Page 27 - PWM2023_November EBook

BETTER BUSINESS





regime, the obligation to maintain records of data processing will only apply to organisations that carry out high-risk processing activities”.

Further, the role of the data protection officer will be replaced with that of the senior responsible individual (SRI). On this Burgess says that “organisations will only need to appoint an SRI where they are a public authority or otherwise are engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions”. Interestingly, Modiri notes that “there will be no requirement for that individual to have any particular data protection expertise. Rather, that individual can seek advice and outsource functions to organisations as they see fit”. And in a move to speed up certain business processes, the bill proposes a ‘digital verification services trust framework’ with providers of digital verification services being accredited and listed on a DVS register. Burgess explains that ‘verification services’ means “services provided at an individual’s request that involves ascertaining or verifying a fact about the individual from information provided by another source”.

In essence, this means that once an individual has created a digital identity, they may be able to re-use it to assert their identity (or something else about themselves). Burgess is thinking here about an individual’s age or address with the ability to share certain facts rather than a whole document.

And there are changes to rules around the use of artificial intelligence (AI) – a concern for Burgess. She explains that under the UK GDPR as it currently stands, “solely automated decisions (including profiling) that produce ‘legal or similarly significant’ effects on data subjects may only be carried out where it’s necessary for entering into or performing a contract between a controller and a data subject, it’s required or authorised by law or the data subject has given their explicit consent”.

As she reads it, the bill amends the law so that automated decision making is not restricted to these circumstances which might make it easier for organisations to use AI in some situations, for instance when screening job applications. However, Burgess points out that “a ‘significant decision’ based entirely or partly on special category data which covers, for example, race, religion, sexual orientation, etc, may not be taken based solely on automated processing unless certain conditions are met”. There is one other change that Burgess wants to highlight: the rules around website cookies which are to be relaxed as part of the drive to cut ‘red tape’. This means that “a website operator would be able to place certain types of cookies, including statistical and location cookies without the need for obtaining the current ‘pop-up’ consents”.

More cost?

It should be said that while the government seeks to ease the burden on UK firms, those with operations in the EU will still need to comply with the EU GDPR, and so, as Burgess notes, “it may be cheaper for them to continue to follow the current regime in the interests of consistency - to the extent that is possible under the new bill. If they choose to adopt separate compliance programmes for their EU and UK operations, that is likely to increase, rather than reduce, costs”.

Modiri holds a similar view saying that “those doing business solely in the UK, who do not have expansion plans to EU, may find it easier to comply only with UK laws once the bill is finalised; any multinationals may choose to do the same in relation to their UK-only data processing activities which may reduce costs”.

Data protection trials

One of the biggest data protection bugbears for organisations can be dealing with data subject access requests (DSARs). DSARs can be a significant burden, and while this right is maintained under the proposed new regime, there are new protections for organisations. Modiri says that “there will be a proposed amendment to the exemption that businesses can use to charge a reasonable fee or refuse to respond to a request that is vexatious or excessive”. This change not only has the potential to reduce paperwork and costs, but can help guard against disgruntled individuals seeking to weaponise their data. However, Burgess cautions that “it will be the data controller’s responsibility to prove that a request is vexatious or excessive. As the bill is currently drafted, it is anticipated that there will be debate on a case-by-case basis as to whether the threshold has been met”.

New penalties proposed

Of course, for legislation to be effective it needs to be able to wave a stick at offenders. Currently, there is a disconnect between harsh penalties for pure data protection breaches and those for infractions of electronic marketing under the Privacy and Electronic Communications Regulation (PECR).

The bill proposes changes that Modiri approves of because they seek to “align the fines for nuisance calls and texts under PECR with those under the UK GDPR”.

The bill is not in finalised form yet, however it does highlight the main areas of planned reform. The changes introduced are not radical, however data protection is a serious matter and organisations should ensure they fully understand the implications of the current law and the proposed changes.

      www.printweekmena.com                                                                   November 2023 PrintWeek MENA 25