The Department for Digital, Culture, Media and Sport (“DCMS”) has unveiled its new proposals for the UK’s post-Brexit data protection regime. Following the announcement of the UK’s new National Data Strategy ‘Data: a New Direction’ (the “Strategy”) last year (a summary of which can be found here), and the conclusion of London Tech Week, DCMS has published the responses to its consultation on the Strategy, outlining which of the proposals will be taken forward into the highly anticipated Data Reform Bill. The Annexes to the Strategy consultation proposals clearly outline the Government’s plans in relation to each of the proposed reforms, including whether these will now be taken forward into legislation.

Whilst a number of proposals are still under consideration by the Government, the following have been identified as forming part of the Data Reform Bill:

  • creating a limited list of legitimate interests for businesses to process personal data, without then having to conduct balancing tests;
  • imposing requirements on companies to conduct a privacy management programme, outlining how they process and safeguard personal data;
  • substituting the obligation on some organisations to appoint a DPO with an obligation to identify an individual within the organisations responsible for overseeing data protection compliance;
  • the removal of Data Protection Impact Assessments;
  • a relaxation of the requirements relating to consent for cookies, including the removal of the requirement for prior consent for cookies where the website uses automated technology to manage user preferences and the removal of prior consent for analytics cookies;
  • extending greater powers of enforcement to the Information Commissioner’s Office, including increased fines for breaches of the Privacy and Electronic Communications Regulations to bring them in line with the fines issued for breaches of UK GDPR; and
  • reforming DCMS Secretary of State’s adequacy making power in relation to international transfers, as well as removing the requirement to conduct a review of adequacy decisions every 4 years.

In the latest press release, the Secretary of State highlights that the plans aim to ‘replace unnecessary paperwork to deliver around £1 billion in business savings’. 

The new Data Reform Bill, announced in the Queen’s Speech as part of a package of incoming Government legislation, aims to reduce what has become viewed as a ‘box-ticking’ exercise for many organisations, with the previous EU imposed data protection regime being seen as putting a disproportionate burden on smaller business in regards to compliance. For organisations, the hope is that these proposals will remove the ‘red-tape’ surrounding data protection compliance, but it remains to be seen what material effect these reforms will have on businesses themselves.

These proposals align with those made by the ICO in regards to international data transfers, with the outcome of their newly proposed International Data Transfer Agreement regime still unclear, leaving many organisations in a state of limbo as to what mechanisms they should apply. With the UK still reliant on the adequacy decision in place with the EU for any transfers of personal data between the UK and any EEA countries, it remains to be seen whether these reforms will have struck the appropriate balance between alleviating organisations of the administrative burdens data protection compliance can bring, or whether the UK’s proposed reforms will be viewed by the EU as having diverged too far from the EU GDPR regime and therefore risk the adequacy decision currently in place.

If you’d like to discuss the upcoming changes expected in this area, please contact a member of our data protection team.

This blog post was written by Isaac Bedi.