What could GDPR reform look like in practice?

In a month that marked the four-year anniversary of the GDPR data protection laws coming into effect, Andy Chesterman, Compliance Director for local firm Privacy Helper, wrote his perspective on what proposed UK government reforms may or may not achieve.

A notable inclusion in the Queen’s Speech earlier this month was the proposed UK Data Reform Bill – the “Brexit Dividend” as the Government have labelled it. The Government claim this Data Reform Bill will reform the UK’s data protection regime, freeing it from the GDPR, which has challenged many organisations since 25th May 2018.

But is the Data Reform Bill really going to release the UK from the GDPR?

At this time, nobody really knows what the UK’s data protection laws will look like off the back of this Bill, but there are warning signs as to the implications of this path.

The Data Reform Bill contains modifications to the Human Rights Act. If these modifications are passed, then the Adequacy decision awarded by the EU during Brexit, which allows the free flow of personal data to and from the UK, may be revoked. This was one of the original risks of a no-deal Brexit and will be costly to UK businesses in many ways. Imagine having to redraft all your contracts to include specific clauses just to send or receive personal data from the EU, because without them the transfer will be unlawful. Some EU companies may be unwilling to work with UK companies until these clauses are in place.

Businesses reliant on trade from the EU, or with supply chains there, will still need to comply with the EU GDPR. As a business, do you continue to comply with the GDPR as the recognised global standard, or double your compliance workload and split your efforts between the UK and EU legislation?

The Information Commissioner’s Office (ICO) would be required to report more to Parliament and become more accountable to it, with Parliament able to overrule its decisions – this would compromise the independence of the regulator and could make rulings for data breaches harder to implement.

If the Consultation White Paper published by the Government in September 2021 is anything to go by, then data protection may take on a more “risk-based” approach based on the size of your business and the type or amount of personal data you process, rather than the one-size-fits-all approach in place now. This could be a positive move, removing some of the compliance burden from small companies, or it could lead to even more uncertainty, with companies unsure of which category they fall into and having to justify their compliance position when challenged by external parties.

In reality, the only businesses that are likely to truly benefit from any changes are micro businesses whose entire operation is UK-based. If you’re not one of these businesses, then our recommendation is that it’s business as usual – the GDPR remains the global standard in data protection and is here to stay.

To learn more about Privacy Helper and their work in the data protection field, visit their website at www.privacyhelper.co.uk