What we Expect to see in the Coming Months: GDPR
It looks like 2023 will be another busy year in data protection, with some significant changes expected to the UK data protection regime, as well as further guidance for employers from the ICO. We have set out some of the principal data protection themes relevant to employers below.
Updates to UK GDPR
In 2022 the UK government set out plans for a number of substantial updates to the UK GDPR. Discussions will recommence later this year. It is anticipated that the changes indicated by the Data Protection and Digital Information Bill will be the minimum changes made to the UK data protection regime. More far-reaching changes could be introduced in an attempt to reduce the burden on businesses.
The minimum changes that we expect to see that will affect the way in which employers deal with data subject access requests include:
- An amendment to the circumstances in which employers can say no and refuse to respond to a DSAR. The draft bill had proposed that employers can charge a fee or refuse to respond to a DSAR where the request is "vexatious or excessive". Previous governments had indicated a desire to move away from DSARs being processed where personal data or concerns about its processing are not the purpose of the request.
- A change to the definition of "personal data" so that it only needs to be considered whether an employer or others likely to receive the data are reasonably likely to be able to identify the individual in question. Essentially, this would be a more subjective test and may limit what is in scope of a DSAR.
Information Commissioner's Office Updates (ICO)
The ICO has indicated that it plans to provide individuals with a better understanding of how their information is used and accessed over the course of this year. Data subject access requests (DSARs) form a major aspect of this and the ICO has specified that it plans to introduce a new "subject access request tool" which will help individuals to identify where to send their requests and explain what they should expect from the DSAR process. It has also indicated that it will provide individuals seeking to exercise their rights with "easy to access answers" (that is, FAQs).
The ICO has also expressed its goal to reduce the burden or cost of compliance with data protection laws. It is seeking to accomplish this through a series of services, tools and initiatives "so organisations can benefit from the advice and support of the regulator when planning, innovating and managing information risk".
