The UK is seeking to break away from the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018.
Four years later, in May 2022, the UK government proposed a new bill to overhaul the current regime and bring the 2018 Data Protection Act, UK GDPR and the UK’s application of the EU’s ePrivacy directive, the Privacy and Electronic Communications Regulations (PECR), under one directive.
The proposed bill, officially named the Data Protection and Digital Information Bill and dubbed the ‘Data Reform Bill’ (DRB), went through a first reading in the House of Commons in July and a second in September before being put on pause following changes in government.
If adopted, the DRB would introduce a number of changes to the current UK GDPR. Those include limitations in the scope of personal data; tweaks in the use of personal data for legitimate interests in order to ease data use and sharing for scientific research and the public sector; a redefinition of data protection impact assessment (DPIAs) to ‘assessments of high-risk processing’; and a change in the current threshold for refusing or charging a reasonable fee for a subject access request (SAR) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.
The requirement to appoint a data protection officer (DPO) will also be replaced by one to nominate a suitable senior responsible individual (SRI) to be responsible for data protection risks within their organizations or delegate that task to suitably skilled individuals.
The government projected these changes would yield savings for businesses of over £1bn over 10 years.
Criticism from the Experts
Several data protection experts have heavily criticized this proposed bill arguing that it does not necessarily remove red tape at all.
“The general idea was to remove some red tape, to help the plumber who thinks GDPR is a burden. However, in some ways, it would bring more red tape,” Jonathan Armstrong, partner at compliance firm Cordery* told Infosecurity.
One of the significant burdens the DRB is that many businesses will be forced to operate under two regimes. UK companies who deal with clients, customers, partners or suppliers overseas will see one piece of regulation added on top of the current rules.
“A UK organization with links with any EU economy will have to comply to two data protection regimes instead of one,” Armstrong noted.
Michelle Moody, managing director of consulting firm Protiviti, agreed that it could complicate things for British businesses, and she told Infosecurity that some organizations could “choose to keep complying only to GDPR, which is more restrictive.”
Armstrong also argued that some proposals are mere name changes that would complicate the compliance task with no trade-off.
“An SRI could just be a DPO-by-another-name, and then you have to modify the terminology in all compliance documents,” he complained.
Moody commented: “The only change I can see between the two terms is, perhaps, a stronger emphasis on the seniority of the SRI.”
A Political Stance
Further, the DRB introduces notions such as high-risk processing that are, if not controversial, then “difficult to assess,” Armstrong argued.
Moreover, it re-introduces some red tape that GDPR scrapped, such as the requirement for a business to register with the Information Commissioner’s Office (ICO).
“In the meantime, other controversial elements of GDPR, such as the requirement to report a data breach within 72 hours, which is nearly impossible to achieve in some cases, are kept in the proposed bill,” Armstrong cautioned.
Dan Middleton, VP UK & Ireland of data management firm Veeam, admitted that “there are a few elements in the DRB that sound beneficial to UK businesses, such as the addition of a requirement to implement a risk-assessment approach when working with new partners.”
However, Middleton quickly added that “it’s the only area worth looking at in this bill at this stage.”
Armstrong described the bill as a “political stance.” He said: “Many of the changes are wrapped up with the theory that Brexit hasn't done much and needs to do more and the idea that Europe imposed GDPR and that a lot of it has to be reversed. But it is a false promise: the UK started legislating on data protection in 1984 – and some elements the DRB wants to scrap, such as the DPIAs, were first introduced by the UK’s Data Protection Act.”
While the draft bill is still officially on pause until further notice, the UK government has confirmed it wanted to move away from the EU data protection regime.
On November 23, 2022, while the country was finalizing its first independent adequacy partnership with South Korea, allowing UK organizations to share personal data securely with the Asian country from December 19, 2022, the UK’s Information Commissioner John Edwards criticized GDPR monetary penalties and outlined a new, more lax approach, focused on fixing the issue rather than on financial fines.
*Cordery is part of the RELX Group, owner of Infosecurity Magazine