Legal briefing | |

UK data protection reform: a taste of what's ahead

UK data protection reform: a taste of what's ahead


The Department for Digital, Culture, Media and Sport (DCMS) has recently published its response to the consultation on data protection reform (which we previously wrote about here). For those disappointed by the lack of detail in the Queen's Speech on the Data Reform Bill, this response provides a clearer picture of UK data protection reforms to come – which measures the UK Government is taking forward, which it is dropping and which it needs to consider further. For the detail, we'll need to wait for the text of the draft Bill itself.

This briefing looks at the likely impact on businesses of the principal changes (as well as those changes that didn't make the cut). The consultation is broken down into 5 chapters: reducing barriers to responsible innovation; mitigating burdens on businesses and delivering better outcomes for people; minimizing barriers to data flows; improving public services (which we do not cover in this briefing); and reform of the ICO. 

"A clampdown on bureaucracy, red tape and pointless paperwork" (according to the DCMS). Perhaps. The good news for those who have invested heavily in complying with UK GDPR is that, if you are already compliant, you are unlikely to have to make substantial changes in order to remain so, as the changes proposed here are incremental to the existing regime, not a seismic shift. It also looks likely that those subject to both the UK GDPR and the EU GDPR, wishing to take a harmonised approach across their business, should (broadly) be able to satisfy the requirements of both regimes by adhering to the EU GDPR standard.

Mitigating burdens on businesses and delivering better outcomes for people

These changes, set out in chapter 2 of the consultation, are likely to have the most practical impact on businesses:

  • Changes to the Privacy and Electronic Communications Regulations 2003 (PECR):

    • in response to cookie pop-up "fatigue", the consent requirement for analytics cookies (audience measurement and detecting faults are mentioned) will be removed. Moreover, there will be a move in the longer term to opt-out consent for all cookies “once automated technology is widely available to help users manage online preferences”. The opt-out won’t apply to websites likely to be accessed by children, who will still need to provide opt-in consent;

    • in relation to direct marketing, there will be a duty for communications providers to report suspicious levels of traffic. Curbing nuisance calls is to be encouraged, but this measure does not appear consistent with reducing the regulatory burden on businesses;

    • enforcement will be brought in line with UK GDPR i.e. with maximum fines of higher of £17.5m and 4% of turnover. Businesses take note: PECR fines are currently much more common than fines under UK GDPR.

  • "Privacy Management Programmes" (PMP) and a requirement to have a senior individual to oversee the PMP will replace Data Protection Impact Assessments, Data Protection Officers and records of processing activity. Intended to be a more risk-based and flexible approach to accountability, only time will tell if it actually results in a reduction of the burden on businesses. Will some businesses, particularly those also subject to EU GDPR, choose to subsume existing accountability mechanisms within a PMP? If so, not much will change - apart from the label.

  • There will be no mandatory requirement to consult with the ICO in relation to high-risk processing - a requirement currently more honoured in the breach than in the observance - although it may be a mitigating factor in an enforcement action to have consulted.

  • The threshold for refusing a Subject Access Request (SAR) will change from "manifestly unfounded or excessive" to "vexatious or excessive". It's questionable how many more requests will be filtered out by applying this new test, as it is still a high bar.

What didn't make the cut…?

  • No cost ceiling on, and no nominal fee for, SARs

  • No change to the threshold for data breach reporting
Boosting trade and reducing barriers to data flows

The UK Government aims to make it easier to transfer data internationally. Changes include:

  • Facilitating a risk-based approach to adequacy decisions (including clarifying that administrative redress for data subjects is sufficient for international transfers, not just judicial redress) and removing the mandatory four year review of those decisions

  • Introducing a power to create alternative transfer mechanisms (but not empowering organisations to devise their own).
Reducing barriers to responsible innovation/increasing responsible data use

The Government wants to make it easier and clearer for organisations to use and reuse data for research purposes. The changes in this area are mostly clarificatory, rather than significant changes of principle:

  • Shifting concepts from recitals to operative provisions including providing a definition of "scientific research"

  • Clarifying the standard of anonymisation. The precise approach isn't set out but the test will be relative to the means (for identification of the individual) available to the controller at the particular time

  • Introducing a new condition to enable the processing of special category data for the purpose of monitoring and correcting bias in AI systems

  • Providing a (now shorter) list of exceptions to the requirement to undertake a balancing test in relation to the "legitimate interests" lawful ground for processing e.g. preventing crime, reporting safeguarding issues, important reasons of public interest.

What didn't make the cut…?

  • There's to be no separate lawful ground for research purposes under article 6

  • The Government has stepped away from removing the right for human review of AI decisions and many of Government’s proposals on AI have been left to a forthcoming AI White Paper
Reform of the ICO

The changes proposed to the ICO (which may have a different name in future) are fairly extensive, aligning its structure more closely with other regulators such as the FCA and CMA and include:

  • A new statutory framework: an overarching objective to uphold data rights and encourage trustworthy and responsible personal data use with subordinate duties, to take into account growth/innovation, competition law and public safety

  • A new governance structure, with a chair and CEO

  • Complaints will need to be raised first with data controllers before being lodged with the ICO and data controllers will need to have a transparent complaints procedure

  • Power for the ICO to commission technical reports (at the data controller or processor's expense) and compel witnesses to interview, which could add to the cost of managing a data breach for example

  • An increase, in certain circumstances, to the ICO's current 6 month deadline to issue penalty notices and a requirement for the ICO to be more transparent over time periods for each phase of an investigation

  • An obligation on the ICO to consult with other regulators. 

Respondents expressed concern that the changes proposed in the consultation risked compromising the independence of the ICO. The ICO, John Edwards, has said, "I am pleased to see the government has taken our concerns about independence on board", but some question marks remain on this front. The DCMS still intends to require approval of codes of practice which entail complex or novel guidance and the ICO is to carry out its data protection functions under a statement of strategic priorities to be prepared by the DCMS (although the ICO won't be legally bound to act in accordance with this statement and it will still be subordinate to the ICO's primary objective and duties under the UK GDPR and the DPA 2018).

The EU's adequacy decision

There has been much speculation about the impact that these reforms may have on the adequacy decision from which the UK benefits in respect of data transfers from the EU. It has been suggested1 that the compliance cost to UK businesses of losing adequacy would easily wipe out the $1bn of savings over 10 years that the DCMS projects from deregulation as a result of these reforms. We're cautiously optimistic: the Government has taken a fairly conservative approach, none of these changes appears to fly in the face of EU GDPR and so it looks unlikely that these reforms alone will threaten the UK's adequacy status. That said, the devil will be in the detail and, besides, adequacy is not only about how closely UK and EU legislation are aligned but by factors such as the access that the national security agencies have to personal data, so the Government still needs to tread carefully.


1  Research carried out by the New Economics Foundation think tank and UCL's European research hub

Key contacts

Read Dan Reavill Profile
Dan Reavill
Read Helen Reddish Profile
Helen Reddish
Back To Top