What will the UK GDPR reforms mean to you?


The UK government is consulting on proposals to adjust the data protection regime (PDF). After Brexit, the government is keen to flex its muscles to capitalise on the UK’s “independent status and repatriated powers”.

How will this affect you?

If the proposals are adopted, there will be the following changes:

  • It will be easier or clearer to use personal data in the following circumstances such as:
    • “reuse” of data for purposes other than for which data was collected
    • greater ability to share data
    • clarity over what amounts to anonymisation and how to use for AI, decisions based on “automated processing”, public health, policing, national security and research
  • You may be able to implement a “privacy management programme” and might no longer have to comply with the following obligations:
    • to notify the data subject where you collected their data directly from them
    • to appoint a Data Protection Officer
    • to undertake a Data Protection Impact Assessment
    • to consult with the ICO before undertaking certain high risk processing
    • to keep records
  • It will be easier to process data for a “legitimate interest” rather than relying upon consent because you are unsure where it is legitimate
  • It will be clearer when you don’t have to report data breaches to reduce overreporting
  • You may be able to charge for data subject access requests again
  • Use analytics cookies without obtaining consent (as happens in France) and some other technical uses
  • Fines for nuisance calls could jump from £500k to £17.5m or 4% of global turnover with the alignment of PECR enforcement with GDPR
  • International data transfers could become easier by:
    • the UK government adopting its own adequacy decisions including groups of countries, regions and multilateral frameworks
    • use of “alternative transfer mechanisms”
    • exempting “reverse transfers” of data from the UK back to the country from which it was originally transferred
  • There are also proposals to reform the Information Commissioner’s Office to include a new duty to have regard to economic growth, innovation and competition and to develop and publish KPIs

What next?

While some of the proposals appear to be business-friendly, the UK will be keen to ensure it does not undermine compliance with core GDPR protections. Any step in this direction could lead to the invalidation of the adequacy decision under which data can flow freely between the EU and UK. We can expect close scrutiny of the proposals by the European Data Protection Board before the consultation closes on 19 November 2021.

As ever, if you have any questions or need guidance on GDPR compliance, get in contact: +44 (0)20 7467 8742 or frank.jennings@wallace.co.uk.

What's your view? Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.