Following its post-Brexit promise for deregulation, the U.K. has released proposed reforms to its data protection laws as it looks to potentially move away from the European Union’s General Data Protection Regulation. The proposed bill aims to make data privacy laws in the U.K. more flexible and easier for organizations to comply with, as well as bolster innovation and research.
To be sure, the U.K. government said it remains committed to maintaining high data protection standards, and the changes likely won’t risk an adequacy decision. But the proposals could have an impact on entities doing business with the country.
Following Brexit, in September 2021, the U.K. launched a consultation over proposed changes to its data privacy regime. The results from that consultation, shared this June, show that the proposed reforms are more an evolution of the GDPR than a complete overhaul, said Simon Elliott, a partner in and head of Dentons’ data privacy and cybersecurity practice in the U.K.
“There’s nothing that strikes me in the proposals that should very obviously put the U.K. adequacy at risk,” Elliott said. “Throughout the process, the U.K. government has been trying to position this as an evolution, clarification of areas that are not clear or trying to fix areas that are just not working from a practical perspective currently, rather than a large-change revolution.”
That the proposed bill is fairly similar to the GDPR surprised some industry professionals who expected more extensive or ambitious reforms, Elliott said.
That being said, many global organizations that had invested significant resources to meet GDPR standards were relieved that no extensive revamping would be needed to meet new potential U.K. regulations, he added.
“There are certainly some changes that may be needed in the U.K., but actually there’s more flexibility that they can take in relation to the U.K. policy framework,” Elliott said. “But it’s certainly not a large overhaul that will be needed.”
“That’s clearly important in the U.K., both in terms of its global position, but also supporting a large digital economy agenda … driving more use of AI and other digital initiatives and technologies,” he added. “Ensuring others’ trust and high standards of data protection are important to build a foundation for these technologies. Plus it does mean that this adequacy decision should not be fundamentally at risk.”
While the U.K. government aims to maintain high levels of data protection, the proposed changes aim to reduce the burden put on small and medium organizations to comply with data privacy laws.
The proposed changes, among others, include removing the requirement to appoint a data protection officer and having organizations designate a “suitable individual” to oversee their compliance instead. Similarly, the record of processing activities would be replaced by what the proposal called a data inventory, a less detailed approach.
What’s more, the proposed regulation also seeks to remove certain perceived barriers to innovation and facilitate research in the scientific field by creating more flexibility on the way health data, previously subject to stricter requirements under the GDPR, can be processed.
While the proposed bill isn’t triggering a wave of concerns, Gabriel Voisin, a partner at Bird & Bird, an international Privacy & Data Protection practice, said that some suggestions did raise questions.
For instance, the suggestion that the Information Commissioner’s Office could be less independent after the reform than it is today could be a source of worry, he said, explaining that the bill would require the government’s approval for any form of statutory guidance issued by the ICO.
“We’ll have to see if that sort of hierarchy creates an argument that ICO is no longer independent in the way it can operate. That’s an example of where the debates and the reaction from Brussels will be interesting,” Voisin said.
For now, the proposed regulations are still a long time away from coming into effect. While the wording of the bill is unlikely to change dramatically until then, the timing for the bill is uncertain and will most likely be delayed by the wave of resignations from the U.K. government, including that of Prime Minister Boris Johnson, who announced Thursday he was stepping down.