By Sandip Patel, Aliant UK. The UK government has now introduced the Data Protection and Digital Information Bill (the Bill). Key take-aways are:
—the definition of personal data will be changed with a new part that would limit the scope of personal data using a ‘reasonable means’ of identification test.
—new conditions for determining whether the reuse of personal data (otherwise known as ‘further processing’) is permitted in compliance with the so-called ‘purpose limitation’ principle.
—revision of the ‘legitimate interests’ test.
—a number of changes that redefine and recast various aspects of automated decision-making.
—the requirement to designate a DPO will be replaced with a requirement to appoint a suitable ‘senior responsible individual’ to be responsible for data protection risks within their organisations or delegate that task to suitably skilled individuals.
—the data security requirement to implement ‘appropriate technical and organisational measures’ will be changed to ‘appropriate measures, including technical and organisational measures’ in order to give data controllers more flexibility in terms of the measures they put in place to demonstrate and manage risk.
—the current record-keeping requirements will be replaced with a requirement to maintain an ‘appropriate’ record of personal data.
—DPIAs will be replaced with ‘Assessments of high risk processing’.
Organisations should keep track of the Bill’s progress in order to be able to plan ahead for any changes that they may eventually need to make to their UK data protection compliance.
Read more: https://bills.parliament.uk/bills/3322