Governments Might Change, but Data Protection Obligations Remain

You might remember that several months and a handful of prime ministers ago, the government proposed an overhaul of data protection law.

The efforts stemmed from complaints over the GDPR (General Data Protection Regulation), which was adopted by the UK on the precipice of Brexit. Its critics, led by Boris Johnson, said that the requirements were too strict and forced organisations to create excessive amounts of documentation.

Under Johnson’s premiership, the government looked to replace the GDPR with a new set of requirements that were published in the official briefing notes for the 2022 Queen’s Speech.

The notes claimed that the Data Reform Bill would “take advantage of the benefits of Brexit to create a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework”.

The Bill also promised to “create over £1 billion in business savings over ten years by reducing burdens on businesses of all sizes”.

In late July, the DCMS (Department for Digital, Culture, Media & Sport), under Nadine Dorries, introduced the Bill, by then called the Data Protection and Digital Information Bill, to parliament.

However, progress stalled after Boris Johnson resigned. Liz Truss’s subsequent government introduced a new set of plans, but these too came to a halt after she stepped down.

With Rishi Sunak – another critic of the GDPR – taking over as prime minister, we may yet see a third version of the government’s plans. But that doesn’t mean organisations can say goodbye to the GDPR.

How did we get here?

The UK’s relationship with the GDPR has been uneasy to say the least. The Regulation was adopted in 2016, when the UK was part of the European Union, but by the time it came into force two years later, the Brexit process was underway.

A major contributing factor in the UK leaving the EU was the promise that the country would be free from EU bureaucracy and regulations such as the GDPR. However, scrapping the Regulation immediately simply wasn’t feasible.

Organisations had spent significant time and effort implementing the GDPR’s requirements, and it was clear that previous data protection legislation – in the form of the DPA (Data Protection Act) 1998 (itself implementing an EU directive) – was no longer suitable.

As a result, UK organisations have been balancing the requirements of three different laws since the Brexit transition period ended on 31 December 2020: the DPA 2018 (the UK law that replaced the DPA 1998), the UK GDPR (the UK’s post-Brexit version of the EU GDPR) and – for organisations processing EU residents’ personal data – the EU GDPR.

Having to meet multiple sets of requirements is the antithesis of what Brexit promised to deliver. Critics of the GDPR, including the Johnson government, claimed the rules provided little benefit to citizens.

However, not everyone felt the same way. DCMS’s UK Business Data Survey 2021 found that a “substantial proportion” of respondents felt “there had been benefits to their business” from the GDPR and DPA 2018, and only a quarter of respondents reported seeing no benefits.

It was therefore unclear how much support the Data Protection and Digital Information Bill would receive as it moved through parliament. Furthermore, its second reading on 5 September was cancelled following Boris Johnson’s resignation, as the Conservatives turned their attention to finding a new leader.

What next for the reform?

After the appointment of Liz Truss, data protection reform re-entered the agenda. In a speech at the Conservative Party Conference in October, Michelle Donelan, the new Secretary of State for DCMS, reiterated the government’s plans.

She described the GDPR as a “regulatory minefield” that “shackled” businesses with “unnecessary red tape” and “clunky bureaucracy”.

Donelan then announced another new approach to data protection law – distinct from both the GDPR and Dorries’ proposal – that would “protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely” and “be simpler and clearer for businesses to navigate”.

However, she provided few specific details about how it would achieve this beyond moving away from a one-size-fits-all data protection law and introducing less onerous data protection obligations for SMEs – dubbed ‘GDPR-lite’ by some commentators.

Since the conference, Truss has been replaced by Rishi Sunak. Although Donelan has retained her position as Secretary of State for Digital, Culture, Media and Sport, it’s unclear whether her proposal will remain or if the government will reconsider its plans.

Sunak has previously voiced his support for scrapping the GDPR. In the leadership election to replace Boris Johnson, Sunak promised to “remove the burdens of GDPR, creating in its place the most dynamic data protection regime in the world”.

He added: “The EU’s Byzantine rules are preventing British tech companies from innovating and public services from sharing data to prevent crime. As any internet user can see, GDPR – with all its bureaucratic box-ticking – is clearly not working and needs to be replaced.”

However, with a turbulent economic situation to navigate, it’s possible that data protection reform will take a backseat.

What might data protection reform look like?

It’s not clear what the current government’s plans are, but any new version of the Bill will almost certainly be similar to the original version introduced by Nadine Dorries.

That proposal contained several key differences from the GDPR:

  • The definition of personal data

Whereas the GDPR defines personal data as “any information relating to an identified or identifiable natural person”, the Bill restricted the scope of personal data.

Under its rules, information would only be considered personal data if a living individual was made identifiable by a controller or processor “by reasonable means” at the time of processing, and identifiable “by reasonable means” by anyone else who “the controller or processor knows, or ought reasonably to know”, “will, or is likely to, obtain” the information as a result of the controller or processor’s processing.

  • Data subject access requests

The Bill amended the requirement to fulfil data subject access requests, enabling organisations to refuse them when they are “vexatious or excessive”, rather than if they are “manifestly unfounded or excessive”, as stipulated by the GDPR.

  • UK representatives and data protection officers

The Bill removed the requirement for UK representatives for controllers outside the UK.

It also proposed removing the need for DPOs (data protection officers), replacing them with responsible individuals who are “part of the organisation’s senior management”.

Given that DPOs under the GDPR must be independent – indeed, the Regulation allows organisations to outsource the role to avoid any conflict of interest – this is one of the most significant divergences from the GDPR.

That said, the Bill does stipulate that the “controller or processor must not dismiss or penalise its senior responsible individual for performing [their] tasks”.

In practical terms, this might mean that organisations that are also bound by the EU GDPR will need a senior responsible individual and an outsourced EU GDPR-compliant DPO essentially performing the same tasks.

  • International data transfers

Schedule 5 of the Bill set out a risk-based approach to international transfers of personal data, aiming to make it easier for the government to issue adequacy decisions if the third country or international organisation meets the requirements of a “data protection test”, and “the standard of the protection” it provides for personal data “is not materially lower” than that afforded by the UK’s data protection laws.

There were also further provisions relating to international transfers that rely on “appropriate safeguards”, such as standard contractual clauses.

What should organisations be doing?

Despite the protracted talk of data protection reform, we’re no closer to a solution than we were when the Bill was introduced.

Given recent circumstances, no one can be sure what will happen next. It’s possible that Sunak’s government will deprioritise data protection reform as it focuses on tackling the economic crisis and instability within the party – particularly as the plan does not have overwhelming support.

Even if the government presses ahead, it will take time for the new rules to be finalised and longer still for them to take effect.

That said, Sunak is clearly in favour of scrapping the GDPR, and it’s one of the few things that each of the last three prime ministers has agreed upon.

But until then, the GDPR and the DPA 2018 remain intact.

Organisations therefore cannot become complacent with their compliance requirements. Failure to implement appropriate measures could result in severe fines. Although they aren’t as back-breaking as was feared when the GDPR took effect – with the maximum penalties reserved only for extreme cases – even comparatively moderate penalties can cause major problems.

With at least 429 GDPR fines issued last year, it’s clear that many organisations are still overlooking the importance of compliance.

If you’re concerned about your organisation’s data protection practices, now is the time to act. IT Governance can help, whether you need practical advice to achieve compliance or are looking for additional tools to bolster your compliance posture.

Our all-in-one solutions can help you achieve and maintain GDPR compliance, while cutting your implementation costs.