Just when you thought it was safe and had just about got used to the idea of the GDPR – the UK’s Department for Digital, Culture, Media & Sport (“DCMS”) has now issued a consultation (the “Consultation”), Data: A new direction, on suggested reforms to the UK’s data protection regime following Brexit.
The GDPR (a.k.a. the EU’s General Data Protection Regulation) was implemented in the UK pre-Brexit in 2018.
After Brexit, the GDPR was cemented into UK law (with some small UK-specific tweaks) and, in particular, UK employers were required to ensure that their contracts, policies and practices comply with it.
Now that it is no longer part of the European Union, the UK is consulting on whether it can “reshape its approach” to data privacy legislation (in the government’s words).
The slightly more long-winded aim is to “create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”.
Some of the key proposals from the DCMS which may be of interest are as follows:
- The ICO – changes to the ICO’s structure and operation, including increased enforcement powers for direct marketing, but also changes intended to make the ICO more business-friendly and to eliminate some of its operational burdens which, the Consultation argues, will create a “clearer mandate for a risk-based and proactive approach”. These include a new duty on the ICO to have regard to economic growth and innovation in discharging its functions.
- DP Accountability – removing the UK GDPR’s accountability framework and replacing it with a “privacy management programme” tailored to the processing activity. This would mean changes including removing the requirements to designate a data protection officer, to carry out data protection impact assessments and to keep records of processing activities.
- Data subject access requests (“DSARs”) – many UK employers will be familiar with the time and resources it takes to comply with requests from individuals for copies of their data. The Consultation proposes introducing a fee regime for individuals who want copies of their data. The government is also considering lowering the threshold at which businesses can refuse to comply with DSARs, which may, for example, enable employers to refuse a request where its main purpose is litigation rather than genuine concern about the processing of the individual’s data.
- Legitimate interests – making it easier for employers to rely on legitimate interests as a legal basis for processing data, by publishing a list of circumstances in which employers can rely on legitimate interests without needing to balance them against individuals’ rights.
- Data transfers – empowering organisations to be flexible in their transfer mechanisms for countries where no adequacy decision exists.
As with all things, there are risks to this process, particularly for international data transfers. As you may have seen, in June 2021 the European Commission granted the UK an adequacy decision (according to which the UK is assessed as applying a high level of protection to individuals’ data), which allows the free flow of data from Europe. As a result, European businesses that transfer data to the UK don’t need to put data transfer documents in place.
So far, so good, but when the EU granted the UK this status, it was subject to close monitoring and would need to be reviewed if the UK moved away from the GDPR.
Firstly, please note that the Consultation is open for views until 19 November 2021, and any change in the law will take some time.
The key thing to keep an eye on is whether the European Commission decides to revoke the adequacy decision referred to above (which it could do if it considered that the UK’s standards of data protection had dropped); if it did, businesses may need to put data transfer documents in place for transfers of data from Europe to the UK.
Regards to all