UK Data Protection Reform – Some relaxation on the horizon?
The UK government begins a move away from what it describes as ‘a clampdown on bureaucracy, red tape and pointless paperwork’.
On June 17 2022, the UK government published its long awaited response to the consultation on the reform of the UK data protection regime. The consultation formed part of the UK’s post-Brexit national data strategy, which gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy.
In its response, the government has indicated which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill due for publication in July.
The government claims that the introduction of the Data Reform Bill will allow for the same high data protection standards, but provide organisations with increased flexibility to determine how they meet these standards.
It says that small businesses will no longer be required to appoint a Data Protection Officer (DPO) or carry out data protection impact assessments (DPIAs).
The Bill also looks to cut down on user consent pop-ups and banners. It plans to introduce an opt-in model and allow users to set their online cookie preferences to opt out via automated means, for example through their internet browser settings.
There are also proposals to simplify the use of legitimate interests as a legal basis for processing personal data by creating a list of legitimate interests for which no legitimate interest assessment would be needed. In addition, the reforms include a proposal to increase the existing substantial public interest grounds for processing special category data which should make processing special category data easier, without the need for explicit consent.
There are also plans to reform the Information Commissioner’s Office (ICO) with a clear framework of objectives and duties, as well as plans to promote research and innovation.
Whilst the government claims the new rules will bring a boost for the economy, others are not convinced. UK based companies will still need to comply with EU data protection laws when they target goods and services to the EU. This will mean that for many organisations , they may find themselves having to deal with a two-track regime. In addition, the reforms will not ease some of the main compliance burdens under the current data protection framework such as the obligations in responding to subject access requests.
Our data protection specialists regularly advise upon compliance with the current legislation and will be closely watching the progress of the Bill. If you have any queries regarding these recent data protection developments or any other data protection issues don’t hesitate to contact our Information Law team below.