What could UK data protection reform mean for SMEs?

3 Feb 2022 04:33 PM

With any regulatory change, the impact on small and medium enterprises (SMEs) will differ significantly compared to larger businesses. The UK’s upcoming data protection regime is no exception.

In a recent press release published in December 2021, the UK government reported that the UK tech sector achieved its best year ever, noting the growing tech hubs in regional cities including Cambridge, Manchester, Cardiff, and Belfast.

UK tech captured more than a third of investment into Europe, with £29.4bn raised by UK start-ups and scale-ups, double the figure raised in Germany and almost three times that raised by France. This growth has had a marked effect on the UK labour market, with a 50% rise in overall UK tech job vacancies compared to 2020.

Despite the positive trajectory of the UK tech sector, there is always more that can be done to help facilitate and remove barriers to growth and innovation for SMEs. Complex and burdensome regulatory regimes are one area that hampers the success of new businesses, and the UK’s upcoming data protection reform could be pivotal in enabling SMEs to unlock the value of data across the economy.

The ability to collect, share and process data remains a core and integral aspect of the success of UK businesses, and one of the foundations upon which innovation is built.

Data: a new direction for SMEs?

When the General Data Protection Regulation (GDPR) was enforced in 2018, the impact of its implementation differed for organisations, with SMEs likely to suffer more significantly from compliance burdens, limited resource and lack of legal certainty when handling personal data.

Although there are now many services and resources to support SMEs on how to properly implement the GDPR, the regulation still likely poses barriers to SME innovation. These organisations may be more risk averse in pursuing projects out of fear of non-compliance, may lack resources to implement the necessary infrastructure, or lack the required expertise and knowledge of data regulation.

In September 2021, the UK Government launched a public consultation, Data: a New Direction, an extensive review of the UK data protection regime that proposed a range of suggested reforms to make the regulation work better for UK businesses. You can read a summary of the consultation here.

How to get it right

Data: a new direction offers many common-sense reforms, which could support SMEs in innovating at pace, and provide the much-needed ease and clarity when processing personal data:

  1. Getting SMEs involved in the UK’s R&D ecosystem

Consolidating provisions for using personal data for research purposes will offer SMEs greater legal clarity and certainty when navigating the best lawful ground for (re)processing data. This will give SMEs more confidence in pursuing innovative research projects. To ensure this, commercial and industry-led research should be kept in scope of the statutory definition of ‘scientific research’, to play to the UK’s strength as a global leader for R&D.

  2. Clarifying the legal bases for data processing

The introduction of a limited, exhaustive list of legitimate interests that would not require a lengthy legal assessment (balancing test) will be significant in supporting SMEs in processing personal data for many common-sense activities. Legitimate interest is an often underused lawful ground for data processing by smaller organisations, as they are often uncertain about what constitutes a legitimate interest, and fear falling foul of GDPR. This may lead to an overreliance on consent as a lawful ground, which can create limitations on how the personal data can be used.

This reform, supported with easy-to-digest regulatory guidance, including clear examples, will go far in giving SMEs more confidence in processing personal data, and remove the compliance burdens related to the balancing test for the activities included in the list.

  3. Retaining a positive adequacy decision with the EU

The free flow of data between the UK and the EU is of vital importance to the entire tech sector. However, SMEs in particular are at risk of being unable to absorb the cost and burdens of implementing alternative transfer mechanisms and depend greatly on a positive adequacy decision to manage data flows.

New economic modelling published by the New Economics Foundation and UCL European Institute shows that the average additional compliance cost to UK SMEs of a no adequacy decision could be between £3,000 and £19,555 for micro, small and medium sized businesses. Costs as high as these could be financially crippling for younger companies just starting out, where access to finances is likely to already be a challenge.

  4. Making compliance proportionate

In comparison to larger organisations, certain requirements of GDPR have been particularly costly for SMEs and start-ups, such as hiring Data Protection Officers and completing impact assessments. The UK Government’s proposal for privacy management programmes could allow smaller organisations to implement a more proportionate approach to compliance and risk management, provided it maintains the high standard of UK data protection.

The proposed new rules also provide scope for template privacy management programmes to be developed that are tailored to SME needs and that can be changed as the SME grows, rather than having to follow a one-size-fits-all approach.

Please see here for techUK’s full response to Data: a new direction.

This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.