The law is often criticised as being outdated and archaic. As a profession we often rely on statutes and case law which are many years old and which haven't been amended for long periods of time – not a criticism that can be levelled at data protection law.

In fact, many organisations struggle to make sense of the constantly changing data protection regime and how best to comply. The introduction of EU GDPR, the Data Protection Act 2018, UK GDPR and the wider implications of Brexit on data protection compliance have caused uncertainty about exactly what organisations need to do, and when. For those organisations that send personal data overseas, the road to compliance has been particularly bumpy.

Further proposed changes in the form of the Data Protection and Digital Information Bill were also formally shelved on 8 March 2023 when the Bill was withdrawn and replaced by the Data Protection and Digital Information (No. 2) Bill. According to the UK Government press release "the new regime [is] built on the UK's high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the 'one-size-fits-all' approach of European Union's GDPR". In contrast to some EU legislation the Bill places emphasis on the value of personal data to UK business. It remains to be seen how data privacy and business needs will be balanced in practice, but the change in mood music is clear.

While the raft of changes to data protection legislation over the last 5 years has presented challenges for organisations trying to comply with data protection law, it is also interesting to note the change of tack from the Information Commissioner's Office and how this will affect individuals concerned about the way in which their data has been used.

In a speech given on 8 March, the Information Commissioner referred to a number of key areas where the ICO has "done a lot over the past year to make a difference to those we regulate". The Commissioner was clear that this also meant that "we've also had to stop doing some things, to ensure we can focus our attentions and effort on the issues that matter most to people. We needed to be more conscious of the choices we were making and the consequences of these. Part of this means being more deliberate about what we investigate".

The indication seems to be that individual complaints about isolated incidents will not be a priority. With limited resources and an increasingly data-rights-aware society, it is inevitable that the ICO cannot investigate every complaint made. However, that will be of little comfort to individuals who feel they are without recourse, particularly those without the resources to litigate.

A date for the second reading of the No.2 Bill has yet to be fixed but no doubt further changes to the UK's data protection regime are on the horizon.

Originally published 10 March 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.