Changes to UK data regulation laws - The impact for your organisation
- Posted on January 20, 2023
The UK government has announced upcoming changes to its data protection laws that will differentiate its framework from EU GDPR, giving companies greater flexibility to demonstrate compliance. The opportunity extends beyond just being a GDPR compliant organisation – the real differentiation comes through becoming a truly trustworthy organisation within your sector, which in turn will retain and attract clients. The upcoming changes also present a fantastic opportunity to distinguish your organisation through the use of data and to drive business and operational insights, readying your data for AI, intelligent automation, and cognitive services. Below we provide an overview of the upcoming GDPR changes and highlight ways in which you can make the changes work in your favour by driving trust and unlocking the value of your data.
1. What is the Data Reform Bill?
The General Data Protection Regulation (EU-GDPR) was established to strengthen the fundamental rights of individuals and clarify rules for those processing personal data. The Data Protection Act 2018 is the UK’s implementation of the GDPR. Given the UK’s decision to leave the EU (Brexit), with effect from January 1, 2021, the EU-GDPR no longer applied to the UK and was replaced with ‘UK GDPR’, which sits alongside an amended version of the Data Protection Act 2018. For the most part, it has continued to follow the EU GDPR standards and principles very closely to maintain the status quo. This was until the Department for Digital, Culture, Media and Sport (DCMS) introduced a new Bill in the House of Commons that signified the UK would be deviating from GDPR.
The Data Reform Bill – officially called the Data Protection and Digital Information Bill (DPDI) – seeks to amend several laws currently in place for the UK, including UK GDPR mentioned above, as well as the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulation (PECR – e-privacy).
2. What changes to UK GDPR does the Bill seek to make?
The Bill proposes to ‘update and simplify’ the UK’s data protection framework, and ‘reshape its approach to regulation outside of the EU’. This divergence from EU GDPR, therefore, can be seen to have the aim of making UK legislation more flexible and risk-based to encourage emerging technologies (ET), in particular Artificial Intelligence (AI) and Machine Learning, but poses risks to the UK’s relationship with the EU. The Regulatory Policy Committee (RPC) summarises that “the overall position appears to be that personal data is a valuable, unutilised asset and that “unlocking” this generates large commercial and consumer benefit at little cost”.
Although not an exhaustive list, we have identified four themes the Data Reform Bill is targeting which will have a direct impact on UK businesses:
- Encouraging data-driven activity and harnessing the latest technology,
- Boosting trade by making international data sharing easier,
- Amending e-privacy laws to increase ability to use personal data and internet tracking,
- Reducing compliance burdens for businesses.
2.1 Encouraging data-driven activity and harnessing the latest technology
A key theme is to help organisations ‘build or deploy AI systems responsibly, and to innovate with care, while ensuring risks are managed’. The Bill seeks to legislate in some of the areas previously identified within the Government’s National AI Strategy published in September 2021. The Bill establishes a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents, streamlining such processes as onboarding and verification. It also creates new powers to introduce ‘smart data schemes’ for the secure sharing of customer data, enabling services such as personalised market comparisons and account management. By readying your data ecosystem, you can rapidly innovate, create new revenue streams and, subsequently, tailor your offering to increase sales and retention.
2.2 Boosting trade by making international data sharing easier
Adequacy is a term that the EU uses to describe other countries, territories, sectors, or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. The Bill includes a relaxation of the current requirement to review adequacy regulations every 4 years, proposing instead an approach of ongoing monitoring. Removal of the need for a formal review, as well as flexibility with granting adequacy decisions to countries, could pose risks to data protection standards and those companies that do business with the EU. For instance, if the UK allows personal data of people in the EU to be transferred to a country that does not have an adequacy decision from the EU, this could weaken the EU GDPR. Further, organisations could attempt to use the UK as a “transfer hub” to circumvent the EU’s rules, putting the EU’s assessment of the UK’s adequacy under threat.
Businesses that process EU data or function outside of the UK may be faced with further complications, such as having to operate a dual regime with differing rules, since they will still need to comply with EU GDPR where applicable. This will no doubt add a layer of complexity for companies that are not solely UK based.
2.3 Amending e-privacy laws to increase ability to use personal data and internet tracking
Companies are required to have prior consent from individuals to use tracking technologies – also referred to as cookies – unless they are ‘strictly necessary’. The Government claims that businesses’ ability to collect potentially useful information, such as how many people are visiting their websites and what pages they are looking at the most, is restricted by the current strict rules on data collection consent. The Bill proposes to remove the requirement for prior consent for all types of cookies (governed by Regulation 6 of PECR). The increased volume of personal data being processed for enhanced audience measurement gives organisations the opportunity to harness ML for customised user experiences and to improve their offering to customers. As with the processing of all personal information, managing and protecting the information must be at the core of an organisation’s governance strategies. Without this, you risk fines and permanent loss of customer trust.
2.4 Reducing GDPR compliance burdens for businesses
The Bill aims to provide organisations greater flexibility in how they demonstrate their legal compliance compared to the current regulatory regime, which the government claims restricts the ability of firms to fully realise the benefits of their data assets. For example, the government proposes transferring the tasks and responsibilities of a Data Protection Officer (DPO) to a designated senior individual, and where an organisation’s processing activities are low risk, the organisation does not need to appoint a senior responsible individual. The proposed changes will arguably benefit smaller organisations which do not process large volumes of sensitive data, but be less practical for larger organisations or those carrying out more sensitive processing activities. The removal of the requirement to appoint a DPO could result in a loss of data protection expertise, lack of a designated focus on this area and a lack of independence, which could in turn lead to a potential fall in customer trust.
The Bill also proposes to remove the need to complete Data Protection Impact Assessments (DPIAs), suggesting that these assessments are a ‘prescriptive duplication of other risk assessments that achieve the same outcome performed within an organisation’. Organisations would still be required to identify and manage risks when processing personal information, but greater flexibility would be permitted as to how you demonstrate compliance with those requirements, allowing you to build an approach personalised for your organisation’s size, activity and existing data protection processes.
3. Parliamentary passage
The Data Reform Bill was introduced in the House of Commons on 18th July 2022, and is currently pending its Second Reading, which has been postponed due to recent changes in government. Since the appointment of Rishi Sunak as Conservative Party Leader, official communications regarding the Government’s intentions for the Bill have yet to be made.
Rishi Sunak has made it clear that he backs the removal of ‘burdens of GDPR’ in his article in the Telegraph: “The EU’s Byzantine rules are preventing British tech companies from innovating and public services from sharing data to prevent crime. As any internet user can see, GDPR – with all its bureaucratic box-ticking – is clearly not working and needs to be replaced.” It is, therefore, very possible that the Bill’s passage will resume in earnest soon.
Across every industry, the pace of change continues to accelerate. With the right data framework and approach, you will be able to organise, manage, govern, and secure your data to gain faster ROI and competitive advantage. Being considerate of, and trustworthy with, people’s personal data is pivotal for attracting and retaining customers.
Overall, there is a recurring theme across the Data Reform Bill of realising the benefits of greater personal data use and reducing burdens on businesses, by maintaining standards but allowing organisations greater flexibility in how they demonstrate compliance. This greater flexibility provides organisations a unique opportunity to develop a personalised data management and governance approach that works for them.
Taking a proactive approach significantly minimises risks, increases revenue, reduces cost and manages complexity. By democratising data across your organisation, you can establish a complete value chain, encompassing your organisation’s people, processes and technologies, to improve quality and accessibility of your data and exploit your data as a valuable asset. This is not an easy process to undertake, and we can help you in navigating and preparing for the coming changes by supporting you with your governance framework, ensuring you have the right strategy in place to successfully make the most of your data and differentiate yourselves from your peers. Avanade can help you get the correct grounding with your data in order to reap the benefits of cloud-based solutions, artificial intelligence and machine learning. Data health checks, maturity assessments, and the implementation of data governance structures are among the initiatives we can support you with to enhance your current position and to give you flexibility to adapt and evolve for what is coming on the regulatory horizon.