The UK government is consulting on proposals to adjust the data protection regime (PDF). After Brexit, the government is keen to flex its muscles to capitalise on the UK’s “independent status and repatriated powers”.
How will this affect you?
If the proposals are adopted, there will be the following changes:
- It will be easier or clearer to use personal data in the following circumstances such as:
- “reuse” of data for purposes other than for which data was collected
- greater ability to share data
- clarity over what amounts to anonymisation and how to use for AI, decisions based on “automated processing”, public health, policing, national security and research
- You may be able to implement a “privacy management programme” and might no longer have to comply with the following obligations:
- to notify the data subject where you collected their data directly from them
- to appoint a Data Protection Officer
- to undertake a Data Protection Impact Assessment
- to consult with the ICO before undertaking certain high risk processing
- to keep records
- It will be easier to process data for a “legitimate interest” rather than relying upon consent because you are unsure where it is legitimate
- It will be clearer when you don’t have to report data breaches to reduce overreporting
- You may be able to charge for data subject access requests again
- Use analytics cookies without obtaining consent (as happens in France) and some other technical uses
- Fines for nuisance calls could jump from £500k to £17.5m or 4% of global turnover with the alignment of PECR enforcement with GDPR
- International data transfers could become easier by:
- the UK government adopting its own adequacy decisions including groups of countries, regions and multilateral frameworks
- use of “alternative transfer mechanisms”
- exempting “reverse transfers” of data from the UK back to the country from which it was originally transferred
- There are also proposals to reform the Information Commissioner’s Office to include a new duty to have regard to economic growth, innovation and competition and to develop and publish KPIs
While some of the proposals appear to be business-friendly, the UK will be keen to ensure it does not undermine compliance with core GDPR protections. Any step in this direction could lead to the invalidation of the adequacy decision under which data can flow freely between the EU and UK. We can expect close scrutiny of the proposals by the European Data Protection Board before the consultation closes on 19 November 2021.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.
[…] IDTA has been drafted to allow for updates to UK data protection laws. The UK government consulted on proposed reforms last year and is expected to publish its intentions soon. We await to see whether these reforms will affect […]
[…] I’ll spare you any more of this vapid nonsense. It’s all in the background briefing notes if you have the stomach for it (PDF). In truth, presumably they’ll base the reform on the results of the consultation they undertook recently. […]