A shift in the UK’s approach to data protection is underway, with the finished product potentially representing a huge benefit for small and medium-sized businesses (SMBs).
The changes come in the form of the Data Protection and Digital Information (DPDI) Bill, which experts say would significantly alter existing data protection law when it comes into law next year.
This draft update to the existing UK data protection framework – currently based on the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 – aims to remove “red tape” associated with current laws. With lawmakers still devising the DPDI Bill, much remains to be determined, but the regulations could significantly lighten the load by making compliance easier and less costly.
How will the DPDI Bill differ from GDPR and the DPA 2018?
As law firm Pinsent Masons notes, the proposals in the latest update are similar to those contained in the original DPDI Bill introduced into parliament in July 2022. Among the changes, the paper introduces a more business-friendly approach, says Sarah Pearce, partner at Hunton Andrews Kurth. For example, it introduces a new basis for processing personal data for “recognized legitimate interests”, she says.
This could make things easier because it wouldn’t require a so-called Legitimate Interests Assessment (LIA) – a light-touch risk assessment thought to be good practice under the current laws. Instead, organizations would simply have to demonstrate the data they’re processing is necessary for the relevant purpose, says Pearce.
It also introduces several exemptions from the much-hated cookie consent requirement for situations that pose a low risk to user privacy. At the same time, the Bill proposes to remove the obligation on controllers and processors not established in the UK to appoint a local representative. This is an example of administrative “red tape” being removed under the Bill, says Pearce.
Meanwhile, the role of data protection officer (DPO) currently required will be replaced by a “senior responsible individual”. “A senior responsible individual is only required when an organization processing personal data is a public body or is conducting high-risk processing, and they must be part of your senior management,” Pearce explains.
What are the benefits and drawbacks of the proposed regulations?
The proposed regulation offers multiple advantages. SMBs are expected to see proportionally higher reductions in compliance costs than larger businesses, for example, says Sarah Williamson, partner and head of the commercial and technology team at Boyes Turner. “This is because they will generally have lower levels of data use prior to the reforms – although it does depend upon the nature of the business.”
She says the greatest compliance cost savings will be felt in the professional, scientific, and technological sectors. “This is due to the fact that the reforms are focused on removing barriers to data use for research purposes and artificial intelligence.”
Yet there are proposals that, in practice, could cause difficulties. Williamson cites the example of the removal of the need to have a DPO. “Given the requirement under the EU GDPR for a DPO to be independent, there are questions [as to] whether, for businesses caught by both UK and EU GDPR, the same person could perform both roles. There’s also uncertainty as to whether an external consultant could still fulfill this role.”
The removal of a one-size-fits-all approach to data protection could in some ways be a boon for SMBs. But in its current form, the bill “risks being incredibly confusing and more onerous than the standardized approach”, says Jamie Akhtar, CEO and co-founder of CyberSmart. “Without further guidance and clarity, we risk placing the onus on SMBs to figure out data protection requirements themselves, something that’s simply not feasible for many small businesses.”
At the same time, the regulation could cause issues for firms that operate in both the EU and UK. Alongside aiming to reduce regulatory “red tape”, the Bill’s other objectives are to ensure that data protection and privacy are securely protected and that the UK maintains its EU “data adequacy” status. Yet some commentators feel the government has forgotten that the priority of data protection law is to protect consumers, rather than help businesses, says Williamson.
“Some businesses fear that because of the reforms, the EU may reassess and withdraw the adequacy decision, causing major disruption to firms operating and trading internationally who rely on a free flow of data between the UK and the EU.”
How can SMBs prepare for the DPDI Bill?
There is good news for SMBs: if you’re already GDPR-compliant, there shouldn’t be too much to do. You will automatically comply with the proposed legislation, says Lauren Wills-Dixon, solicitor and data privacy expert at law firm Gordons.
Of course, there could be an impact on organizations operating in both the UK and the EU, says Wills-Dixon. “These will be dual regulated by the UK regime and the EU GDPR which could add some complications and complexities to their privacy and governance frameworks.”
SMBs must keep international data protection in mind when handling their governance, risk and compliance concerns, says Jan Stappers, EU GRC specialist at compliance software firm NAVEX. “No matter the size, firms must generate, process, or collect data in order to operate,” he says.
Taking this into account, he thinks a “solid program” is “a good investment that will pay dividends as it helps foster business growth”.
There’s time to spare and the draft regulation’s text may change. The exact timing before it becomes law is uncertain, but the Bill is expected to become an Act by roughly March 2024. “There will be a third reading before it progresses through the House of Lords, so organizations should not rush to make any changes until legal obligations are clear and finalized,” Wills-Dixon says.
In the meantime, Wills-Dixon thinks it is useful for senior management teams to “note and consider things such as how changes to the DPO function and lighter record-keeping requirements would affect their organization’s structure and their current allocation of roles and responsibilities”.
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.