Replacing GDPR in the UK: A Cost-Benefit Analysis

Written by

In March 2023, the UK government re-introduced its controversial Data Protection and Digital Information (DPDI) Bill to Parliament.

The purpose of the legislation is to establish a UK version of the EU’s GDPR, which was incorporated into UK law following the nation’s official departure from the EU in 2020. The Bill was first introduced in the Summer of 2022, but its passage was paused while government ministers engaged in a “co-design process” with business leaders and data experts.

The updated DPDI Bill is currently undergoing Parliamentary processes, with the first reading taking place on March 8, 2023. The second reading is due to begin on April 17, 2023.

The government’s principal reasons for drafting this law are to unlock more innovation and reduce costs and complexities on businesses, while ensuring data privacy remains protected. It believes that the changes will save £4.7bn for the UK economy over the next 10 years.

In the government’s announcement, the UK’s Science, Innovation and Technology Secretary Michelle Donelan explained: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.

“Our system will be easier to understand, easier to comply with, and takes advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.

“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

With increasing data privacy legislation emerging throughout the world based upon GDPR principles, it is vital to assess the potential implications of the UK’s planned divergence.

Questions remain as to whether the UK law will have the desired impact in reducing costs and complexities for businesses, and some argue could even endanger the free flow of data between the UK and EU.

Read Part 2 of Infosecurity's analysis of the UK's DPDI Bill here, which focuses on the data privacy proposals around research and AI.

A Risky Strategy for the UK Government

A notable aspect of the proposed law is the shift to a ‘risk-based’ model of compliance. In essence, it will allow businesses to adopt a more flexible posture regarding data processing, with a higher regulatory burden for highly sensitive personal data, such as health records, compared to lower-risk information, like email addresses.

As part of this, organizations will be given greater clarity about the types of personal data they can process without obtaining consent or retain processing records, thereby reducing the amount of paperwork required to demonstrate compliance.

Additionally, the bill removes the obligation for certain organizations to have data protection officers (DPOs), further easing costs on those businesses.

It also outlines changes to the set-up of the UK’s data protection regulator, the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive.

“I believe the proposed changes are short-sighted and focused on a quick buck"

Reflecting on these proposals, Valerie Lyons, COO and senior consultant at Ireland headquartered firm BH Consulting, commented: “Compliance to UK law will most definitely become easier for UK organizations. The requirement for a DPO significantly reduced, the requirement for records of processing activity (ROPAs) and data protection impact assessments (DPIAs) reduced, and accountability measures loosened.”

However, she argued this will be at the detriment of consumers’ data privacy rights and protections, which, in turn, could have a knock-on financial effect on UK businesses by reducing consumer trust and brand loyalty.

“I believe the proposed changes are short-sighted and focused on a quick buck,” Lyons said. “The UK data subject should ask themselves why would the UK government reduce accountability mechanisms and obligations in their data protection regime while all around the world, including China, data protection regulations are emerging that strengthen these key principles, not weaken them.”

Jonathan Armstrong, partner at law firm Cordery, believes the legislation is creating more uncertainty for businesses, particularly given the “on-off” nature of the proposed changes.

“It's ironic when the whole idea is to create certainty for businesses. The way they have managed this has had the opposite effect,” Armstrong outlined.

For the many UK businesses that also operate in EU nations, having to comply with two separate regulatory regimes will create extra bureaucracy and costs, according to Armstrong, which again, is contra to the government’s intentions.

“Many businesses are already struggling with a Brexit burden – the added costs of doing business after we've left the EU. For most businesses this just adds to the Brexit burden for no tangible benefit,” he said.

Armstrong’s colleague, Andre Bywater, also a partner at Cordery, noted that any changes to the regulatory regime will add costs to any EU-based business that operates or deals in the UK.

“Whatever the final outcome, international organizations that have devoted much work, time and resources trying to ensure compliance with both the existing UK GDPR and EU GDPR may find that if the Bill is adopted there is more work for them to do on the UK side of things,” he stated.

Could the UK Legislation Be a Positive Step?

However, Sarah Pearce, partner at law firm Hunton Andrews Kurth, believes the move to a risk-based model of compliance “is a good, pragmatic way forward.” She argued that it represents more of a clarification, with the majority of UK organizations already following risk-based principles based on guidance from the regulator.

She added that the government’s overall mindset and aims with the law are sound, seeking to take a common sense approach to data privacy – “reducing the burden on businesses and making it easier to use personal data but maintain a high level of protection.” Pearce added: “From what I’ve read and seen, the majority of it they do sensibly.”

Pearce is also more optimistic about the extent of the changes UK businesses will need to make to their compliance programs once the Bill is passed.

She said organizations will need to undertake a review of their strategy and identify areas that require updating or revising but she does not think there will necessarily be changes in every aspect of the compliance program.

“Anything that looks to diverge far from what the EU GDPR requirements on international data transfers are does jeopardize that adequacy decision"

Responding to Infosecurity’s request for comment, a Department for Science, Innovation and Technology (DSIT) spokesperson said that organizations that already have GDPR-compliant policies, procedures and programs “will already be largely compliant with our future regime – except for only a small number of new requirements.”

The department added: “They could choose to update their policies for activities in scope of the UK’s new laws, to take advantage of the benefits of this bill and cut costs while still maintaining high standards of data protection.”

UK-EU Adequacy Arrangement

Following the UK’s official departure from the EU, there were concerns that personal data transfers between the two regions would not be automatically enabled. This would require additional arrangements for businesses to continue data exchanges. These fears were allayed in June 2021, when the EU formally granted the UK adequacy status.

However, the issue has been thrown back into the spotlight as a result to the proposed changes to the UK’s data protection regime.

“Anything that looks to diverge far from what the EU GDPR requirements on international data transfers are does jeopardize that adequacy decision,” acknowledged Pearce.

At such an early stage, it is very difficult to ascertain whether the EU will consider the proposals as diverging too far. Bywater argued that particular aspects of the rules, such as removing the need for DPOs “will be obvious targets for rocking the boat for adequacy.”

Nevertheless, he acknowledged that achieving ‘adequacy’ status does not require a system to be exactly the same as GDPR. “Will all the final changes add up to the end of adequacy status? Possibly if a hard-line approach is taken by the EU but not if there is a more nuanced and practical approach,” added Bywater.

As part of the DSIT’s response to Infosecurity, the government department reiterated that “EU adequacy decisions do not require an ‘adequate’ country to have the same rules” and that it believes the reforms are compatible with maintaining the free flow of personal data from Europe.

The DSIT spokesperson added: “We maintain an ongoing dialogue with the EU. We will continue to engage with the EU with a view to ensuring our reciprocal arrangements for free flow of personal data can remain in place. This is a top priority.”

Lyons has a more pessimistic view on the matter, believing that the passing of the DPDI in its current form would not meet the EU’s adequacy requirements.

“Safeguards are too weak and vague and the UK Government is proposing to replace the existing data protection watchdog (the ICO) with a new board, whose members the secretary of state may appoint, completely undermining the office’s independence,” she commented.

This is a crucial consideration for businesses, with the absence of an adequacy agreement making data transfers more expensive and cumbersome. Lyons highlighted complexities with the way data is transferred between the US and EU, even though the two parties have reached an agreement to revamp the previous Privacy Shield arrangement following the Schrems II court ruling in 2020.

“How much do we think Safe Harbor, Privacy Shield and the American Trans-Atlantic Data Privacy Framework has cost the US government and its businesses?” she asked. “Consider the costs of Standard Contractual Clauses and Transfer Impact Assessments. These require expensive legal and technical resources together with extensive stakeholder collaboration.”

The mere possibility of the UK losing adequacy status could cause significant economic damage to the UK, according to Armstrong: “If, for example, I am setting up a new Europe-wide data centre why would I choose the UK when adequacy is threatened? Investment will go elsewhere.”

In Part 2 of Infosecurity’s analysis of the DPDI Bill, we will examine the proposals relating to use the use of data in research and AI.

What’s hot on Infosecurity Magazine?