What could UK data protection reform mean for SMEs?
With any regulatory change, the impact on small and medium enterprises (SMEs) will differ significantly compared to larger businesses. The UK’s upcoming data protection regime is no exception.
In a recent press release published in December 2021, the UK government reported that the UK tech sector achieved its best year ever, noting the growing tech hubs in regional cities including Cambridge, Manchester, Cardiff, and Belfast.
UK tech captured more than a third of investment into Europe, with £29.4bn raised by UK start-ups and scale-ups, double the figure raised in Germany and almost three time that raised by France. This growth has had a marked effect on the UK labour market, with a 50% rise in overall UK tech job vacancies compared to 2020.
Despite the positive trajectory of the UK tech sector, there is always more that can be done to help facilitate and remove barriers to growth and innovation for SMEs. Complex and burdensome regulatory regimes is one area that hampers the success of new businesses, and the UK’s upcoming data protection reform could be pivotal in enabling SMEs to unlock the value of data across the economy.
The ability to collect, share and process data remains a core and integral aspect of the success of UK businesses, and one of the foundations upon which innovation is built
Data: a new direction for SMEs?
When the General Data Protection Regulation (GDPR) was enforced in 2018, the impact of its implementation differed for organisations, with SMEs likely to suffer more significantly from compliance burdens, limited resource and lack of legal certainty when handling personal data.
Although there are now many services and resources to support SMEs on how to properly implement the GDPR, the regulation still likely poses barriers to SME innovation. These organisations may be more risk averse in pursuing projects out of fear of non-compliance, may lack resources to implement the necessary infrastructure, or lack the required expertise and knowledge of data regulation.
In September 2021, the UK Government launched a public consultation Data: a New Direction, an extensive review of the UK data protection regime that proposed a range of suggested reforms to make the regulation work better for UK businesses. You can read a summary of the consultation here.
How to get it right
Data: a new direction offers many common-sense reforms, which could support SMEs in innovating at pace, and provide the much-needed ease and clarity when processing personal data:
- Getting SMEs involved in the UK’s R&D ecosystem
Consolidating provisions for using personal data for research purposes will offer SMEs greater legal clarity and certainty when navigating the best lawful ground for (re)processing data. This will give SMEs more confidence in pursuing innovative research projects. To ensure this, commercial and industry led research should be kept in scope of the statutory definition of ‘scientific research’, to play to the UK’s strength as a global leader for R&D.
- Clarifying the legal bases for data processing
The introduction of a limited, exhaustive list of legitimate interests that would not require a lengthy legal assessment (balancing test) will be significant in supporting SMEs in processing personal data for many common sense activities. Legitimate interest is an often underused lawful ground for data processing by smaller organisations, as they are often uncertain on what constitutes a legitimate interest, and fear falling foul of GDPR. This many lead to an overreliance on consent as a lawful ground, which can create limitations on how the personal data can be used.
This reform, supported with easy to digest regulatory guidance, including clear examples will go far in giving SMEs more confidence in processing personal data, and remove the compliance burdens related to the balancing test for the activities included in the list.
- Retaining a positive adequacy decision with the EU
The free flow of data between the UK and the EU is of vital importance to the entire tech sector. However, SMEs in particular are at risk of being unable to absorb the cost and burdens of implementing alternative transfer mechanisms and depend greatly on a positive adequacy decision to manage data flows.
New economic modelling published by the New Economics Foundation and UCL European Institute shows that the average additional compliance cost to UK SMEs of a no adequacy decision could be between £3,000 and £19,555 for micro, small and medium sized businesses. Costs has high as these could be financially crippling for younger companies just starting out, where access to finances is likely to already be a challenge.
- Making compliance proportionate
In comparison to larger organisations, certain requirements of GDPR have been particularly costly for SMEs and start-ups such as hiring Data Protection Officers and completing impact assessments. The UK Government’s proposal for privacy management programmes could allow smaller organisations to implement a more proportionate approach to compliance and risk management, provided it maintains the high standard of UK data protection.
The proposed new rules also provide scope for template privacy management programmes to be developed that are tailored to SME needs and that can be changed as the SME grows, rather than having to follow a one size fits all approach.
Please see here for techUK’s full response to Data: a new direction.
This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.
Latest News from
Be part of the techUK Local Digital Capital Index Working Group!30/01/2023 10:15:00
We are inviting techUK members to apply for a position to sit on the Local Digital Capital Index Working Group and get involved in the creation of the third edition of the Index which we will publish later in this year.
Digital skills scheme for veterans backed by 6 techUK members30/01/2023 09:15:00
Tech sector firms including Capita, Northrop Grumman, Atos, Leonardo UK, Fujitsu and Leidos are supporting the 15,000 Futures initiative created by WithYouWithMe to support veterans into tech sector jobs
Quantum Computing in Energy & Utilities Day27/01/2023 09:20:00
This campaign day will be focusing on the opportunities for quantum computing applications in the energy and utilities sector. We will uncover its potential, viability, and challenges.
Voting Open: techUK Digital Twin Steering Group Chair and Vice Chair25/01/2023 16:05:00
Voting is now open for the techUK Digital Twin Steering Group Chair and Vice Chair positions. The elections will be open until 14 February 2022.
A UK Plan for Chips25/01/2023 15:05:00
The UK needs a plan for 'chips' if we are to fulfil the aim to become a science and tech superpower
Financial Services Policy Explainer | Payment Services Regulations (PSR) Review and Call for Evidence23/01/2023 11:20:00
Helping to map the UK’s Joint Regulatory Oversight Committee’s (JROC) upcoming strategic work, HM Treasury’s latest Review, and Call for Evidence of the UK’s payments regulatory environment will shape the following stages of determining digital technology suppliers’ contributions to building the payments infrastructure of UK Open Banking
How UK tech companies are playing their part to tackle the rise of online fraud20/01/2023 13:10:00
Fraud is now the most commonly experienced crime in the UK, costing over a hundred billion pounds every year, with online fraud making up an increasing proportion of incidents.
Made in the UK, Sold to the World Awards 202317/01/2023 16:10:00
Celebrating UK business success around the world, The Department for International Trade’s Made in the UK, Sold to the World Awards are launching in January 2023