Law Society of Scotland

Corporate: Developments and divergence in data

The UK’s data protection regime is in line for a shakeup, principally through a significant bill now before Parliament – which could mean an overall increase in complexity for some businesses
19th September 2022 | Emma Arcari

Recently there have been several developments in relation to data protection. On 18 July, the Government introduced the Data Protection and Digital Information Bill, together with a policy paper on artificial intelligence, and the next day, the Information Commissioner’s Office put forth its strategic three-year plan (“ICO25”) at its annual conference. On 21 July the US and UK released a joint statement announcing their intention to bring into force the Data Access Agreement.

Data Access Agreement

Taking the last development first, the agreement (signed in 2019) aims to further co-operation between the UK and US, by allowing investigators in both nations to gain better access to vital electronic data, and law enforcement agencies to access evidence needed to “bring offenders to justice”. Although the statement declares the agreement will not “compromise or erode… human rights and freedoms”, it will allow the US to access personal data and it is uncertain how this will affect the UK’s EU adequacy status. The agreement will come into force on 3 October 2022.

ICO25

ICO25 is open for consultation until 22 September and will be finalised in the autumn. One of the main initiatives proposed involves reducing compliance costs for businesses by publishing previous advice and additional compliance templates. However, given that the new bill will overhaul the ICO and its operations, how ICO25 progresses after the consultation should be carefully considered.

Data Protection Bill

The bill is long and complex, and aims to allow more innovation and reduce compliance burdens (but see below). Focusing on the many changes to existing data protection and privacy legislation, some of the notable changes currently proposed include:

Personal data – A more subjective approach would determine whether information is personal data or anonymous. This could have the effect of certain data being regulated in the EU but not the UK, and could affect the UK’s EU adequacy decision.

Cookies and tracking proposals – Again, contrary to the European route, the bill proposes to relax consent requirements regarding cookies, particularly for information collected for statistical purposes or in order to improve a website or service. Web users are also to be given the choice of opting in or out of cookie tracking while in a browser.

Data protection impact assessments (“DPIAs”) and records of processing activities (“ROPAs”) – DPIAs are proposed to be scrapped and replaced with the need to carry out an assessment of high risk processing (in what way this will differ from DPIAs is yet to materialise). Similarly ROPAs are to be replaced with a “record of processing personal data”.

DPOs – The obligation to have a data protection officer in some circumstances is to be removed. Instead, public bodies and high risk processing entities are to appoint a “senior responsible individual”, to be a member of, as opposed to reporting to, senior management. Without further guidance, this could mean external/outsourced DPOs will face issues.

The ICO itself – Significant changes are proposed here, with the abolition of the office of Information Commissioner, a new governance structure and the transfer of functions to a new statutory body, the Information Commission, with new powers (such as to compel individuals’ attendance at criminal/civil interviews). In short, the Government is proposing much more involvement with the new body (it has been described elsewhere as political control), which is along the lines of other regulators but again potentially at odds with the EU, should it consider there to be no UK independent regulator of personal data.

Automated decision making – The right of individuals to challenge automated decision making is proposed to be reframed and restricted to significant decisions, as opposed to decisions that produce legal or similarly significant effects. This will form part of the next discussion in relation to AI systems and proposed regulations on these.

DSARs – At the moment data subject access requests are to be treated as “purpose blind”, a right available no matter the purpose behind the request and in the majority of cases at no cost to the individual. The bill proposes a broader range of circumstances in which organisations can refuse to respond, or charge a fee where DSARs are regarded as “vexatious or excessive” (such as requests not made in good faith, intended to cause distress, or an “abuse of process”).

International transfers of personal data – Several significant changes are proposed, including a new “data protection test”, met if the standard of protection for processing is “not materially lower” than that of the UK GDPR and parts of the Data Protection Act 2018. However the requirement to consider whether the country has an “independent authority” (an EU requirement) would be removed; there would be a new requirement to consider “the constitution, traditions and culture of a country”, on which no guidance is available as yet.

Privacy and Electronic Communications Regulations 2003 – The level of enforcement fines is to be on the GDPR scale (£17.5 million or 4% of global turnover, whichever is higher), among other changes.

Legitimate interests – The existing balancing test for some activities would be dropped.

Access to customer/business data – Regulations can be proposed to make data holders disclose customer and business data to customers or third parties (as well as in relation to the processing/retention of such data).

The bill is at an early stage and we recommend paying close attention to its progress. If it passes, although there will be some wins for organisations (such as in relation to DSARs), they come at a cost of lowered standards for individuals, a potential dual regulatory approach for entities which operate internationally, greatly increased fines for marketing breaches and overall a general increase in complexity. Given some organisations are still reeling from GDPR, we remain hopeful that the UK will not lose its EU adequacy decision in relation to data, but taking into consideration the aims of the bill together with the US/UK Data Access Agreement, does this seem likely?

The Author

Emma Arcari, associate, Wright, Johnston & Mackenzie LLP
