Businesses in the UK have been operating under the framework of the General Data Protection Regulation (“GDPR”) ever since it was introduced by the EU in May 2018. Up to now, Brexit has not changed this, as the GDPR has simply been retained in UK law in essentially the same form.
However, with the UK no longer being bound by EU law, there is now some scope for the UK’s data protection regime to diverge from the EU’s. This process began on 9 September 2021, when the Department for Digital, Culture, Media and Sport (“DCMS”) announced that it was seeking to reform the UK’s data protection laws for the post-Brexit world. A consultation commenced on 10 September 2021 which remains in discussion until 19 November 2021.
By reforming the legislation on data protection, the UK Government is hoping to establish a new regime which simultaneously upholds public trust and high standards of data protection whilst removing any onerous and unnecessary “red tape”. Oliver Dowden, Digital Secretary, has cited that his ultimate aim for reforming data protection legislation is “to create a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards”.
Unfortunately for anyone who would like to see sweeping reforms of current data protection legislation, the UK Government will still have to bear in mind the EU data protection regime when making any new legislation. This is to ensure that the EU deems the UK’s data protection regime to be adequate in order to allow data to flow freely from the EU to the UK. If the EU does not consider the UK’s revised data protection legislation adequate, the additional hurdles placed on businesses dealing with the EU could outweigh any benefits gained from relaxed rules at home.
Some of the key proposed reforms are as follows:
- Greater use of “legitimate interests” as a ground for processing personal data, rather than relying on “consent”. A business processing personal data must have a lawful ground on which to do so. Two possibilities are “legitimate interests” and “consent”. The Government considers that getting consent in certain low-risk situations can be overly onerous, and that there is “consent-fatigue” to being constantly asked for consent. Therefore, the Government would like to make it easier for businesses to rely on their legitimate interests, rather than seeking consent, by setting out a list of specific situations whereby businesses would automatically be able to rely on their legitimate interests. One of the proposed situations is cookie-consent on websites – I would certainly be pleased to see that be a thing of the past, with businesses relying on their legitimate interests instead.
- Higher threshold for data breaches to be reported to the ICO. There is real concern that the ICO is required to deal with too many low level complaints and reports at the moment. With that in mind, the Government are proposing to increase the bar for situations in which a data breach must be reported to the ICO. Currently a data breach must be reported to the ICO unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. The proposal is that breaches would not need to be reported if the risk to individuals is “not material”. Therefore, only if there was a material risk to individuals would the breach be reportable.
- A new approach to “accountability”. The current obligations on businesses to demonstrate they are accountable under the UK GDPR require businesses to ideally have in place a number of policies and other documents. It is deemed that time and energy could be better utilised by diverting away from these policies and procedures and focusing more on ensuring the responsible use of personal data in a more flexible and risk-based context. One of the government’s considerations is whether to introduce a voluntary undertakings process which essentially would allow greater lenience by the ICO in the event of an organisation’s data breach if it can show that it has voluntarily embraced a positive approach to data protection compliance without the need for stringent legislation mandating the same.
- Potential re-introduction of fees for making subject access requests. It is widely considered that dealing with a large volume of subject access requests has placed a huge burden on small businesses, which often lack the resources to dedicate to them. The Government is considering how to deal with this issue, with one option being the re-introduction of a fee being charged. Another option is giving increased grounds for refusing to respond to a subject access request – currently there are only very minimal situations in which a business can refuse to respond.
- Implementation of a more flexible, risk-based approach to the international transfer of data and the relevant safeguarding mechanisms. It is hoped that this will remove any unnecessary barriers to international data flows and will promote the UK as an open and secure digital marketplace for businesses from all across the globe. In 2019, digital trade made up 74% of total UK services exports and 54% of its imports, which suggests it is perhaps time for a post-Brexit law reform to cement the UK as a global leader in digital trade.
- Requirement for an individual making a complaint to attempt to resolve it with the relevant business, before complaining to the ICO. The ICO is currently receiving a huge number of complaints in relation to the UK GDPR (36,607 in 2020/21). The Government are looking at ways of reducing the ICO’s burden here, by requiring the complainant to attempt to resolve the complaint before going to the ICO, and by introducing criteria by which the ICO can decide not to investigate a complaint.
There will undoubtedly be some issues that crop up as the legislation evolves in this area. If you would like any guidance on the data protection legislation, contact our Data Protection Team on 01603 610911 or by email at firstname.lastname@example.org.