Themes and discussions from Ashurst Data Protection Roundtable

Ashurst Data Protection team held a Roundtable on 8th September 2022 where we invited a number of data protection officers and general counsel from a variety of different businesses to discuss their views on the proposed text of the Data Protection and Digital Information Bill. For an overview of the topics discussed at our Roundtable and of key changes proposed by the Bill, please see here. Our discussions focused on five areas and here we share with you key themes and concerns raised:

1. Legitimate interests whitelist

We discussed whether the UK government's intention to proceed with a very limited exhausted list of "recognised legitimate interests" was useful, welcomed, simply insufficient or whether organisations would want additional processing activities to be included.

Whilst some attendees welcomed the list of recognised interests, there was concern that a longer and more prescriptive list could make this lawful basis harder to rely on by defining the scope too narrowly. There was criticism that the initial proposed list was focussed on public sector tasks and had not considered any appropriate ones for the private sector. However, all attendees were in agreement that worked examples would be useful to ensure clarity and provide comfort to those relying on legitimate interests. Suggestions for additions to the list included (i) compliance with regulatory obligations such as those imposed by the FCA; and (ii) IT security purposes.

2. Anonymisation threshold

We discussed whether the UK government's intention to clarify the definition of personal data was helpful and whether it would make it easier to achieve anonymisation.

Members discussed that a change to the ICO guidance may have been more useful instead of implementing fundamental changes to the threshold, which may also impact UK adequacy. It was also agreed that the provision of practical steps and examples of successful anonymisation would be beneficial to help guide use of this new definition.

3. Approach to Cookies

The question posed for discussion was whether, in light of the government's proposal on cookies, organisations intended to changes its approach to cookies for UK websites/UK residents only or would continue to have a consistent approach across global websites, adhering to the higher standard under PECR.

Answers were the same across the board: they would all adopt a consistent approach across all global websites. Having two builds for cookie consent was unworkable, especially given that they had all invested considerable costs and resource in becoming compliant with existing PECR rules and didn't want to face any unnecessary cookie claims from groups such as NYOB.

4. Data transfers

Attendees were asked how they would approach data transfers and whether they would adopt the UK's 'Data Protection Test' or adhere to the EU's higher standard for assessing the laws and practices of a third country.

Members expressed a concern that the UK Data Protection Test may bring into question our adequacy decision if the UK could be seen as a "back door" for transfers of data out of the EU and UK to third countries.

Similar to cookie compliance, organisations in attendance had spent two years implementing 'Schrems II' compliant data transfer projects based on EDPB guidance so would not be carving up UK and EU transfers and having two assessments. However, some attendees spoke about being open to the possibility of adopting a more risk based decision making approach for UK transfers as part of the EU TRA process.

5. Reform of accountability network

The final question posed was whether attendees' organisation would look to have a separate UK regime and accountability for its UK entities/operations or would it continue as it.

Members discussed that such changes would create extra red tape, bureaucracy, costs and resource, which the Bill was initially trying to avoid and the proposed changes did not seemingly provide any benefit to consumers. Of particular concern was a new obligation imposed in the Bill to have more detailed records of processing than the requirements of the GDPR.

The overall consensus from attendees was that the Bill was not the answer for reducing burdens on business that it had been heralded to be. In fact, in many places the proposed changes would either be redundant and futile for global businesses or would require significant resource, time and efforts to implement changes which were simply in name, rather than substance.