The reform of the UK’s data protection regime: what to expect?
Shortly after Brexit, the UK Government re-evaluated its data protection regime and cross-border data processing. The Government concluded that the EU General Data Protection Regulation (EU-GDPR) was incompatible with the UK and represented an unreasonable administrative burden on businesses, particularly small businesses, including start-ups. The rationale was simple: overregulation of personal data could hinder innovation and block the development of data-driven enterprises in the UK.
To increase the attractiveness of the UK as a global data market, as part of the UK’s National Data Strategy, the UK Government launched the ‘Data: a new direction’ consultation on 10 September 2021, to help informing its new proposals to reform the UK’s data protection regime, following exit from the European Union. After months of consultation, the UK Government has now published its response (the “Response”).
The Response has five main areas of consideration: reducing barriers to responsible innovation; reducing administrative burdens; increasing trade and lowering barriers to data flows; delivering better public services, and reforming the Information Commissioner’s Office (“ICO”). The Response also sets what will be included in the “Data Reform Bill” (the “Bill”) announced in this year’s Queen’s Speech, and how the new legislation will reduce red tape and safeguard citizens’ privacy, while mobilising the UK cross-border trade and establishing the UK as a tech superpower.
But, in practical terms, how would this new Bill affect businesses, if adopted? In this article, we have highlighted key takeaways for businesses as to how the UK data protection regime will likely be amended in the following year.
Accountability framework
In terms of accountability, the Bill will replace the existing framework with a privacy management program that would be more flexible and still ensure accountability. Some of the proposed changes can be summarised as follows:
- Data Protection Officer (DPO) (Articles 37 to 39): the requirement to appoint a DPO will be removed, and replaced with a “senior accountable individual” who would oversee data protection compliance. The requirement of “independence” would no longer be needed.
- Data Protection Impact Assessment (DPIA) (Article 35): the Response sets out the proposal to remove mandatory DPIA requirements, which will be most likely replaced by more flexible risk assessment tools (such as personal data inventory). These tools could show that the company has identified and managed the risks of data processing, in a much more flexible way.
- Prior consultation requirement (Article 36): with the new Bill, this requirement will become voluntary.
Right to access
The data subject access requests (“DSARs”) gives data subjects rights to request various information about data that companies held on them. According to the Response, the
plan is to lower the threshold for refusing to respond to a DSAR from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive,’ which would align with the Freedom of Information regime (which applies to information held by the public sector). This means that businesses could reject DSARs that are “vexatious or excessive”.
Privacy and electronic communications
Tracking technologies: one of the proposals from the Response allows businesses to use cookies and similar technologies without consent where there is a legitimate interest and where it follows an ICO-approved sector code of authoritative guidance. Analytical cookies and similar technologies could also be treated the same as “strictly necessary cookies”. Furthermore, the UK Government will assess moving to an opt-out model of consent for all cookies. However, companies would still have to respect browser preferences set by users.
Read also
Direct marketing and nuisance calls: the UK Government plans to extend the soft opt-in regime to non-commercial organisations and supply safeguards to protect individuals who do not want to continue receiving communications. Communication service providers would have to report suspicious traffic transiting their networks. The ICO would be granted enforcement against companies based on the number of calls they generate (instead of the current criteria of connected calls).
Fines: enforcement for breaches in privacy and electronic communications would be aligned to the EU-GDPR level (fines of up to £17.5m or 4% of a business’s global turnover).
Cross-border data flows
Adequacy decisions as a transfer mechanism: the UK will tighten its approach to adequacy decisions regarding risk assessment and proportionality by considering countries’ legal traditions and operating contexts. Any judicial or administrative redress would be assessed for international data transfers. It would increase the assessment of adequacy decisions to “ongoing” from “every four years”.
New alternative transfer mechanisms: these new mechanisms will be considered, and it will empower the DCMS Secretary of State to recognise them. The reform also aims to revisit the importance of proportionality in international data sharing and allow data importers to act pragmatically and proportionately when using alternative transfer mechanisms.
Conclusion
The Response is one more step toward the UK’s data protection reform, with detailed legislative process to follow. Despite this, it is possible to say that the direction of the Bill highlights the UK’s desire to boost data-driven businesses, including international companies, and to make the UK more attractive in terms of cross-border data sharing. We will keep monitoring the next steps, so that we can keep you updated and provide advice on all matters pertaining to data protection. If you have any questions, please contact us as our team can assist you with this and other matters
