The government has made fresh comments confirming its plans to scrap GDPR and instead create a new system of data regulation for the UK based on "common sense".
The new regulation will be 'intensive', said the secretary of state for digital, culture, media and sport (DCMS) Michelle Donelan, who did not offer any specific details about how the regulation may take shape.
“Our plan will protect consumer privacy, and keep their data safe, whilst retaining our data adequacy, so that businesses can trade freely,” said Donelan, who formally announced the move at the Conservative Party Conference, currently taking place in Birmingham.
“Our new data protection plan will focus on growth, on common sense, on helping to prevent losses from cyber attacks and data breaches, while also protecting data privacy.”
Citing the abundance of 'red tape' as a primary goal for enacting the new regulation, Donelan quoted a DCMS survey in which 50% of polled businesses said that the General Data Protection Regulation (GDPR) had led to "excessive caution" amongst their workforce when handling data.
Donelan emphasised that the new system will be co-designed with businesses, and cited the example of countries that have achieved data adequacy without implementing GDPR, such as Israel, Japan, South Korea, Canada and New Zealand.
However, many familiar with GDPR and wider data regulation have already voiced their criticism of the idea, which is being billed as unnecessary.
“I get really annoyed at this,” wrote former Conservative MEP Lord Kirkhope, in a tweet.
“The so-called “EU GDPR” was actually partly written by me and other UK MEPs and is understood and accepted Internationally. It’s [sic] “proportionality” provisions were my idea. Leave it alone!”
Chair of the Standards and Privileges Committee Chris Bryant MP also pointed out that new regulation could end up not only giving data protection officers even more work, but also costing businesses more.
“This is madness,” he tweeted in response to the announcement.
“UK companies will still have to abide by GDPR if they want any online business in the European Union (as other non-EU companies already do). So UK divergence will simply mean UK double costs.”
The government had announced plans earlier in 2022 to replace the UK’s implementation of the GDPR with the Data Reform Bill, which was intended to cut “red tape and pointless paperwork” and decrease the steps needed to use data in scientific research.
Progress on these plans was put on hold as prime minister Liz Truss built her own cabinet this summer. It appears this new legislation will take its place
The UK follows the regulatory framework of the Data Protection Act (DPA) 2018, which ensures that the UK retains data adequacy on the collection, processing, and storage of data and sets out the role of the Information Commissioner’s Office (ICO).
GDPR “slowing innovation” in the Android app market, research claims Why the UK is dragging its feet on regulating big tech General Data Protection Regulation (GDPR)
After January 2021, the UK also implemented its own regulations based on GDPR, known as the UK GDPR, to maintain adequacy whilst making some changes to the rights and obligations around processing personal data that are local to the UK.
The DPA 2018 works in tandem with, and occasionally provides exemptions for, the UK GDPR such as for law enforcement.
This is essential for UK businesses, as it ensures that sufficient data protection policies are enforced, whilst keeping the UK compliant with regulations that let companies continue to trade with and operate in the EU. Without EU-compliant data protection, UK firms could not collect or process EU data.
