GDPR and data protection reforms – A look at what's been proposed

David Edwards Friday 19 November 2021

David Edwards, partner and head of Harrison Drury’s regulatory team, examines the proposed reforms to UK data protection laws and how they may affect UK businesses.

On 10 September 2021, the government proposed reforms to the UK’s data protection regime and opened a public consultation on those proposals with a 146-page paper entitled Data: A new direction.

According to the government, the aim of the proposed reforms is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standard’.

The report acknowledges that there is currently a disproportionate burden on SMEs and organisations that undertake low-risk processing, an acknowledgement that many SMEs may have welcomed.

What data laws do the reforms cover?

The legislation that falls within the scope of the proposed reforms is:

  • UK General Data Protection Regulation (GDPR),
  • Data Protection Act 2018, and
  • Privacy and Electronic Communications Regulations (PECR).

What changes are proposed in the data protection reforms?

According to the paper, the key proposed reforms include reducing barriers to responsible innovation; reducing compliance burdens on businesses; boosting trade and reducing barriers to data flows; and reforming the Information Commissioner’s Office (ICO).

To achieve this, the proposed changes include:

  • Removing the requirement to carry out Data Processing Impact Assessments (DPIAs),
  • Removing the requirement to complete and store Records of Processing Activities, and
  • Allowing data controllers to routinely charge a fee to act on a data subject access request (DSAR).

There are also a number of other proposed reforms around the use of website cookies and e-mail marketing designed to simplify matters for businesses.

What are the implications for businesses?

While some SMEs may heave a sigh of relief on sight of these proposals, it is important to remember that any significant changes to the UK’s data protection regime should meet the EU’s adequacy requirements.

According to government figures, the free flow of data to the EU is worth £85 billion to the UK economy. Therefore, ensuring that the EU’s data protection adequacy requirements continue to be met is vital, both to business and the wider economy.

Also, the only organisations that can benefit completely from any of the proposed changes are those that operate and trade exclusively in the UK. Organisations that operate and trade outside of the UK will still be obligated to follow the GDPR, in addition to any new domestic rules.

To what extent the proposed reforms are adopted, and whether any changes that are implemented do, in practice, reduce the burden on SMEs, remains to be seen.

If you wish to discuss any issues raised in this article, or need help with any other data protection matter, please contact David Edwards in our regulatory team on 01772 258321.