
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It amends UK data protection law, as set out in the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). While a small number of provisions came into force immediately, we are currently awaiting confirmation of when most of its provisions will come into force, which is expected to happen in stages over the next 12 months.
UK only
Most of the changes make minor adjustments relaxing data protection requirements. However, because the Act only amends UK law, this creates divergence from EU law. Organisations that must also comply with the GDPR will need to consider the practicalities of updating their policies and procedures for the UK only.
The key changes that will affect commercial organisations are:
- Complaints: Controllers must put in place a procedure to facilitate complaints about breaches of data protection law.
- Data subject access requests (DSARs): Rules making it easier to comply with DSARs previously contained in ICO guidance are now set out in the law.
- Cookies: Consent will not be required for certain low-risk cookies, on the condition that the controller meets transparency obligations and provides an opt-out.
- Smart Data and digital verification services: The Act gives the government powers to make regulations in connection with Smart Data schemes and digital verification services.
- PECR fines: Fines for breaches of PECR's marketing rules are increased to £17.5 million/4% of annual turnover.
- Automated decision-making: The rules on automated decision-making are relaxed if special category data is not used.
- International transfers: The "data protection test" for international transfers is lowered to a requirement that the standard of protection in the destination country is not materially lower than the standard under UK law.
Complaints
- The Act introduces a new requirement for data controllers to put in place a process to enable individuals to make complaints about breaches of data protection law.
- Controllers must facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically.
- Controllers must acknowledge receipt of each complaint within 30 days.
- Controllers must without undue delay take appropriate steps to respond to the complaint and inform the complainant of the outcome of the complaint. "Appropriate steps" include making appropriate enquiries into the subject matter of the complaint and informing the complainant about progress.
Action point: Put in place and follow a procedure for data protection complaints that complies with the Act's requirements.
Data subject access requests (DSARs)
- The Act's provisions on DSARs confirm rules that were previously set out in ICO guidance, which make it slightly easier to comply with DSARs.
- Where the controller reasonably requires further information to identify the information or processing activities to which a DSAR relates, e.g. because the controller processes a large amount of information concerning the individual, it may ask the individual to provide this information, and this stops the clock until the information is provided.
- The controller only needs to conduct a reasonable and proportionate search in response to a DSAR.
Action point: Review your DSAR procedure to consider whether you can update it to reflect the relaxed rules that were previously only set out in ICO guidance.
Cookies
- The Act relaxes the rules on cookies, providing that consent is not required for cookies used for:
  - statistical purposes with a view to improving the service/website;
  - customising/enhancing a website's appearance/functionality; or
  - providing emergency assistance.
- In relation to the first two of these purposes, the operator must provide the user with clear and comprehensive information about the purpose of the tracking and the right to opt out free of charge.
Action point: Review the relaxed rules on cookies and consider whether to update your cookie banner/notice to reflect these. The ICO has been focusing on enforcement of the existing rules on cookie notices, so compliance with the revised rules remains extremely important.
Smart Data and digital verification services
The Act gives the government powers to make regulations in connection with Smart Data schemes, which enable consumers to request that their data be directly shared with authorised and regulated third parties and establish a framework to ensure the security of the data. The government has stated that it initially intends to use these powers to extend Open Banking to a wider Open Finance scheme and make it easier for customers to compare energy prices.
The Act establishes a legislative structure for the provision of digital verification services, which are services which enable an individual's identity to be verified online without the need for physical documents.
Action point: Watch out for announcements about how the government intends to use these powers and consider how your organisation can use Smart Data and digital verification services.
PECR fines
- The Act brings the maximum fine for breaches of PECR's direct marketing rules into line with UK GDPR fines, by increasing it from £500,000 to £17,500,000 or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher.
- The ICO has remained active in enforcing PECR breaches so, while it remains to be seen how the new Information Commission exercises these increased powers, this change makes compliance with PECR's rules on direct marketing more important than ever.
- Note that this increase does not apply to fines for breach of the duty to notify the Information Commissioner of personal data breaches under PECR.
Action point: Note the increased fines for breach of PECR's marketing rules, bearing in mind that this has been a key enforcement area for the ICO.
Automated decision-making
- The Act relaxes the rules on automated decision-making. Previously, restrictions applied to all solely automated decisions based on personal data which produce legal or similarly significant effects on the data subject, but the amended restrictions only apply to such decisions ("significant decisions") which use special category data. Note that safeguards are required for significant decisions based solely or partly on personal data and based solely on automated processing.
- Significant decisions based entirely or partly on special category data may not be taken based solely on automated processing, unless one of the following applies:
  - the individual has given explicit consent;
  - the decision is necessary for entering into or performing a contract between the individual and a controller;
  - the decision is required/authorised by law; or
  - the decision is necessary for reasons of substantial public interest.
- Safeguards are required for all significant decisions based solely on automated processing. These safeguards must include measures which:
  - provide the individual with information about decisions taken in relation to them;
  - enable the individual to make representations about such decisions;
  - enable the individual to obtain human intervention; and
  - enable the individual to contest such decisions.
The Secretary of State has the power to introduce regulations supplementing these safeguards and clarifying how controllers can satisfy them.
Action point: Consider whether you can benefit from the relaxed rules, ensuring that you put the required safeguards in place. Monitor the publication of any regulations that supplement or clarify the requirements.
International transfers
- The amendments set out a new "data protection test" for international transfers: the standard of protection for personal data processing in the destination country is not materially lower than the standard under UK law.
- This is a relaxation of the current standard, which requires the destination country to ensure an adequate level of protection essentially equivalent to that ensured within the EU.
- When making a transfer, the controller or processor, acting reasonably and proportionately, must consider that the data protection test is met in relation to the transfer.
- The test also governs whether the government will approve transfers to a country. In addition, the government may consider any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the UK.
Action point: Review your procedures for international data transfers to ensure that you follow the correct procedure. While, for transfers of UK data, the Act only relaxes the test for the destination country's standard of protection for personal data processing and does not introduce new requirements, we recommend that you take this opportunity to check that you have implemented the changes required following the Schrems II decision and Brexit.