The Data Protection and Digital Information Bill and the 2024 General Election
I’m typing this on the third of July, the day before the 2024 general election.
Once a general election is called, Parliament is dissolved, and any unfinished business is lost at dissolution. In the short "wash-up" period before dissolution some Bills can be fast-tracked through to Royal Assent; those that aren't are treated as having failed. The Data Protection and Digital Information Bill (the DPDI Bill) is one of the failed Bills. That doesn't mean it'll never see the light of day, though.
After the general election, a Labour government may resurrect the Bill as is, replace it with a new Bill of their own, or do nothing with it at all. If they choose to replace it with a Bill of their own, they may well cherry-pick elements from the Bill and include them in their new Bill.
If we have another Conservative government, the Bill will still need to be re-introduced in the new Parliament. Its journey to becoming law doesn't simply carry on from where it left off.
So what the future version of the DPDI Bill will look like isn't clear. That it's probably going to change might not be a bad thing: there are many flaws in the DPDI Bill in its original state.
Benefits You’d Never Benefit From
Right now, you should have a data protection framework of policies and procedures governing your data processing activities, in compliance with the UK GDPR and the Data Protection Act 2018 (DPA2018).
If you also process (or may process) the personal data of individuals in the European Union, then your framework must also satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679). And remember that simply having a website accessible from Europe, with a Contact Us form on it, means you could be gathering personal data from people in the EU.
Nobody wants the overhead of running two data protection frameworks. Instead, you write your procedures to satisfy the most restrictive requirement of each framework. For example, if one regulation gives you 28 days to do something and the other gives you a calendar month, you use 28 days in your procedures. That automatically satisfies both.
The DPDI Bill adds a third regulation to the mix.
Much of what's in the DPDI Bill loosens the DPA2018 requirements. But if you have to satisfy the tightest requirements across all the regulations you comply with, a new, slacker set of requirements won't materially change anything.
Continuing with our (fabricated) example: if the DPDI Bill gave you 40 days to do that something, it would make no difference to you. Your procedures would still need to meet the 28-day stipulation of the tightest regulation.
Less Clarity, More Judgement
The clearest parts of any Act are the clauses that are unequivocal: black and white, requiring no interpretation or judgement.
The harder parts to work with are those that rely on judgement. If any of your data processing comes under scrutiny, whoever sits in the role of arbiter (the ICO, or a court) may disagree with your judgement.
As it stood at the dissolution of Parliament, the DPDI Bill required more judgement calls to be made, even on fundamentals such as when information should and shouldn't be treated as personal data.
Directly and Indirectly Identifiable Personal Data
Right now, any information relating to a living individual who can be identified from it, directly or indirectly, whether on its own or in combination with other information, must be treated as personal data.
The DPDI Bill splits “identifiable” into directly identifiable and indirectly identifiable.
Directly identifiable means the information you hold is itself enough to identify the data subject.
Indirectly identifiable means you would have to obtain additional information, or take some extra steps, to identify the data subject.
Under the Bill, information is personal data only if the living individual is identifiable by reasonable means at the time of the processing, either by you or by another person who obtains the information as a result of your processing.
That raises the question: what are "reasonable means"? The Bill defines that for you:
“…an individual is identifiable by a person “by reasonable means” if the individual is identifiable by the person by any means that the person is reasonably likely to use.”
That doesn't really help, because the techniques, resources and expertise that "the person" is reasonably likely to use depend on who that person is and what skills and resources they have. A motivated attacker holding a stolen dataset to cross-reference against yours has very different "reasonable means" from a clerk in your back office.
Here's why this matters. If the data doesn't directly or indirectly identify the data subjects, it isn't personal data, so a breach of it isn't a personal data breach: no notification to the regulator, no notification to the data subjects.
But if you've made an error of judgement and the data really should have been treated as directly identifiable, you're in breach of the obligations to report the breach, to contact the data subjects, and so on.
Likewise, if you've decided the data isn't indirectly identifiable by reasonable means and you're wrong, you're in breach of the reporting obligation.
The only safe way around this is to categorise and treat all personally identifiable data, direct and indirect, as personal data, and to process and safeguard it as you do now under DPA2018. Re-identification of supposedly anonymised datasets is well documented, and the arbiter judging your call will have the benefit of hindsight.
This is just one example from the DPDI Bill of a relaxation we recommend you don't put into service, because the risks and penalties of an error of judgement are too high. Run as you are, satisfying DPA2018, and you'll be compliant with both.
The DPDI Bill is 212 pages long, and so far we've only discussed the first two pages of Section One!
Obviously we can't go through all of it in this detail, but what we've covered so far should give you a flavour of the problematic way this Bill has been put together.
There are many other areas where judgement replaces mandatory action. Do you still need to perform a legitimate interests assessment, or a data protection impact assessment (renamed an "assessment of high risk processing")? Do you even need a record of processing activities any more?
Crawling from the Wreckage
The only thing we can do is wait and see how much of the old Bill the new government brings forward, then apply the same principle: write your procedures to satisfy the most demanding of the GDPR, DPA2018 and whatever the DPDI becomes.
That side-steps most of the issues with the DPDI. Even then, you'll be duty bound to implement some of it, such as the new right to complain to the controller.
Let's see how much of the DPDI Bill survives the mayhem of the 2024 General Election.