In September 2021, the government launched its consultation to draw proposals for substantial changes to the UK Data Protection Laws that were less stringent than the EU GDPR but still covered all the important data protection rights. The UK government has said that the focus of this reform is to create a trusted data protection regime that is also more business-friendly, eliminating excess obligations on businesses.

Why these changes now?

Currently, the UK is using the UK version of the EU GDPR, which is mostly similar, with very few minor changes. The UK GDPR reform brings some changes to the existing data protection laws, but the main parts, including the basic principles of GDPR, remain unchanged, due to the rejection of several of the more significant changes. The move to reform the UK GDPR was not surprising, as one of the intended benefits of Brexit was the freedom to regulate in a more proportionate but also vigilant manner that works for British businesses, encouraging innovation and growth while at the same time providing more protection.

Companies using the current UK GDPR need not adapt to these changes if they do not wish to. Complying with the UK GDPR makes them automatically compliant with these changes too, since the changes are a more liberal version of the UK GDPR.

What’s Changed?

The Department for Digital, Culture, Media and Sport (DCMS) described the EU GDPR as highly complex in terms of compliance, which held back UK businesses, and hence proposed changes that give UK businesses more dynamic use of data and fewer formalities to comply with. Following the response to the consultation, several changes were proposed, categorized into 5 broad sections, namely to:

  • Reduce barriers to innovation;
  • Reduce burdens on business and deliver better outcomes for people;
  • Boost trade and reduce barriers to data flows;
  • Deliver better public services;
  • Reform the ICO.

These sections mostly discussed how more liberty could be given to businesses in terms of data processing, reducing formalities and replacing them with a less formal approach to securing data.

Major changes

Among the major changes, the following are considered to be the most significant:

  • Replacing a DPO with a suitable senior official for Data Protection Compliance: The UK reform requires companies to designate a senior company official with DPO responsibilities. This will shift data protection responsibility to senior levels and hence create an organization-wide data protection atmosphere.
  • No Record Of Processing Activity (ROPA) & Data Protection Impact Assessment (DPIA): Under the new changes, the government wants businesses to maintain a privacy management programme that describes what personal data is held and where, why it has been collected, and how sensitive it is, but they will not be required to do so in the way prescribed by Article 30. The same programme will also ensure there are risk assessment tools in place for the identification, assessment, and mitigation of data protection risks across the organization, but not a DPIA as per Article 35. Basically, both will be less formal versions of the existing GDPR obligations to keep track of data processing and its safety.
  • Use of legitimate interest as a legal basis: The government wants to provide a limited, exhaustive statutory list of low-risk purposes for which legitimate interests can be applied by default, to accommodate more personal data access and personal data sharing for research and other purposes.
  • Reducing cookie permissions: With this change, the UK plans to enhance the user experience by removing unnecessary cookies and eventually doing away with cookie banners altogether. For this, website owners need to make sure that they give web users clear information about how to opt out.
  • Creating an alternative transfer mechanism to make data flows easier for international data transfers.

By accepting these changes, the government has shown more faith in British businesses to properly comply with data protection laws even with a liberal approach. These changes will also provide more power to the Information Commissioner’s Office (ICO), along with more responsibilities to regulate. Some changes also affect data subjects' rights around access requests: businesses can refuse an access request if they find it to be excessive, and can even charge fees in some cases.


The changes accepted by the UK Government to the existing data protection laws appear to be more political, with an approach aimed at making things easier for British businesses. Some believe that this is the way the UK is exercising its newfound freedom after Brexit, and others have welcomed the changes, claiming them to be cost-effective and pro-growth for the economy. Privacy advocates are concerned about a reduction in privacy standards and safeguards: even in a stricter GDPR regime, businesses are looking for loopholes to exploit people’s data, and if the regulations are liberalized it will only make them exploit more. How this will impact the relationship between the EU and the UK will depend on how these changes are implemented and what impact they bring in practice. The UK Government has provided assurances that these changes will not affect the high standards of data protection enforced by the ICO in recent years.

At the moment, the UK is granted an Adequacy status by the EU, which means it has a level of data protection equivalent to that in the EEA, so a data transfer is treated like a transfer within the EU, with no additional safeguard requirements to comply with. Under these changing scenarios, the question of the Adequacy status will turn on how responsibly businesses behave when given more freedom and how efficiently the ICO regulates under a liberal data protection law regime.