Alert 05.20.22
UK Announces Post-Brexit Data Reform Bill
Does this signal the beginning of the end of the GDPR in the UK or simply a reframing of approach?
Alert
Alert
03.06.23
Businesses already face an uphill struggle keeping pace with fast changing and multiple new data laws being passed in multiple U.S. states as well as numerous countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The current efforts of the UK government therefore may well leave some feeling nervous. The details of any proposed changes to the UK GDPR will have to be scrutinized to assess impact (and to see if Data Protection & Digital Information Bill (DPDI) proposals regarding fines, cookies, data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc. survive). We will also have to keep an eye on how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. One thing that is for certain is that any business with UK operations, customers, suppliers or partners will need to freshly review and likely make changes to its policies, documents and procedures to account for any changes this year.
The UK government hopes that the changes to data laws will “reduce red tape” faced by businesses operating in the UK or targeting UK individuals, moving to an approach that is outcome-focused rather than “box-ticking,” and increasing competitiveness and efficiency of UK businesses.
The UK Secretary of State Michelle Donelan is due to reveal more details of the proposed changes this month. Further changes to the last version of the DPDI Bill are expected. By way of reminder, the DPDI proposals included:
The DPDI Bill replaced the previously named Data Reform Bill, so it is likely there will be a fair deal of further tinkering to the DPDI with the new proposals.
The government has previously stated that the changes should not diminish the protection of personal data in the UK, for which it seeks to retain a “gold standard.” Any significant deviation from current practices would, however, likely add to complications for international businesses. If the EU takes a dim view, it could also risk the UK losing its “adequate” status, which currently allows for personal data to flow uninhibited between the UK and the EU.
Businesses will need to revisit their operations once we have more details.
The newly minted Department for Science, Innovation and Technology (DSIT) is a priority project for the Sunak government. It is therefore likely that, although the prior Data Reform and DPDI Bills made slow progress, the new proposals being announced this month will have more momentum and lead to changes to UK data laws and variances with the EU GDPR. Businesses are advised to monitor the latest developments and consider how this will likely impact their current business activities, data protection policies and procedures.