Plans to reform the UK’s data protection regime represent an important evolution for the UK GDPR
On 17 June 2022, the UK Government published its response to its Data: a new direction consultation. The response sets out a series of proposals to reform the UK GDPR in ways that will better enable innovation, drive scientific research, and position the UK as a more attractive data economy. At the same time, the reforms maintain a high standard of data protection rights that will help preserve data sharing agreements with international partners, including the European Union (EU).
Following the UK’s withdrawal from the EU, the UK Government has approached reform of its data protection regime as an opportunity to seize the benefits of its newfound regulatory freedoms, opting for a more risk-based and proportionate approach to data protection and compliance, which techUK has welcomed.
Based on feedback from just under 3,000 consultation responses, including techUK’s submission, the Government has set out the changes it will take forward in reforming the UK’s data protection regime, which will be laid before Parliament as a draft bill later this year.
In its response to the consultation, the Government outlines across five chapters which proposals will be adopted, including provisions around using personal data for research, introducing a legitimate interests list, creating a more proportionate and risk-based approach to the accountability framework and data flows, as well as expanding the responsibilities of the regulator. Overall, this is a welcome package of reform that adopts many of the suggestions made by techUK and our members.
Commenting on the proposals, Julian David, CEO at techUK, said:
“At its introduction the GDPR was not perfect. The challenge in reforming it has always been how to retain key protections for citizens while introducing clarity and flexibility to enable growth in data driven innovation and new technologies such as AI.
“The reforms announced today find a good balance between making the UK’s data protection system clearer, more flexible, and more user friendly to researchers, innovators, and smaller companies. While at the same time maintaining levels of data protection in line with the highest global standards.
“There are some outstanding questions about how exactly these reforms will work in practice. Specifically, around an opt-out system for cookies and the Government’s proposals for balancing tests with regards to data processing.
“However, on the whole this is a welcome package of reform. techUK will continue to work closely with the Government on these outstanding questions and we look forward to seeing the draft Data Bill in due course.”
Chapter 1: Reducing barriers to responsible innovation
The Government will make it easier and clearer for organisations to use and reuse data for research purposes. The Government will legislate to create a statutory definition for scientific research in the UK GDPR. This will be based on recital 159 of the GDPR, a broad definition that covers technological development and demonstration, fundamental research, applied research and privately funded research.
The Government will clarify the processes and safeguards for the re-use of personal data and clarify standards for anonymisation, including making the test for anonymisation relative. An exhaustive list of processing activities that will allow organisations to process data without a lengthy legal assessment (balancing test) will be introduced. This will be usable for a number of purposes such as for anti-fraud and anti-money laundering.
Many of the Government’s proposals and suggestions on artificial intelligence (AI) in this chapter have been left to a forthcoming AI White Paper, which will focus on the governance and regulation of AI systems. This includes the future of Article 22 (the right to a human review of an automated decision), which will remain in the UK GDPR in some form; however, its thresholds for use will be clarified in the AI White Paper. techUK supports the UK retaining Article 22 in legislation and agrees with the Government that clarification is needed.
The Data Bill will, however, make changes to enable organisations to use sensitive personal data for the purpose of reducing bias in AI systems. This will be done by clarifying that Schedule 1 Paragraph 8 of the UK GDPR can be used for the purpose of ensuring bias monitoring, detection and correction.
The Government will also implement proposals to provide organisations with more clarity on data anonymisation, improve industry participation in Smart Data Schemes under BEIS, and support efforts to promote the uptake of Privacy Enhancing Technologies (PETs).
Chapter 2: Reducing burdens on businesses and delivering better outcomes for people:
The Government will shift towards a more flexible and risk-based approach to compliance, proceeding with plans to implement Privacy Management Programmes (PMPs) as well as remove the requirements for Data Protection Officers (DPOs) and Data Protection Impact Assessments (DPIAs). This will largely benefit smaller organisations, which will now be able to take a more tailored approach to compliance.
The Government will also tackle concerns around “consent fatigue” in relation to cookie banners by reducing the scope in which they are required (e.g., for non-intrusive purposes) and, in the longer term, moving to an opt-out model of consent for cookies. The proposed opt-out system will require further consultation to ensure that its implementation does not stifle innovation or have a negative impact on competition in the sector.
In this chapter, the Government has also set out other areas in which it will implement reform to ease compliance burdens on organisations related to record keeping, breach reporting and responding to unreasonable information requests from individuals (Subject Access Requests). techUK has welcomed the fact that a nominal fee for individuals to submit these requests will not be re-introduced.
On the whole, these plans should reduce burdens for businesses while retaining high standards of data protection. However, it will be important that Government seeks to make sure it does not take away regulatory burdens with one hand and then add them on with the other. This will particularly be the case for new proposals intended to reduce unsolicited direct marketing, such as nuisance calls. While the policy intention here is good, this is a complex area. If reforms are poorly designed, they could add significant monitoring and double compliance costs to network providers, which would be against the broader goals of these reforms to reduce burdens on businesses.
Chapter 3: Boosting trade and reducing barriers to data flows:
The Government will shift to a more risk-based and outcomes-based approach to data adequacy decisions, such as by removing the requirement to review adequacy decisions every four years and developing a more flexible and outcomes-based approach for assessing jurisdictions for adequacy as well as for the creation of new data transfer mechanisms.
Chapter 4: Delivering better public services:
The Government will make it easier and clearer for organisations to share data with public bodies when asked to do so on public interest grounds. These proposals will help to address many of the challenges that arose during the pandemic around the sharing of personal data for purposes in the public interest.
Chapter 5: Reform of the Information Commissioner’s Office (ICO)
The Government will implement wide reforms to the ICO with a view to expanding its responsibilities and bringing its governance structure in line with other UK regulators such as Ofcom and the Competition and Markets Authority (CMA).
This includes a new governance structure, including a Chief Executive and a board as well as secondary duties to consider the economic impacts of its decisions, to develop a coherent international strategy, as well as new transparency and reporting requirements.
The DCMS Secretary of State will also be given new powers to prepare a non-binding Statement of Strategic Priorities for the ICO and to approve new codes of practice and complex or novel guidance. How this power to approve guidance is exercised will be important with regards to the perceived independence of the regulator. techUK would therefore welcome further clarification on how this proposal will work in practice.
The ICO will also be renamed to better reflect changes in its structure and responsibilities.
Overall, these reforms represent an important evolution in the UK GDPR which will provide greater clarity and flexibility for businesses that process personal data. While some proposals will require further consultation and clarification, this package is an important evolution of the UK GDPR, particularly with regard to changes designed to boost data-driven research and innovation.
Based on the response to the consultation, a draft Data Reform Bill will be laid before Parliament this summer to undergo several rounds of amendments before it is formally passed into legislation. The scrutiny period will be critical in addressing any outstanding questions on the proposals such as those related to AI, cookies, nuisance calls, reforms to the ICO as well as the effectiveness of the processing activities listed under the legitimate interest list.
Once passed, the regulator will also play a vital role in providing organisations and individuals with guidance for implementing the new regime.
techUK will remain engaged with the Government throughout this process. In particular, we await the publication of the AI White Paper. Establishing the correct framework for data use and the regime for AI governance are two vital pieces of the puzzle in ensuring the UK takes a leadership role in AI, giving companies the confidence to invest.
Please see here for techUK’s full response to Data: a new direction.
This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.
Julian David is the CEO of techUK, the leading technology trade association that aims to realise the positive outcomes of what digital technology can achieve through innovation and collaboration, and serves on its board of directors.
Julian led the transformation of techUK from its predecessor Intellect in 2015, putting an increased focus on the growth and jobs the technology industry offers in a global economy. He has since led its impressive expansion, driving forward the tech agenda in key areas such as skills, digital ID and public sector transformation, now leading techUK’s 70-strong team and representing over 850 member companies, comprising global and national champions and more than 500 SMEs. In 2020, techUK joined forces with TechSkills, the employer-led organisation that aims to improve the flow of talent into the digital workforce.
Julian represents techUK on a number of external bodies including the Digital Economy Council, the Cyber Growth Partnership and the Department for International Trade’s Strategic Trade Advisory Group. He also sits on the Executive Board of DIGITALEUROPE and is a member of the Board of the Health Innovation Network, the South London Academic Health Science Network.
Julian has over thirty years of experience in the technology industry. Prior to joining techUK, he had a long career at IBM culminating as Vice President for Small and Medium Business and then Public Sector. After leaving IBM he worked as a consultant helping tech SMEs establish successful operations in the U.K. His personal interests include Football (West Ham and Real Madrid) and Art.
Dani joined techUK in October 2021 as Policy Manager for Data.
She formerly worked in Vodafone Group's Public Policy & Public Affairs team as well as the Directorate’s Office, supporting the organisation’s response to the EU Recovery & Resilience facility, covering the allocation of funds and connectivity policy reforms. Dani has also previously worked as a researcher for Digital Catapult, looking at the AR/VR and creative industry.
Dani has a BA in Human, Social & Political Sciences from the University of Cambridge, focussing on Political Philosophy, the History of Political Thought and Gender studies.
As Associate Director for Policy, Neil leads techUK's domestic policy development in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK’s Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies. Neil also acts as a spokesperson for techUK on UK policy in the media and at Parliamentary Committees.
Neil joined techUK in 2019 to lead on techUK’s input and engagement with Government on the UK-EU Brexit trade deal negotiations, as well as leading on economic policy. He has a background in the UK Parliament and in social research and holds a master’s degree in Comparative Public Policy from the University of Edinburgh and an undergraduate degree in International Politics from City, University of London.
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy. She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame. A key influencer in driving forward the data agenda in the UK, Sue is co-chair of the UK government's National Data Strategy Forum. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020, Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015, Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy to cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has a BA degree in History and American Studies from Leeds University and a master’s degree in International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.