UK unveils Data Reform Bill, scrapping parts of GDPR and promising £1 billion in savings
The reforms, which stop short of abolishing GDPR entirely, also include an overhaul to the Information Commissioner's Office and a watering-down of rules around consent for scientific research
The UK government has unveiled the details behind its widely anticipated proposals to replace the General Data Protection Regulation (GDPR) with more flexible and less stringent data protection laws.
The EU’s “highly complex” GDPR, which came into force four years ago, has held back businesses from using data “as dynamically as they could”, according to the Department for Digital, Culture, Media and Sport (DCMS).
The Data Reform Bill will scrap what the government decries as “red tape and pointless paperwork”, while lowering the barrier for personal data to be used in scientific research. As part of this package, the Information Commissioner’s Office (ICO) will also be restructured.
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower,” DCMS secretary Nadine Dorries said. “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.”
“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”
Death to the “box-ticking” GDPR
The UK government has long argued that a lack of clarity in GDPR meant seeking consent from individuals turned into a box-ticking exercise, with the current regime putting a disproportionate burden on small businesses.
The government has hinted the Data Reform Bill will ditch the need for organisations to seek explicit consent before processing personal data on every occasion, although it hasn’t outlined what this will look like in practice. It says, however, the new data protection rules will be focused on outcomes rather than going by the letter of the law.
Under this laissez-faire approach, some businesses won’t need to appoint a data protection officer (DPO) and won’t need to conduct data protection impact assessments (DPIA) when developing new tools or services.
The example DCMS uses is that of an independent pharmacist no longer needing to recruit a dedicated DPO, provided they can effectively manage risks themselves.
Organisations, though, will still need to have a privacy management programme in place to ensure they’re accountable for how they process personal data.
Scrapping these administrative elements of GDPR will save businesses approximately £1 billion, the government claims.
Retooling the ICO
Under the proposals, the UK data regulator will be reorganised to have a chair, chief executive, and a board in order to introduce a wider set of skills to support decision-making. The government also wants to broaden the responsibilities underpinning the ICO’s work, with everything currently sitting on the shoulders of the Information Commissioner.
“I share and support the ambition of these reforms,” said the recently appointed Information Commissioner, John Edwards. “I am pleased to see the government has taken our concerns about independence on board.
“Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”
The ICO will also be given new, “clearer” objectives, to be set out in legislation, which will give the regulatory more focus. They’ll also require the regulator to consider factors like economic growth, innovation and competition when making judgements, rather than going by the letter of the law.
Political oversight will also be added to the way the ICO develops statutory codes, which it routinely publishes to outline best practice for organisations using data in specific ways – such as protecting children’s data online.
The secretary of state must personally approve each piece of statutory guidance in future before they’re presented to Parliament.
Lowering the barrier for data processing
Among the most significant elements of the package is watering down the legal requirements for institutions and companies to process personal data for research purposes.
The Data Reform Bill will more clearly define the scope of scientific research, and will give scientists clarity about when they can – and when they don’t need to – obtain user consent to collect or use data for broad research purposes.
Under the current regime, users need to give their explicit consent for data to be processed for a specified reason. The data collected cannot then be used, without re-acquiring consent, if the purpose of the research changes. Now, researchers only need to specify they’re using data in, for example, cancer research generally as opposed to a particular cancer study.
The UK government has long considered abolishing GDPR and replacing it with a new set of data protection laws that are more flexible, and reduce the administrative and legal burden placed on businesses.
Understanding the economics of in-cloud data protection
Data protection solutions designed with cost optimisation in mindFree Download
Last June, the prime minister Boris Johnson welcomed an agenda that included scrapping consent altogether, and removing human oversight from artificial intelligence (AI) tools and systems. DCMS announced a consultation on a set of less extreme proposals in September last year, which has culminated in the package of measures it’s announced tonight.
Edwards, who was appointed Information Commissioner on 4 January, previously warned ministers against scrapping the safeguards GDPR gives data subjects. That the Data Reform Bill has won his backing suggests he's satisfied the new regime will maintain high standards of data protection.
How the data reforms will affect the UK's relationship with the EU remains unclear. The UK was able to secure a data adequacy agreement with the EU following Brexit, which allowed data to flow from the EU to the UK unhindered, however that agreement is contingent on the EU continuing to recognise the UK as having data protections as robust as that of the European Union. Many industry experts have warned that attempts to deviate too far from GDPR could put this agreement at risk, causing severe disruption for businsesses across Europe.
Peter Church, Counsel at multinational law firm Linklaters, highlighted that a number of more radical suggestions have been removed from the final proposals, including the possibility of replacing GDPR entirely in favour of a brand new framework.
"This is hardly a surprise given data protection laws are now a global norm and the GDPR is the template upon which many of those laws are based," said Church. "This is good news for data flows between the EU and the UK, as these more modest reforms mean the EU Commission is less likely to revoke the UK’s adequacy finding, which would have caused significant disruption."
However, Mariano delli Santi, data protection campaigner at Open Rights Group, called the proposals "irresponsible", adding that "they risk leading to a massive and expensive rupture with the EU, making data transfers costly for UK businesses, costing jobs during an economic downturn".
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download