The UK government’s response to the data protection reform consultation “Data: a new direction” was published on 17 June 2022. While the response suggests that the main framework of the GDPR will be here to stay, it also signals the UK government’s willingness to show flexibility and add clarity to the GDPR. In this blogpost, we have extracted some proposals which may have the most significant implications for businesses in the UK on a practical level.

Summary of significant changes

  • Bringing PECR’s enforcement regime in line with UK GDPR and DPA 2018: The government plans to increase fines under the Privacy and Electronic Communications Regulations (PECR) up to GDPR levels – in other words, the potential maximum fine for breach of PECR will increase from the current maximum of £500,000 to 4% of the company’s global turnover or £17.5 million, whichever is greater. For businesses, this will mean that understanding and ensuring compliance with PECR, for example by revising marketing policies under which people are contacted without consent, will be a significant priority.
  • Removing the requirement for prior consent for all types of cookies: Along with the increase in fines under PECR, the government also proposes to simplify the cookie policy for UK internet users. Currently, users have to give their consent for cookies to be collected. The UK will move to an opt-out model for cookies, where cookie banners for UK residents will no longer be required. Under the new rules, internet users will be better enabled to set an overall approach to how their data is collected and used online – for example via their internet browser settings.
  • Removing unnecessary burdens on businesses: The government proposes to remove the UK GDPR requirements to (i) designate a data protection officer; (ii) conduct a data protection impact assessment; and (iii) consult the ICO in advance of carrying out high risk processing. While businesses will still be required to identify and manage data processing risks through a privacy management programme, the UK GDPR’s prescriptive requirements, which give organisations little flexibility about how they manage data risks, will be gone. This will reduce burdens for smaller businesses.
  • Enabling smoother international data flows: While there are no specific details, the government aims to support its ambitions to foster new data partnerships with important economies. The DCMS will not be required to review adequacy decisions every 4 years, and will have a new power to formally recognise new alternative data transfer mechanisms that offer clarity, flexibility and sufficient data protection.
  • Anonymisation is relative: Anonymisation is important because anonymised data does not fall within the scope of data protection legislation. Whether data is anonymous would be assessed on a relative basis, based on the means reasonably available to a controller (as opposed to a third party) to re-identify it. For businesses, this will mean that the impossibly high standards for anonymisation will be brought down slightly.

Conclusion

The response seems to have struck a positive balance between preserving data subject rights and giving more flexibility to businesses in the UK. Instead of a radical change to the UK GDPR, the proposed incremental reform of the current data protection framework could be a win-win situation for all – for businesses, for individuals, and for the UK government.

That said, there will of course be detractors. Privacy advocacy organisations have already criticised the ‘opt-out’ model for the cookie policy, arguing that individuals’ rights will be undermined by the proposals. For businesses, the limited geographical scope for the Data Reform Bill, which will be the likely place for many of the proposals to be implemented (see our blogpost, “A new direction for UK data?”, for a summary), raises practical questions – for instance, how would the proposed changes to cookie policies sit with the French Data Protection Authority’s more robust approach to enforcing cookie rules in France? The imminent publication of the Data Reform Bill will hopefully clarify some of these questions.