait and see.