What now for UK data protection laws?
Guest Blog: Peter Church, TMT Counsel, Linklaters discusses the UK Government's proposals to reform UK data protection laws.
The UK Government has now published its long-awaited proposals to reform UK data protection law. The 146-page paper – Data: A new direction – contains detailed and well-thought-out proposals that raise valid questions about the cost and effectiveness of many aspects of the UK GDPR.
The answers to those questions, at least on the face of it, appear to be underpinned by the UK Government’s desire to deliver a Brexit dividend and remove unnecessary red tape for UK businesses. So what is, and is not, in the proposals?
Incremental reform, not radical reinvention
Importantly, while the proposal contains significant and wide-ranging changes, the core principles in the UK GDPR are unaffected. The data protection principles and legal bases for processing are largely unaffected - though there are some minor tweaks at the margin.
In other words, UK law will still closely align to the EU GDPR in many respects. The UK Government could have pursued a more radical reinvention of these laws but given the likely impact of UK adequacy (see below) and the tumultuous last couple of years, many UK businesses may welcome the continuity and stability these proposals provide.
A rose by any other name…
The proposals are, however, significant. The key principle is to remove some of the more rigid requirements in the UK GDPR and replace them with more flexible obligations that can be tailored to the business in question. For example, the proposals recommend:
- removing the duty to appoint a data protection officer, either in all cases or just for public authorities
- removing the obligation to conduct data protection impact assessments
- removing the duty to prepare records of processing activities
However, in their place comes a more amorphous obligation to implement a “privacy management programme” which might well oblige the business to appoint someone responsible for the programme and to produce: (a) personal data inventories; (b) internal policies; (c) risk assessment tools; (d) procedures for communicating with data subjects; and (e) procedures for handling breaches.
Given the Information Commissioner’s likely demanding expectations for such a programme, it is not immediately clear that this is a less onerous framework or that it will, in substance, make much difference to the way many businesses try to comply with the law in practice.
No economy is an island
One of the most significant implications of these new reforms is the impact on the EU’s finding that the UK has adequate data protection laws. There are good arguments that these proposals should not affect the adequacy finding, in that the changes will not necessarily result in a lessening of the protection of personal data; rather, they mean the process to ensure that protection is more flexible.
However, this is ultimately a question for the EU Commission who will, no doubt, be scrutinising these proposals closely. The loss of adequacy would have immediate and significant negative effects that might well outweigh the other benefits these reforms will deliver.
Enabling a robotic future
Alongside these proposals is a range of other changes, such as changes to enable the development of AI, allow better use of data for innovation, amend the rules on transborder dataflow and change the powers and duties of the Information Commissioner.
Read a more detailed review of all of these changes in our DigiLinks blog post.