Meet the expert: Henry Davies to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today. 

Henry Davies is Data Protection Lead at LikeWize. The role sees him responsible for all elements of the firm’s Data Protection Compliance programme in the EMEA region. He exclusively at PrivSec Global to discuss the UK government’s reform of Britain’s data protection regulation framework.

Below, Henry answers questions on his professional journey and the themes of his PrivSec Global session. 

NB: The views expressed in this interview are those of Henry Davies, and not the views of his employer.

Could you briefly outline your career pathway so far?

I was coming to the end of my Politics degree and was looking to start a career in anything other than politics. An opportunity as a Data Protection Analyst with Veolia UK & Ireland presented itself and I decided to take the plunge.

John Hield, the DPO, gave me a chance and I found myself in a career that I absolutely loved. Keen to take on more responsibility, my role expanded to Deputy DPO, and I took on significant projects including successfully implementing and managing the certification to ISO 27701 (Privacy Management) for the business.

I joined Likewize in May 2022 as the Data Protection Lead. The business was keen for me to refresh their data protection compliance programme ahead of their FCA authorisation. I now work within the Global Risk and Compliance team and am responsible for all data protection matters in EMEA. I also provide support in developing the privacy programme in APAC and US&C as well.

For me, hands-on experience comes first and qualifications come second, underpinning that experience. However, professional development is important to me and this year I finished my Master’s degree in Information Rights Law, achieving a score of 100% on my dissertation which was focussed on data protection implications of workplace monitoring. I also hold the CIPP/E and C-DPO certifications.

What are the primary changes to UK data protection law that will be introduced through the Data Protection and Digital Information Bill (No.2)?

Some of the key changes for me are:

• Legitimate Interests - there will be a list of “recognised legitimate interests”, inserted as an Annex. Processing under these recognised interests will no longer require a balancing test. There will also be more clarity around types of processing that might fall under the legitimate interests basis, by bringing some of the examples in the existing GDPR’s recitals into the text of the law itself.

• Data Subject Requests - the law will change the terminology around the threshold for refusing or charging a reasonable fee from “manifestly unfounded or excessive” to “vexatious or excessive”. The use of “vexatious” mirror’s the UK’s Freedom of Information Act.

• Data Protection Officers - the requirement for certain organisations to appoint a DPO will be scrapped. A new requirement to appoint a “Senior Responsible Individual” for organisations conducting likely “high risk” processing will be adopted. This is not a straight swap - the change to an SRI marked a change from the monitoring and advice focussed role of the DPO, to a person who will be actually responsible for data protection risks. 

• Records of Processing Activities - the requirement to keep a ROPA will be amended to only be required for likely high-risk processing, regardless of organisation size. The format and contents of the ROPA will also be less prescriptive than the current GDPR.

• PECR enforcement - the monetary penalties for infringements of the Privacy and Electronic Communications Regulations (cookies, direct electronic marketing, etc.) will be increased to the GDPR levels from the current £500k limit.

How do British businesses and data practitioners in the UK stand to benefit from these changes?

Well, this is a slightly controversial one! As is so often the case these days, a lot of the debate around these changes lack nuance. People seem to be so polarised; these changes are either going to save billions of pounds and make the UK a leader in data protection, or they’re going to bring about the death of data protection in the UK.

In reality, I really think that the Bill will have both positive and negative effects. On one hand, some areas that have been simplified and clarified will be useful to organisations - especially those without in-house expertise in data protection. 

For example, the change in terminology in the reason for a controller to refuse to handle a data subject request from “manifestly unfounded” to “vexatious” will give organisations more guidance (from the FOI use of the term) on when they can justify triggering this threshold. The clarifications around “compatible purposes” in relation to purpose limitation may also provide some much-needed certainty.

Many smaller organisations (especially charities) have been giving the DPO “hat” to an existing member of staff, often to someone whose role creates a clear conflict of interest (e.g. Head of IT, HR Director, etc.). As such, the change from a DPO to an SRI may be beneficial to these organisations. I certainly don’t think that the change will lead to mass DPO redundancies, or the death of DPO as a Service - if anything, these changes make it even more important to have data protection experts to advise your business.

As for some of the other changes, especially those which alter certain requirements, rather than remove them (e.g. DPIAs, ROPA), I am concerned that we risk creating an even more complex landscape - especially for organisations operating both in the UK and EU, which will now have to comply with two distinct regimes.

I also think there is an opportunity lost here not to consolidate the major data protection statutes (UK GDPR, DPA 18 and PECR) into one comprehensive Act.