The UK Government has now published its long-awaited proposals to reform UK data protection law. The 146-page paper – Data: A new direction – contains detailed and well-thought-out proposals that raise valid questions about the cost and effectiveness of many aspects of the UK GDPR.
The answers to those questions, at least on the face of it, appear to be underpinned by the UK Government’s desire to deliver a Brexit dividend and remove unnecessary red tape for UK businesses. So what is, and is not, in the proposals?
Incremental reform, not radical reinvention
Importantly, while the proposal contains significant and wide-ranging changes, the core principles in the UK GDPR are unaffected. The data protection principles and legal bases for processing are largely unaffected - though there are some minor tweaks at the margin.
In other words, UK law will still closely align to the EU GDPR in many respects. The UK Government could have pursued a more radical reinvention of these laws but given the likely impact of UK adequacy (see below) and the tumultuous last couple of years, many UK businesses may welcome the continuity and stability these proposals provide.
A rose by any other name…
The proposals are, however, significant. The key principle is to remove some of the more rigid requirements in the UK GDPR and replace them with more flexible obligations that can be tailored to the business in question. For example, the proposals recommend:
- removing the duty to appoint a data protection officer, either in all cases or just for public authorities
- removing the obligation to conduct data protection impact assessments
- removing the duty to prepare records of processing activities
However, in their place comes a more amorphous obligation to implement a “privacy management programme” which might well oblige the business to appoint someone responsible for the programme and to produce: (a) personal data inventories; (b) internal policies; (c) risk assessment tools; (d) procedures for communicating with data subjects; and (e) procedures for handling breaches.
Given the Information Commissioner’s likely demanding expectations for such a programme, it is not immediately clear that this is a less onerous framework or that it will, in substance, make much difference to the way many businesses try to comply with the law in practice.
No economy is an island
One of the most significant implications of these new reforms is the impact on the EU’s finding that the UK has adequate data protection laws. There are good arguments that these proposals should not affect the adequacy finding, in that the changes will not necessarily lessen the protection of personal data; rather, they make the process for ensuring that protection more flexible.
However, this is ultimately a question for the EU Commission who will, no doubt, be scrutinising these proposals closely. The loss of adequacy would have immediate and significant negative effects that might well outweigh the other benefits these reforms will deliver.
Enabling a robotic future
Alongside these proposals are a range of other changes, such as enabling the development of AI, allowing better use of data for innovation, amending the rules on transborder data flows and changing the powers and duties of the Information Commissioner.
Read a more detailed review of all of these changes in our DigiLinks blog post.
UK proposals to reform the GDPR are significant but not radical