
Written by Zlatko Delev

Posted on: March 23, 2023

Change to UK Data Protection

GDPR Changes: What’s Happening With the Digital Protection and Digital Information Bill?

The UK Data Protection Bill is back and much of it offers hope for UK businesses. If it can make it through Parliament, that is… something its predecessor failed to achieve. GDPR Local founder Adam Brogden looks at the challenges and opportunities it could offer.

Everyone loves a sequel. The Data Protection and Digital Information (No.2) Bill is, as you might imagine, the successor to The Data Protection and Digital Information Bill, whose passage through Parliament was halted when Liz Truss’ premiership began and has since been rebooted under Rishi Sunak.

Finally, it looks like it’s making real progress and, as the UK Government is desperate for some good business news, I suspect the bill will make it over the line and into law this time. That is, providing it’s through Parliament before the next election cycle gears up; otherwise it may still get kicked into the long grass.

That would be a real shame because, having studied the bill, we think there are some very important and useful changes. Fingers crossed, then…

Cutting the complexity

GDPR is way too complicated. The regulations, documentation and processes are the same whether you are a sole-trader or a huge company – which can’t possibly be correct. We often start training courses by reminding people that although GDPR is a legal requirement, there is very little information on how a company should actually implement it or how they should demonstrate compliance. This can make compliance difficult to achieve and always leaves some element of risk.

Any reduction in complexity is good news for UK businesses – so let’s hope the new bill makes all our lives a little easier.

What changes will the new data protection legislation deliver?

According to the headlines of the draft bill, there’s a lot of simplification promised, including: 

  1. Reduced complexity
  2. Reduced paperwork
  3. Reduced cookie pop-ups
  4. Removal of the need to process vexatious subject access requests (SARs), with the potential for easier rejection and the ability to charge a fee (“vexatious” being a notable downgrade from the “manifestly unfounded” language of the Data Protection Act 2018)
  5. Simpler international data transfers
  6. Increased fines for spam texts and calls
  7. Greater clarity over new technologies such as AI
  8. Removal of the need for a UK Representative. This will be replaced by the need for some companies to appoint a Responsible Person who, according to the bill, will have a broader and more clearly defined role than the existing Article 27 representative.

What’s missing from the GDPR changes?

What seems to be missing from the bill is anything about enforcement. Until now, the Regulator’s approach to fines has been quite brutal. Although the ICO talks about being fair and proportionate, in practice the fines have often seemed punitive and disproportionate. The ICO’s response has frequently been unpredictable. Sometimes it has been just plain baffling. 

Also, it’s not clear how the UK version of GDPR will run alongside its EU counterpart. EU GDPR will still apply to any organisation processing the data of EU citizens so companies can’t simply dump all their EU GDPR processes. It would be chaos if a company had different rules for processing SARs relating to UK and EU citizens.

The Digital Protection and Digital Information Bill – our take

Overall, and subject to the notable caveats above, we are encouraged by the bill. Any reduction in complexity will make all our lives easier. My personal favourite changes are the removal of the need to respond to vexatious SARs – something that’s long overdue – and the removal of cookie banners.

In terms of our mission at GDPR Local – to increase awareness and understanding of data protection laws, to improve data security for citizens and make life easier for businesses that deal with data – we believe any change in regulation will result in increased GDPR awareness. More companies are likely to review their position regarding data. More companies are likely to change their approach. All of this is good for business and good for their customers.

The Article 27 elephant

Perhaps the most eye-opening change in the bill is the removal of the requirement for companies outside the UK who process UK citizens’ data to have a UK-based Article 27 Representative. 

In reality, we don’t expect this to impact our service negatively. GDPRLocal provides so much more than just a UK Representative service and we will continue to support our clients in all aspects of GDPR and other data protection frameworks. 

In addition, the need for some companies to appoint a Responsible Person will in many cases result in more companies looking for data protection officer services to support this important and challenging role. Practically speaking, if (or when) the UK Article 27 requirement is removed, we will replace this service with our ongoing compliance service to ensure our clients have access to the support they need.

In the meantime…

Until the bill’s progress is complete, GDPR will continue as ever. SARs will still be raised. Supplier questionnaires will still need to be completed. Staff will need to be trained and the Regulators will be just as unpredictable as they’ve always been. 

Our EU Rep service will still provide reassurance, and our consultants will still provide the support, guidance, and practical help you need. For help, access all our GDPR consultancy services here.

I’ll be watching this bill with interest…

Find the bill here:

https://publications.parliament.uk/pa/bills/cbill/58-03/0143/220143.pdf

Contact us

We hope you find this useful. If you need an EU representative, have any questions about GDPR, or have received a SAR or a request from the regulator and need help, contact us at any time. We will be happy to help...
The GDPR Local team.
