by James Dungate
In 2022, the UK Government introduced a Data Protection Bill. This was to capitalise on benefits presented by Brexit and the subsequent decoupling from the GDPR, enacted in the UK as the Data Protection Act (2018).
The overarching goal of the bill was to reduce bureaucracy and improve flexibility around the use of personal data in UK organisations, as opposed to a comprehensive reframing of the UK’s data protection regime. There was also a concern about erecting further barriers to trade with the EU and single market.
What are the key proposals and how do they impact charities?
Charities will be allowed to make use of the soft opt in. This means that marketing emails could be sent to supporters who had provided details whilst supporting the organisation previously, but had not opted into marketing communications. Examples of support include but are not limited to donating, registering for an event, enquiring about volunteering or signing a petition. This relates to electronic channels, not postal communications as they are sent under legitimate interest as opposed to consent.
There will no longer be a requirement for organisations to have a Data Protection Officer (DPO). There will be a requirement to have a Senior Responsible Individual (SRI) instead. These roles are superficially similar, but differ in that the SRI must be a member of the Senior Management Team and can’t be outsourced to a third party.
Legitimate Interest as a basis for processing will potentially be expanded with the publication of a list of recognised legitimate interests that do not require balancing against the fundamental rights of the data subject. This is however unlikely to affect fundraising and engagement teams, rather interests such as safeguarding.
Record keeping requirements may reduce in certain situations where the processing is not “high risk”. However, there is no clarity on how “high risk” is defined and any decision to not record activities should be considered through a stewardship lens as well as a legal one.
Will the bill progress in the new parliament?
The bill has passed second reading in the House of Lords and had been scheduled to receive Royal Assent (i.e. become a law) before the summer 2024 parliamentary recess. However, this bill was not fast tracked prior to the dissolution of parliament ahead of the July 2024 general election.
As such, the bill will need to be re-introduced by the incoming government. On the assumption that polls are correct and the new government will be Labour, it is likely that there will be some form of bill tabled. This is to further the stated manifesto goals of developing the UK’s AI sector, removing planning barriers to build new data centres and co-ordinating data focussed research programs through a National Data Library. However it is not clear if any of the key issues mentioned above will be included in any bill presented.
In the event of a Conservative lead government, it is likely that the bill will be re-introduced, although this is not explicitly mentioned in the manifesto. Whilst the exact form in which this would happen is unclear, it is likely that the key provisions will be broadly similar.
The original bill was initially presented in July 2022 and had not passed in nearly two years. As such, it is reasonable to assume that any bill presented by the new government will not receive Royal Assent before 2026.
What does this mean for charities?
Fundamentally, this is in “watch and wait” status. Whilst there may be an evolution in regulatory frameworks, until there is more clarity on the future the best use of time for organisations at present is to make sure core data governance principles are being efficiently and effectively followed.
That means having a well managed consent program, a clearly documented and actioned retention schedule, clear SAR/Right to be Forgotten processes, publicly facing privacy policy (that is enacted in practice) and so forth.
Productle is very well placed to assist clients who would like any support in these areas. Please do not hesitate to get in touch with us for an informal chat!
Sources
What Happened to the UK’s Data Protection and Digital Information Bill? | Privacy World
Data Protection and Digital Information Bill - Parliamentary Bills - UK Parliament
Data Protection and Digital Information Bill (parliament.uk)
Change Labour Party Manifesto 2024