The UK government is consulting on proposals to adjust the data protection regime (PDF). After Brexit, the government is keen to flex its muscles to capitalise on the UK’s “independent status and repatriated powers”.
How will this affect you?
If the proposals are adopted, there will be the following changes:
It will be easier or clearer to use personal data in circumstances such as:
- “Reuse” of data for purposes other than those for which the data was collected
- Greater ability to share data
- Clarity over what amounts to anonymisation and how to use data for AI, decisions based on “automated processing”, public health, policing, national security and research
You may be able to implement a “privacy management programme” and might no longer have to comply with the following obligations:
- to notify the data subject where you collected their data directly from them
- to appoint a Data Protection Officer
- to undertake a Data Protection Impact Assessment
- to consult with the ICO before undertaking certain high-risk processing
- to keep records
It will be easier to process data for a “legitimate interest”, rather than relying upon consent because you are unsure whether it is legitimate
It will be clearer when you don’t have to report data breaches, in order to reduce overreporting
You may be able to charge for data subject access requests again
You could use analytics cookies without obtaining consent (as happens in France), as well as some other technical uses
Fines for nuisance calls could jump from £500k to £17.5m or 4% of global turnover with the alignment of PECR enforcement with GDPR
International data transfers could become easier by:
- The UK government adopting its own adequacy decisions including groups of countries, regions and multilateral frameworks
- Use of “alternative transfer mechanisms”
- Exempting “reverse transfers” of data from the UK back to the country from which it was originally transferred
There are also proposals to reform the Information Commissioner’s Office to include a new duty to have regard to economic growth, innovation and competition and to develop and publish KPIs
While some of the proposals appear to be business-friendly, the UK will be keen to ensure it does not undermine compliance with core GDPR protections. Any step in this direction could lead to the invalidation of the adequacy decision under which data can flow freely between the EU and UK. We can expect close scrutiny of the proposals by the European Data Protection Board before the consultation closes on 19 November 2021.
As ever, if you have any questions or need guidance on GDPR compliance, get in contact: +44 (0)20 7467 8742 or email@example.com.
By Frank Jennings, Chair, Code Governance Board and Partner, Wallace LLP
About the author: Frank is a Partner at Wallace LLP specialising in cloud & technology, commercial contracts, data security, & intellectual property. His clients come to him not just for his specialist legal advice but also for his can-do mentality and his pragmatic approach to solving problems and managing risk, helping to maximise return on investment. Clients say his robustly drafted contracts have helped them avoid expensive legal action. Independent legal directories Legal 500 and Chambers & Partners rate him as “a leading expert in cloud contracts”.