Legal briefing | |

Change is in the air for UK data protection law


The Department for Digital, Culture, Media & Sport (DCMS) recently launched a consultation on reform of UK data protection laws, with the twin objectives of strengthening public trust in the use of data, and helping to drive economic growth and innovation. The consultation builds on the Government's National Data Strategy, published last year which set out plans to build a world leading data economy that works for everyone. 'Unlocking the power of data' is also one of the Government's top 10 tech priorities, and the Government's recently published National AI Strategy also highlights the importance of this consultation and the role of data protection in wider AI governance.  

The consultation is also part of a wider drive by the UK Government to change approach, now that we are no longer part of the EU and have more freedom over our direction of travel. Its recent approval of New Zealand's ex Privacy Commissioner, John Edwards, as the next Information Commissioner to follow Elizabeth Denham, and his pragmatic, no nonsense approach, is viewed by many as another important step towards reforming the strategic direction of UK data protection law and the ICO's enforcement of it.

We set out here the main changes to the existing data protection regime which have been put forward in the consultation. In summary, many businesses which have invested much time and resource in their GDPR compliance, will be relieved to know that the proposals in the consultation very much build on the existing UK GDPR, with suggestions for change where it is felt that this regime is not delivering as it should be, rather than proposing a whole sale change in direction. That said, the proposals do lean towards a more risk/outcomes based approach to data protection compared with the highly prescriptive nature of EU GDPR, and are expected by the Government to realise a net direct monetised benefit to the economy of £1.04 billion over a 10 year period.

Reducing compliance burdens for businesses/delivering better outcomes for people

This is the driver which will most probably result in the greatest change to organisations' compliance programmes, though the changes very much appear to address some common 'bug bears' that have emerged from the current regime. Proposals include:

  • introducing a more flexible and risk based accountability programme. Examples include the removal of the mandatory requirement on some organisations to appoint a data protection officer, and permitting organisations to replace the carrying out of data privacy impact assessments, with other, more appropriate tools for mitigating risk. Privacy management programmes tailored to the extent and nature of data processing which an organisation carries out would also be permitted;

  • the raising of the threshold at which a data breach becomes reportable to the ICO, so that breaches are only reportable if there is a 'material' risk to individuals, including production of further guidance as to what risks are considered to be 'non material';

  • introduction of a fee regime for individuals submitting data subject access requests and a cost ceiling for organisations which have to respond;

  • changes to the rules on the use of cookies and direct marketing, including allowing organisations to run analytics cookies and similar technology on websites without first obtaining the user's consent, and increasing the ICO's fining powers for breach of the Privacy and Electronic Communications Regulations to bring them in line with those under GDPR.
Boosting trade and reducing barriers to data flows

This is all about making it easier for organisations to transfer data internationally. The government plans to achieve this:  

  • through international partnerships, for example, by addressing data flow issues in trade agreements (as was done in last December's UK-Japan Comprehensive Economic Partnership Agreement);

  • through speeding up the process of making adequacy decisions in respect of third countries, and taking a pragmatic view about ensuring that equivalent standards of data protection are preserved in such countries. Please see our recent briefing for further details of DCMS' four step framework for granting adequacy decisions.

The consultation also considers greater use of alternative transfer mechanisms, certification schemes and derogations.

Reducing barriers to responsible innovation/increasing responsible data use

Innovative uses of personal data are seen as key for the development of cutting edge technologies. With this in mind the Government is keen to make it easier for organisations to use, share and re-use data for research and development purposes by providing them with more certainty about how and when they can use personal data. Proposed measures, including in relation to data used for AI purposes, address:

  • clarifying the lawful ground on which personal data can be processed for the purpose of research. This includes creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without having to apply the balancing test;

  • making it easer to gain a wider, less specific level of consent from data subjects at the outset of data collection; the Government also proposes clarifying when data can be re-used for a different purpose to that which it was collected for;

  • making the transparency requirements less onerous when it comes to using data obtained from a third party for research purposes.
Delivering better public services

The expansion of the substantial public interest health basis for lawful processing, to aid non public organisations which need to process data in an emergency, is considered in the consultation. Also, measures to encourage the responsible use of data in collaborations between the public and private sector.

This is partly in response to the Covid pandemic, which highlighted the value in the efficient sharing of data between the public and private sector for the purposes of research and development. 

Reform of the Information Commissioner's Office

Proposals have been laid out for reforming the ICO so that it operates in a way which is more aligned with other UK regulatory authorities. The Government also wants to free up the ICO to focus on more serious breaches of data protection law, and to take a more strategic approach towards encouraging responsible and innovative data use, including taking competition concerns into consideration. This builds on the collaboration with the CMA which was announced earlier this year. 

ICO Response to Consultation

Meanwhile, this week, the ICO released its own response to the consultation. It welcomed many of the suggestions put forward by the DCMS, such as proposals to make it easier to use, share and re-purpose data for research purpose. However, it also cautioned, amongst other observations, against some of the suggestions to reduce the compliance burden on business – including:

  • the revisions in approach to accountability (stressing the importance of retaining in law a requirement for accountability to be demonstrated), and the proposal to replace some accountability requirements with privacy management programmes, which it questioned the value of;

  • the proposal to remove the requirement to conduct a data protection impact assessment (these are viewed by the ICO as invaluable for helping controllers to understand data protection issues quickly and efficiently); and

  • the proposal to introduce a fee regime for data subject access requests (without further research to assess the benefit and risks of any changes to this right, given the effect that a fee regime would have on some individuals' ability to exercise their right to access their personal data).

The ICO also highlighted the importance of ensuring that as a regulatory body, it remained truly independent from the Government.

Whilst a more risk based approach towards data protection will be welcomed by British businesses which have had to deal with the at times overly complicated compliance burden of the GDPR, the Government will have to be careful that its proposals do not undermine the EU's adequacy decision, and that the UK's standards of data protection will still remain essentially equivalent to the standards provided in the EU. Furthermore, whilst the changes will be useful for those organisations which only operate in the UK (or are only subject to UK GDPR), they may not make such a difference to the many multinational organisations which process personal data and which will still have to ensure compliance with EU GDPR.

The consultation closes on 19 November.

For further information, please contact

Read Dan Reavill Profile
Dan Reavill
Back To Top