The U.K. government last month announced plans to reform the country’s data privacy laws, with the key driver being to simplify procedures for businesses and reduce “red tape.”
The Data Reform Bill will focus on outcomes rather than box-ticking compliance to allow “more flexibility” and reduce unnecessary burdens on businesses, the government stated in a June 17 press release. For example, organizations will no longer need to have a dedicated data protection officer (DPO) but will still be required to have a privacy management program in place to ensure they are accountable for how they process personal data.
Data protection impact assessments will no longer be required, nor will it be necessary to maintain a record of processing activities. They will be replaced by personal data inventories, which will record where personal data is held, why it has been collected, and how sensitive it is, though this will not necessarily be in a prescribed form.
Regulatory attention will focus on the areas where there is more risk of harm, allowing organizations with a low risk of data privacy violations to operate without “unnecessary” form filling.
Other key changes include:
- Getting rid of cookie banners and allowing users more control to set an overall approach to how their data is collected and used online, such as via their internet browser settings;
- Simplifying the legal requirements around obtaining consent over the use of personal data to carry out medical and scientific research;
- Increasing fines for nuisance calls by raising the current maximum from 500,000 pounds (U.S. $599,000) to align with the GDPR’s totals of £17.5 million (U.S. $21 million) or 4 percent of global revenue;
- Modernizing the Information Commissioner’s Office (ICO) so it has a chair, chief executive, and board;
- Revising the U.K. GDPR framework to make it clearer what the ICO’s duties and objectives should be; and
- Setting up an International Data Transfer Expert Council to help the United Kingdom innovate new data-driven technologies and advise on data adequacy agreements with third countries.
Legal experts believe the proposed reforms will not radically alter the existing data privacy landscape, meaning companies that are already compliant with the U.K. GDPR should not face any additional burdens.
Isabel Simpson, global data protection lead for KPMG Law, said, “An agile, pragmatic, proportionate approach to how information is stored and managed is welcome.” She added, “It is right to have controls in place that are appropriate for the size and type of organization, rather than a blanket approach.”
Fred Saugman, senior associate at law firm WilmerHale’s U.K. white collar defense and investigations team, said the country’s approach to adequacy decisions “suggests a potential loosening of the standards and could result in the first significant difference between the EU and U.K. regimes.”
Lillian Tsang, senior data protection and privacy solicitor at law firm Harper James, said such divergence “may put any future adequacy decision at risk and therefore make transferring personal data outside the U.K. very complex and burdensome.”
Tsang added the EU-U.K. data adequacy decision contained a “sunset clause” aimed at protecting the European Union against future divergence by the United Kingdom from the GDPR. This clause limits the duration of adequacy to four years, after which it might be renewed only if the United Kingdom continues to ensure an adequate level of data protection.
The European Commission has been clear it will continue to monitor U.K. compliance during this period and could intervene at any point.
Indeed, fears over possible divergence with the European Union might prompt companies with operations in the EU to follow its GDPR instead for more assurance.
Emily Cox, partner and head of media disputes at law firm Stewarts, said the proposed changes to the U.K. law “carry risks that are unlikely to be adopted by businesses which are also subject to EU law.”
Darren Wray, head of data protection solutions at IT firm Donnelly Financial Solutions, said removing the need for a DPO “puts the U.K. at a loss” because “in other countries, the role of DPO is recognized and requires qualification and certification.”
He also questioned why the reforms would wish to water down data protection, especially around sensitive personal information like medical data.
Wray warned softening the rules so personal data can be “legitimately” used for a different purpose than was identified at the point it was initially collected “could become a free-for-all, with organizations deeming all purposes to be legitimate.”
Ryan Gracey, partner at law firm Gordons, said the changes to the ICO could be “potentially significant” if the European Union believes the regulator is not sufficiently independent from the U.K. government—especially if the U.K. GDPR diverges further or the United Kingdom tries to conclude data adequacy agreements with countries the European Commission does not believe offer similar levels of data protection.