Proposed Data Protection Changes: What it means for your start-up
Christopher Bew, Employment and Immigration Solicitor, is a member of Cleaver Fulton Rankin’s Technology Sector team. Here, he discusses proposed upcoming changes […]
July 28, 2022
Christopher Bew, Employment and Immigration Solicitor, is a member of Cleaver Fulton Rankin’s Technology Sector team. Here, he discusses proposed upcoming changes to data protection law by the UK government and the potential impact it could have on start-up businesses.
The use of websites and social media, including user generated content, has become invaluable to start-up businesses for the promotion of products and services. The benefits of using digital media for marketing a new business are extensive; not only is it a cost effective way to reach a wide audience, it is also a two way process of communication with the customer which can help to assess the customer’s needs and plan for the future.
However, it is important to remember that this kind of marketing often involves the processing of personal data from consumers which must be handled with care. Publication on the internet and the use of social media platforms for marketing purposes can lead to both civil and regulatory consequences if personal data is misused or not adequately protected. Any business which processes personal data is considered a ‘controller’ and is subject to UK GDPR. Where personal data is misused, there can be civil claims by data subjects and complaints to and enforcement action by The Information Commissioner’s Office (ICO). User generated content may also lead to claims from the business in relation to fake reviews, intellectual property disputes, defamation and harassment.
In June 2022, the UK government published its response to its September 2021 consultation entitled “Data: a new direction” which provided an opportunity for an overhaul of UK data protection law in the wake of Brexit. Many aspects of the General Data Protection Regulation have been maintained. It is now known as UK GDPR.
Which key areas do the proposed changes cover?
Accountability: The UK Government indicates that we can expect an overhaul of the accountability framework and replacement with a privacy management programme. However, organisations already compliant with UK GDPR’s accountability requirements will not be required to make further significant changes, which provides some comfort for businesses.
Cookies Consent: It is anticipated that the UK will move away from cookie consent to an opt-out model, along with further exemptions for non-invasive cookies. In addition, fines for privacy and electronic communication breaches will be brought in line with UK GDPR.
DSARs: We could see the introduction of exemptions for data subject access requests “DSARs” where they are considered vexatious as opposed to requests being “manifestly unfound”, which may give organisations greater scope for refusing to respond to such requests.
Legitimate Interests: Proposals include limited exemptions to the legitimate interests balancing test. Further details were not provided, however, it seems that existing rules will continue to apply for most processing.
International Transfers: There will be more flexibility in the process for UK adequacy decisions of third parties and scope to introduce additional international transfer mechanisms (although no further details have been provided yet).
ICO governance reforms: There will be opportunities for the UK Government to influence ICO priorities by implementing a new regime over which the Secretary of State has greater oversight and control and greater discretion for the ICO in terms of investigations of complaints.
Proposed changes also cover: increased fines for nuisance calls and texts and other serious data breaches; further clarity on the re-use of data; artificial intelligence and machine learning data processing; anonymisation; privacy and electronic communications and measures to reduce the number of user consent pop-ups and banners on websites.
A draft Data Reform Bill is expected during the next few months before the usual parliamentary process gets underway.
What do businesses need to do?
The use of social media platforms for marketing purposes is here to stay. However it is imperative that both new and established businesses know how to manage the risks. The new proposed changes to data protection law in the UK continue to protect data subjects’ rights and balance the rights of controllers but they also may cause new compliance issues for data controllers. In order to stay on the safe side, anyone who has processed a significant amount of personal data should watch the progress of this new bill closely, and take legal advice if necessary.
If you would like to seek further information about any of the issues raised in this article, please contact our Technology team at Cleaver Fulton Rankin.
This article has been produced for general information purposes and further advice should be sought from a professional advisor.
For further information on our legal services, visit: https://cleaverfultonrankin.co.uk/
For guidance or information, please contact:
Michael King, Director
Dispute Resolution
For guidance or information, please contact:
Christopher Bew, Solicitor
Employment & Immigration