
Written by Zlatko Delev

Posted on: January 19, 2023


UK Pauses Data Protection Reform

Whether you are a UK business or a business that stores or uses the data of UK citizens, the proposed reforms to the UK’s data protection laws will affect you. But what are the changes, what will their impact be, and why the delay to their implementation?

GDPR policies set to change?

In July 2022, the UK government published the Data Protection and Digital Information Bill[1]. The bill proposes extensive changes to the existing domestic data protection framework. If implemented in their proposed format the changes would enable UK data laws to deviate from the standards that apply in the EU under the General Data Protection Regulation (EU GDPR).

In October 2022, Department for Culture, Media and Sport secretary Michelle Donelan told the Conservative Party conference that the government would be “replacing” GDPR policies, a position from which she has since retreated somewhat for reasons we explore below.

What do the proposed data protection changes include?

The bill introduces numerous changes to the existing UK GDPR regime, including:

  • DPO role changes: The EU GDPR is accountability-centric and requires data controllers to maintain a record of processing and to produce Data Protection Impact Assessments (DPIAs). Organisations whose processing meets the GDPR's thresholds, including certain ‘large scale’ processing, must appoint a Data Protection Officer (DPO). The bill replaces the formal DPO role with a “senior responsible individual” who will no longer need to conduct DPIAs. Instead, they will be required to carry out assessments “of high risk processing”, although the bill removes the list of activities (present in the GDPR) deemed to be high risk.
  • DPOs now part of SMT: Where previously the DPO had to operate independently of senior management, the responsible individual must now be part of the organisation’s senior management team. This should make life somewhat easier for senior teams.

  • Expanded ‘legitimate interests’: The bill expands the list of “recognised legitimate interests”, that is, purposes for which a business can rely on its use of data being necessary for a legitimate business interest. Businesses relying on a recognised legitimate interest will no longer need to balance their interest against the rights of individuals in the way GDPR policies currently require.
  • Tackling unreasonable DSARs: Organisations will be able to refuse to answer or charge a reasonable fee for answering ‘vexatious or excessive’ data subject access requests (DSARs). The current ‘manifestly unfounded or repetitive’ threshold will be removed. The UK government’s anticipation is that this will make it easier for organisations to refuse requests that are clearly unreasonable, thus reducing the compliance burden on them.
  • Necessary cookie category expanded: The categories of analytics cookies defined as ‘strictly necessary’, i.e. as no longer requiring user consent will be expanded. Notably, the UK government has also indicated its ambition for further reform of the UK cookie regime towards an entirely ‘opt-out’ model as and when the necessary technology becomes available (e.g. via browser settings).
  • Fines increased: The bill brings the direct marketing penalties and ICO enforcement powers under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in line with those under the UK GDPR. Organizations carrying out direct marketing may need to reconsider their risk appetite in this area, as infringements could potentially incur a £17.5m / 4% turnover fine.
  • ICO changes: The bill restructures and renames the ICO. It will become the Information Commission, operating as an independent corporate body with oversight by the government.

What was the reaction to the reforms?

It’s fair to say the bill prompted a range of views. Michelle Donelan described the reforms[1] as “our own business- and consumer-friendly British data protection system”. The government has suggested[2] the changes could save businesses £1 billion over ten years.

Some data protection experts have described the reforms as less of a replacement and more a small step away from existing GDPR policies. Tech UK[3], the UK’s technology trade association, described the bill as striking a “sensible balance between reform and upholding a high standard of data protection rights” although it encouraged the government to go further.

Some MEPs[1], however, have described the plans as “appalling” and have questioned whether the UK/EU data adequacy deal, which eases the passage of data between the two entities, can survive the reforms.

It seems the data adequacy issue has caused the government to pause the passage of the bill. In November, Owen Rowland, deputy director for domestic data protection policy at the DCMS announced a fresh round of consultations[2], stating that “data adequacy with the EU is at the heart of the approach we are taking going forward”.

Time to seek data protection advice?

Whatever the final shape of the UK’s data protection laws, change appears inevitable. For UK business, or any overseas business which uses data on UK citizens as part of its operations, now is the time to talk to our data protection experts to find out how the data reforms are likely to affect you, so you can start putting plans in place to be/remain compliant.




References:

[1] https://bills.parliament.uk/bills/3322

[2] https://techcrunch.com/2022/10/03/uk-data-reform-bill-replace-gdpr/

[3] https://techmonitor.ai/policy/privacy-and-data-protection/uk-gdpr-data-reform-bill-brexit

[4] Tech UK

[5] https://www.politico.eu/article/we-were-taken-for-fools-meps-fume-at-uk-data-protection-snub/

[6] https://techmonitor.ai/policy/geopolitics/data-protection-bill-uk-gdpr-replacement-brexit
