The British Government has launched a consultation on its proposed changes to the UK's data protection regime - which is currently underpinned by the EU's GDPR legislation - as it aims to ‘unleash data's power across the economy and society'.
The consultation document outlines what changes businesses can expect as the government navigates moving away from certain elements of GDPR, with the aim of removing ‘unnecessary burdens'.
The consultation is very careful to maintain that the UK will continue to be world-leading in its data protection standards and proposals, whilst also referring to ‘European friends and partners' - but insists that it is perfectly reasonable as an independent nation to carve its own path. The document notes:
The government recognises that different jurisdictions operate different data protection regimes, which reflect the specific values and priorities of their societies. Respect for the existence of multiple different data protection regimes and recognition of the importance of striving towards increased interoperability to support trusted international flows of data are key parts of the UK's approach.
In that spirit, the government believes it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime and moves to implement any reforms in the future.
European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law. Indeed, other countries, such as Israel, have been granted adequacy decisions by the EU while pursuing independent and varied approaches to data protection, reflecting their unique national circumstances, cultures and heritages.
However, whilst the UK was indeed granted adequacy status by the EU earlier this year, Brussels has already warned that it will be keeping the situation under review in case the British Government backs away from its GDPR commitments. And as my colleague Stuart Lauchlan recently highlighted on diginomica, the UK is taking a huge gamble with these proposed changes to its data protection framework.
However, Minister for the Cabinet Office, Lord Frost, was banging the UK independence drum and said:
These reforms are another example of how, having gained new regulatory freedoms outside of the EU, we can now take bold action in the national interest and in the interest of British businesses and consumers.
Our new data regime will cement our status as a science superpower by removing unnecessary burdens and boosting innovation and growth right across the UK.
Changes for business
The government's proposals include changes for businesses that largely center around the accountability framework set out in UK GDPR. It argues that the current framework tends towards a ‘box ticking' compliance regime, rather than one that encourages a proactive and systemic approach, which ‘undermines' the principle of accountability.
The proposed changes for business aim to incentivise organizations to invest more effectively in the governance, policies, tools, people and skills that protect personal data - with a focus on ‘the right outcomes'.
However, with organizations having invested in GDPR for a number of years now, the government is also keen to highlight that any future data protection regime will not require changes to many current processes if they already operate effectively.
The current proposed changes include:
The government intends to remove the existing requirements for organizations to designate a data protection officer. It argues that even without a data protection officer, organizations will still need to be compliant and accountable.
Removing the requirement for organizations to undertake a data protection impact assessment, so that different approaches to identify and minimize data protection risks can be adopted.
The current legislation requires that where an organization has identified a high risk that cannot be mitigated, it must consult with the Information Commissioner's Office (ICO) before starting the processing of data. However, the government says that this is used infrequently and that the requirement for prior consultation should be removed.
GDPR requires organizations to maintain at all times a record of processing activities, which the government argues leads to the creation of large amounts of paperwork that is largely duplicated by other provisions in the legislation. It therefore proposes to remove record keeping requirements.
GDPR requires that an organization must inform the ICO of a data breach ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'. The government believes this low legal threshold for reporting incentivises organizations to over-report, through fear of regulatory action by the ICO. Therefore, the government is considering whether to change the threshold for reporting a data breach, where ‘non material risks' would not have to be put forward.
The government has said that its initial economic analysis shows that the reform package will have a net direct monetised benefit of £1.04 billion over 10 years, even after accounting for potential costs incurred through any future changes to the UK's EU adequacy decisions.
Responding to the release of the data reform consultation, technology trade association techUK said:
The consultation opens a significant discussion in the UK about the future of the UK's data protection regime. The approach is firmly rooted in the GDPR framework, and the consultation includes some sensible ideas about how it can be improved. However, both businesses and civil society will want to take a close look at the proposed reforms to privacy management frameworks, the grounds for data processing and international data transfers.
Encouraging innovation need not come at the cost of weakening of data protection standards. The objective must be to ensure that innovation is enabled, citizens are able to exercise their rights and the UK is seen a secure location for international data. Businesses will want to see the UK maintain its data adequacy agreement with the EU.
These proposals have more weight to them than the headline grabbing ‘no more cookie pop ups!' we saw a few weeks ago, and they will likely be more attention grabbing to those watching closely in the EU. Reducing burden on businesses isn't a bad thing, but it can't come at the cost of the data protections that GDPR has brought for businesses and individuals. Solid data protections are *good* for business and I'm fairly certain the government's plans to remove records of processing activities and lowering thresholds for reporting data breaches will raise some red flags. Over to you Brussels…