We are waiting for the 2nd reading date for the Data Protection and Digital Information (No. 2) Bill to be announced, and we plan to arrange some free webinars on its impact.
As it stands, it may be that it does not actually make much difference, and certainly, you should not have much to do if you can demonstrate compliance with the current UK GDPR.
A few observations for now:
- The requirement to keep records of processing activities is lessened, but a RoPA/Information Audit is a business asset, and it is difficult to see how you will be able to demonstrate compliance without it.
- The requirement to conduct DPIAs is lessened unless your processing is high risk (but how will you know whether it is high risk unless you conduct a DPIA?). DPIAs are a useful tool to help frame the right questions when considering a new use of personal data, a new technology, or a new project or campaign.
- The role of DPO may be replaced by an SRI (Senior Responsible Individual), but the responsibilities look similar.
- When relying on the lawful basis of legitimate interests, in some cases the balancing test will no longer be needed where the processing conforms to one of a series of pre-approved templates.
- The requirement for cookie banners will be eased, which will be welcomed by those who dislike having to accept settings on each new website they visit.
- Probably the most significant for our sector: the PECR ‘soft opt-in’ option for consent is being extended to non-profits (as well as lobbying groups and political parties). This is likely to have a significant impact, but as currently drafted the legislation looks like it will only apply prospectively. A consequence is that our CRM or fundraising databases may need to record, for each supporter, whether direct marketing by electronic mail (email, SMS, DM, etc.) relies on consent or on the soft opt-in. There is also the question of how acceptable this change will be to supporters and to the public in general.
More soon …