What’s Next for the UK After GDPR Replacement Plans Stall?

Several months and a handful of prime ministers ago, the UK government proposed an overhaul of data protection law.

The plans, which were first published in the official notes for the 2022 Queen’s Speech, promised to “take advantage of the benefits of Brexit to create a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework”.

The Data Reform Bill also promised to “create over £1 billion in business savings over ten years by reducing burdens on businesses of all sizes”.

In late July, Nadine Dorries, then Secretary of the DCMS (Department for Digital, Culture, Media & Sport), introduced the Bill, by then called the Data Protection and Digital Information Bill, to parliament.

However, progress stalled after Boris Johnson resigned, and new plans issued under Liz Truss’s premiership were also scrapped after she too stepped down.

With Rishi Sunak – another critic of the GDPR – taking over as prime minister, we may yet see a third version of the government’s plans. But after so much upheaval, how likely is it that these plans will come to pass? And what might they mean for UK businesses?

What is the government proposing?

It’s not clear what the government’s current plans are, but the rhetoric surrounding data protection reform has remained consistent under each of the three previous prime ministers.

It’s therefore likely that if new proposals are made, they won’t deviate significantly from the original plans made by Nadine Dorries, which contained several key differences from the GDPR:

  • The definition of personal data

Whereas the GDPR defines personal data as “any information relating to an identified or identifiable natural person”, the Bill restricted the scope of personal data.

Under its rules, information would only be considered personal data if a living individual was made identifiable by a controller or processor “by reasonable means” at the time of processing, and identifiable “by reasonable means” by anyone else who “the controller or processor knows, or ought reasonably to know”, “will, or is likely to, obtain” the information as a result of the controller or processor’s processing.

  • Data subject access requests

The Bill amended the requirement to fulfil data subject access requests, enabling organisations to refuse them when they are “vexatious or excessive”, rather than if they are “manifestly unfounded or excessive”, as stipulated by the GDPR.

One of the examples of vexatious requests listed in the Bill is “an abuse of process”.

  • UK representatives and data protection officers

The Bill removed the requirement for UK representatives for controllers outside the UK.

It also proposed removing the need for DPOs (data protection officers), replacing them with responsible individuals who are “part of the organisation’s senior management”.

Given that DPOs under the GDPR must be independent – indeed, the Regulation allows organisations to outsource the role to avoid any conflict of interest – this is one of the most significant divergences from the GDPR.

That said, the Bill does stipulate that the “controller or processor must not dismiss or penalise its senior responsible individual for performing [their] tasks”.

In practical terms, this might mean that organisations that are also bound by the EU GDPR will need a senior responsible individual and an outsourced EU GDPR-compliant DPO essentially performing the same tasks.

  • International data transfers

Schedule 5 of the Bill set out a risk-based approach to international transfers of personal data, aiming to make it easier for the government to issue adequacy decisions if the third country or international organisation meets the requirements of a “data protection test”, and “the standard of the protection” they provide personal data “is not materially lower” than that afforded by the UK’s data protection laws.

There were also further provisions relating to international transfers that rely on “appropriate safeguards”, such as standard contractual clauses.

What next?

Speaking at the Conservative Party Conference in October, the incoming Secretary of State for DCMS, Michelle Donelan, expressed a familiar sentiment towards the GDPR and the desire for data protection reform.

She described the Regulation as a “regulatory minefield” that “shackled” businesses with “unnecessary red tape” and “clunky bureaucracy”, before announcing new plans that were distinct from both the GDPR and Nadine Dorries’ proposal.

She said her proposal would “protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely” and “be simpler and clearer for businesses to navigate”.

However, she provided few specific details about how it would achieve this beyond moving away from a one-size-fits-all data protection law and introducing less onerous data protection obligations for SMEs – dubbed ‘GDPR-lite’ by some commentators.

Since the conference, Truss was replaced by Rishi Sunak, although Donelan has retained her position in the cabinet. It’s unclear whether this indicates that Sunak is satisfied with the approach or if the government will reconsider its plans.

Based on Sunak’s comments during the leadership election to replace Boris Johnson, the latter seems more likely. He promised that under his stewardship, the government would “remove the burdens of GDPR, creating in its place the most dynamic data protection regime in the world”.

He added: “The EU’s Byzantine rules are preventing British tech companies from innovating and public services from sharing data to prevent crime. As any internet user can see, GDPR – with all its bureaucratic box-ticking – is clearly not working and needs to be replaced.”

But with the Conservative Party mired in crisis, these plans appear to have taken a back seat. For now, organisations must continue to focus on their existing compliance requirements and avoid complacency.

Everyone is aware of the current economic hardship, and the last thing you need is to suffer a data breach and go through the financial implications that come with that, including the potential for a sizeable GDPR fine.

If you want to avoid the prospect of data protection disaster, it’s imperative that you consider your current practices. A small investment now could save you major problems in the near future.

You can find the support you need to get started with GRCI Law’s Privacy as a Service solution.

We will provide guidance on everything from GDPR compliance monitoring and data breach notification to data privacy management and DSARs (data subject access requests).

With the help of our team of experts, you will be equipped to to prevent costly data breaches and GDPR fines.