The Queen’s speech on 10th May 2022 confirmed the Government’s intention to reform the UK’s Data Protection Legislation. This presents quite significant changes for individuals as well as businesses, as Christine Caffrey explains.
Brexit and UK GDPR
Since 2018, the UK has adopted the GDPR from the EU, implemented in UK law by the Data Protection Act 2018. Following Brexit, the UK is working with a retained version of these laws, now referred to domestically as the ‘UK GDPR’, which is at present virtually identical to its EU counterpart.
Whilst retaining the GDPR in this way helped ensure the UK was successful in securing an adequacy decision from the EU on 28 June 2021, it was always envisaged that the UK would look to diverge from the EU GDPR more significantly post-Brexit. The Government have now committed to dealing with this during the present Parliamentary term by way of the Data Reform Bill.
At this stage, the exact mechanics of the new Bill are not known; however, the general premise is expected to include measures that are less prescriptive, with a view to removing some of the more onerous data protection obligations UK businesses currently face. It is hoped that this will allow businesses to take a more risk-based approach to their own data protection measures, proportionate to their individual business needs and resources, with a move away from the ‘one-size-fits-all’ model.
What does the data reform mean for individuals?
The impact on individuals may also be significant, with talk of introducing fees payable for Data Subject Access Requests (DSARs), which are currently rarely charged for. We are also awaiting significant reform in the area of cookies and the level of consents required in the context of online marketing and website use.
Whilst the Government may have grand plans post-Brexit, they will need to be careful not to diverge too far from the status quo. This is not least because of the potential to cause businesses across the UK additional work in trying to understand and conform to new measures (particularly given the GDPR changes are less than 5 years old). More crucially, they will need to ensure that the UK does not lose its recently acquired adequacy decision from the EU. The EU are due to review the decision in 2024 but have said they will bring this date forward if it looks as though the UK changes are a significant divergence from existing measures.