UK’s new data protection bill “more cosmetic than substantive”, experts warn


New data protection laws marking the UK’s divergence from GDPR have been described as more “cosmetic than substantive” and will provide little tangible benefit for many British businesses, legal experts have warned.

The long-awaited Data Protection and Digital Information Bill, which was introduced – and later paused – in 2022, seeks to move away from the ‘one-size-fits-all’ approach of European data regulation, the government said in a statement today.

According to the government, this new ‘common-sense-led’ approach to data regulation will reduce costs and regulatory burdens placed on organisations in the UK and unlock £4.7 billion in savings for the economy over the next decade.

The improved bill will introduce what the government describes as a “simple, clear, and business-friendly” framework that will take the best elements of GDPR and modify them to provide UK firms with greater flexibility about how they comply with data regulations.

In addition, the new data regime will provide organisations with greater confidence about when they can process personal data and “further reduce” the volume of paperwork required to demonstrate compliance for businesses.

While the announcement has been welcomed by some industry stakeholders, Will Richmond-Coggan, director and data protection law expert at Freeths, told IT Pro that the new regulations are “more cosmetic than substantive” and warned that some businesses may not fully reap the proposed benefits.

“Only those businesses without any international dimension are likely to be well-placed to benefit from any mooted relaxation of the regime,” he said. “Certainly, the cost savings being suggested seem to have very little foundation in reality.”

For businesses with international operations, specifically in the European Union, Richmond-Coggan noted that the new regime could force firms to operate separate compliance programmes that will likely burden them with higher long-term costs.

“Any businesses who operate both in the UK and in the EU will either adopt a uniform approach, which will ultimately be driven by the more stringent rules - wherever they originate - or try to operate separate compliance programmes in different jurisdictions, which will only add to costs,” he said.

“Furthermore, if any divergence results in a disruption to EU-UK data flows – which fortunately looks to be unlikely – this will only serve to increase the compliance burden and associated costs,” he added.

Overhauling “prescriptive” regulations

A key factor in the government’s overhaul of GDPR is that the European-led framework “takes a highly prescriptive, top-down approach” to data protection regulation.

This, the government said, has severely limited UK organisations' flexibility to manage privacy risks and has placed “disproportionate burdens” on businesses since its introduction in 2018.

“Ministers have improved the bill to further cut down on the amount of paperwork organisations need to complete to show compliance,” the government said in a statement today.

“Now, only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms will need to keep processing records. This could include, for example, where organisations are processing large volumes of sensitive data about people’s health.”

“The new rules will give organisations more clarity about when they can process personal data without needing consent or weighing up their own interests in processing the data against an individual’s rights for certain public interest activities.”




Mona Schroedel, technology and privacy expert at Freeths, warned that while the new regulations claim to cut down on cumbersome “red tape” for businesses, the bill appears to be introducing a “reduction in accountability” and could impact consumers.

“This has a two-fold effect,” she explained. “Companies are encouraged to self-regulate and will no doubt be more prone to consider the processing taking place to be below a threshold requiring consent.”

“What is said to be providing organisations with greater confidence in processing is aimed to cut down on cookie popups,” she added.

“While there will undoubtedly be consumers who will not care one way or another, recent data protection legislation has shown there is a large interest from consumers in how their data is being collected online and later used for profit by big organisations.”

Ultimately, what could be perceived as “cutting through red tape” may well lead to organisations finding themselves subject to a far higher volume of data subject access requests to allow subjects to understand what data is being held about them.

“We can foresee that the self-regulation element will cause some consternation with consumers and be tested through the regulator and the courts,” she added. “Thereby creating additional costs and uncertainty as those challenges work their way through.”

Industry support

Despite these concerns, the bill’s announcement has been welcomed by tech industry stakeholders and hailed as a positive step to reduce burdens on organisations processing personal data.

Julian David, chief executive of techUK, said the package of reforms “builds on ambitions to bring organisations clarity and flexibility when using personal data”.

“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services, and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU,” he said.

Chris Combemale, CEO at the Data & Marketing Association (DMA), which collaborated with the government through the bill’s development, said the reforms will support the best interests of both businesses and consumers.

“We are confident that the bill should act as a catalyst for innovation and growth while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy,” he added.

Ross Kelly
News and Analysis Editor
