The UK government’s response to the data protection reform consultation “Data: a new direction” was published on 17 June 2022. While the response suggests that the main framework of the GDPR will be here to stay, it also shows the UK government’s willingness to show flexibility and add clarity to the GDPR. In this blogpost, we have extracted some proposals which may have the most significant implications for businesses in the UK on a practical level.
Summary of significant changes
- Bringing PECR’s enforcement regime in line with UK GDPR and DPA 2018: The government plans to increase fines under the Privacy and Electronic Communications Regulations (PECR) up to GDPR levels – in other words, the potential maximum fine for breach of PECR will increase from the current maximum of £500,000 to 4% of the company’s global turnover or £17.5 million, whichever is greater. For businesses, this will mean that understanding and ensuring compliance with PECR, for example by revising marketing policies under which people are contacted without consent, will be a significant priority.
- Removing unnecessary burdens on businesses: The government proposes to remove the UK GDPR requirements to (i) designate a data protection officer; (ii) conduct a data protection impact assessment; and (iii) consult the ICO in advance of carrying out high-risk processing. While businesses will still be required to identify and manage data processing risks through a privacy management programme, the UK GDPR’s prescriptive requirements, which give organisations little flexibility about how they manage data risks, will be gone. This will reduce burdens for smaller businesses.
- Enabling smoother international data flows: While there are no specific details, the government aims to support its ambitions to foster new data partnerships with important economies. The DCMS will not be required to review adequacy decisions every 4 years, and will have a new power to formally recognise new alternative data transfer mechanisms that offer clarity, flexibility and sufficient data protection.
- Anonymisation is relative: Anonymisation is important because anonymised data does not fall within the scope of data protection legislation. Whether data is anonymous would be assessed on a relative basis, based on the means reasonably available to a controller (as opposed to a third party) to re-identify it. For businesses, this will mean that the impossibly high standards for anonymisation will be brought down slightly.
The response seems to have struck a positive balance between preserving data subject rights and giving more flexibility to businesses in the UK. Instead of a radical change to the UK GDPR, the proposed incremental reform of the current data protection framework could be a win-win situation for all – for businesses, for individuals, and for the UK government.