DCMS consults on plans to reform UK data protection regime
What does the Government have in mind for the future of the UK’s data compliance landscape?
The key takeaway
The Department for Culture, Media and Sport (DCMS) has issued a set of proposals for the reform of the UK data regime which are aimed at reducing the friction in data protection compliance and increasing innovation. Personal data-rich organisations should respond to the consultation by 19 November 2021.
When the UK exited from the EU, it retained the EU GDPR in the form of the UK GDPR which contained substantively the same obligations albeit with some minor amendments. It was this similarity between regimes that no doubt helped the UK secure an adequacy decision by the European Commission earlier this year.
However, the UK has been eyeing up the possibility of diverging from the standards imposed by the EU and this set of proposals arguably represents the first major step in the UK’s departure from the EU regime.
The DCMS has issued a set of proposals for reform of the UK data regime aimed at reducing the perceived burden of data protection compliance on business and barriers to international data flows.
Proposals set out various measures including:
- removing or amending specific provisions in the UK GDPR to reduce disproportionate burdens on companies of different complexities ie the end of a “one size fits all” model
- abolishing Data Protection Impact Assessments (DPIAs) to be replaced with a more flexible approach to identify and minimise data protection risks that better reflect organisations’ specific circumstances
- amending data processing recording obligations in Article 30 but instead requiring that certain records be kept but allowing organisations more flexibility about how to do this in a way that reflects the volume and sensitivity of the personal information they handle
- adjusting the threshold for reporting data breaches to counter the trend of over-reporting with the ICO
- removing the consent requirements for analytics cookies in order to allow for easier consumer profiling and reducing the number of cookie pop ups, and
- implementing a system of adequacy decisions for other countries to which data transfers from the UK may be made, with a focus on risk-based decision-making and outcomes.
Why is this important?
With the potential overhaul of the UK data regime, there may be significant changes to data protection obligations. Whilst, in principle, these proposals appear to be aimed at reducing friction in maintaining adequate data protection standards, it remains to be seen how these will play out in practice and be enforced by the ICO – and, critically, what view the EU forms of these with regard to its UK adequacy decision.
Any practical tips?
Organisations which process significant amounts of personal data, or those whose businesses heavily rely on personal data, should make their opinions heard by responding to the consultation by 19 November 2021.