The UK Government is looking to introduce a revised Data Protection and Digital Information Bill, which they claim is “expected to unlock £4.7 billion in savings” over the next 10 years for the economy, by reducing compliance costs for British business. The proposed changes are largely based on feedback from stakeholders and aim to introduce a new, common-sense-led version of GDPR.
The new legislation, which is a UK version of GDPR, was first introduced last summer but was paused in September 2022 to allow ministers to engage in a co-design process with business leaders and data experts.
The proposed changes are expected to have a positive impact on some businesses, making it easier and more efficient to comply with data protection regulations. However, it is important to consider the potential consequences for UK businesses as well.
What Are the Proposed Changes?
The proposed changes to the current UK GDPR are to be targeted, and fall into three main categories:
- Changes or clarifications: The aim here is to clarify certation aspects of the law that have caused confusion or uncertainty, such as a more specific definition of what constitutes personal data, or by bringing non-binding information from the recitals into the actual text of the law.
- Expanding exemptions: This is designed to provide more flexibility to UK businesses by removing obligations in certain specific situations. For example, making it easier to refuse a request from an individual where they deem it to be vexatious or excessive.
- Promoting guidance and/or rulemaking: These changes aim to make it easier for the Information Commissioner's Office (ICO) to provide guidance or create new rules in the future. The ICO’s “Age Appropriate Design Code” is an example of the type of sector specific guidance that is to be encouraged.
What will NOT change:
As businesses gear up for potential changes to UK data protection regulations, one thing remains constant: the core principles of the current UK GDPR. This means that companies who have already adopted best practices for data handling can breathe a sigh of relief - they won't have to overhaul their compliance processes in order to stay in step with new requirements. That being said, the proposed reforms do offer opportunities for some businesses to optimize their compliance strategies and benefit from increased efficiency. Crucially, while the regulatory landscape may be shifting, one thing is clear: a commitment to protecting customer data and privacy remains as important as ever.
Potential Impact on UK Businesses
The proposed changes may result in a shift in the way that businesses approach data protection compliance, which could lead to some organisations having to make changes to their compliance programs.
There is also the potential for the proposed changes to impact businesses that operate internationally. As the UK is no longer part of the EU, there may be additional requirements for businesses that operate across borders.
Conclusion
The UK Government's proposed changes to the UK GDPR aim to reduce compliance costs for businesses by introducing a new version of the legislation that is common-sense-led. It is important to consider the potential impact on UK businesses and to ensure that compliance programs are adjusted accordingly.
Overall, the proposed changes are being interpreted as a step in the right direction towards making compliance with data protection regulations more efficient and effective for UK businesses, while also limiting any impact on privacy and data protection rights. However, this is still in the early stages of development and further amendments are to be expected. Not to mention that there is General Election looming in the not to distant future.
At DataGuard, we will be closely monitoring the Bill’s passage through parliament and considering any potential impacts for our clients. If you’re not a client you can still reach out to us in case you have any question or need a quick consultation about what will change for your business.
The experts
Dr. Frank Schemmel
Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, supports DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as optimization of the DataGuard service lines "Privacy" and "Compliance", a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lector at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.
Ben Daley-Gage
Ben is a Senior Privacy Consultant in DataGuard’s UK Privacy Practice and is a legal expert for UK and EU Data protection law. With over 10 years’ experience as a data protection and privacy practitioner, he holds the CIPP/E, CIPM and CIPT certifications from the International Association of Privacy Professionals (IAPP), as well as the Practitioner Certificate in Data Protection issued by the British Computer Society (BCS). Having previously worked as a Data Protection Officer for a UK Government agency, Ben also has experience working in higher education, healthcare, and fundraising, and is passionate about providing practical data protection and privacy advice that allows organisations to meet business goals while upholding people’s rights. Since January 2023, Ben has also started as an Advisory Board Member of the IAPP.