In March, the UK government reintroduced the Data Protection and Digital Information Bill. First mooted in July 2022, the original bill was withdrawn to allow ministers to consider the legislation further.
This is a comfort to Holmes-Lewis as she says the complexity of data protection law has meant some organisations have taken five years to fully understand the 2018 legislation.
As the use of AI in HR has grown, so too have the risks. Burgess points out that under UK GDPR, solely automated decisions that produce ‘legal or similarly significant’ effects on people may only be carried out where it’s necessary for entering into or performing a contract between a controller and a data subject; if it’s required or authorised by law; or the data subject has given their explicit consent.
However, she considers it helpful that the bill amends the UK GDPR so that automated decision making is no longer restricted to these circumstances, which might make it easier for employers to use AI in situations such as screening job applications.
Though a promising development, Potts says the bill changes very little in respect of AI. He adds that it may allow broader data sets to be used in the course of research and development, without the burden of requiring renewed opt-ins each time the research purpose evolves.
Timeline of UK GDPR law
14 April 2016 – General Data Protection Regulation (GDPR) is adopted by the European Union, including the UK. It sets out the rights and obligations for most employers when processing personal data.
23 May 2018 – UK legislation augmenting GDPR receives royal assent, including criminal offences for recklessly obtaining personal data without consent.
25 May 2018 – GDPR law becomes enforceable in the EU.
31 December 2020 – The Brexit transition period ends. Vestigial EU law, including GDPR, is transposed into UK law; GDPR is now known as ‘UK GDPR’.
11 March 2021 – Government announces intent to reform GDPR, to help drive economic growth.
18 July 2022 – Proposed GDPR reform bill laid before parliament.
6 September 2022 – Liz Truss takes over as prime minister, government delays second reading of GDPR reform bill.
8 March 2023 – GDPR reform bill withdrawn. A new version, the Data Protection and Digital Information (No. 2) Bill, is introduced.
What the bill does not do, Potts says, is provide any codification of the law around AI. He says that this remains an unlegislated area, with the closest provisions to any kind of guidance being the EU’s regulatory framework proposal on AI.
From a legal standpoint Burgess says the bill addresses certain AI-related risks. She gives the example of a ‘significant decision’ based on special category data – race, religion, sexual orientation, etc. – that may not be taken based solely on automated processing unless certain conditions are met.
Importantly, such significant decisions require safeguards for a person’s rights, freedoms and legitimate interests. These include providing a data subject with information about decisions made about them, and enabling them to make representations about the decision, to ask for human intervention and to contest it.
These safeguards are essential, says Holmes-Lewis. She cites plans for an AI rule book to run alongside the bill that will be regulated by Ofcom and the Competition and Markets Authority. She says: “Safeguards will create greater public confidence in AI and how data is used to ensure that it’s safe, technically secure, transparent and fair.”
Burgess too is hopeful that by clarifying the circumstances when robust safeguards apply to automated decision making, confidence in AI technologies will increase.
Another part of the bill deals with what Potts refers to as the ‘weaponisation of data’ by employees – a frequent frustration for HR managers. Potts says: “The bill will assist HR managers in shielding their businesses from vexatious data subject requests and will also give the ICO the power to reject complaints relating to such requests.”
In more detail, Burgess says that under the proposed new regime, businesses will be entitled to charge a fee for or refuse to act on requests considered ‘vexatious or excessive’. She adds that it will be the data controller’s responsibility to prove that a request is vexatious or excessive.
Interestingly, Holmes-Lewis doesn’t see the bill giving employees more rights over their personal data. In fact, she thinks the opposite is true as the bill describes what is a reasonable request.
While many aspects of the reform bill clarify existing law that has become muddied in places, the basic principles of GDPR are unaffected, and companies that already comply with the current law won’t need to make radical changes. It is hoped that the burdens on employers will be eased, but the results will take time to become apparent.
The full version of this article first appeared in the March/April 2023 print issue.