The U.K. government last month announced plans to reform the country’s data privacy laws, with the key driver being to simplify procedures for businesses and reduce “red tape.”
According to a press release issued by the government on June 17, the Data Reform Bill will put more emphasis on results than on compliance with the letter of the law in order to give businesses "more flexibility" and lessen unnecessary burdens. To ensure they are responsible for how they process personal data, organizations will no longer be required to have a dedicated data protection officer (DPO), but they will still need to have a privacy management program in place.
Data protection impact assessments will no longer be required, nor will conducting and keeping a record of processing activities. Personal data inventories will take their place; these will list where personal data is stored, the purpose for which it was collected, and how sensitive it is, though not necessarily in a predetermined format.
Organizations with a low risk of data privacy violations will be able to operate without filling out "unnecessary" forms because regulatory attention will be concentrated on the areas where there is a greater risk of harm.
Other key changes include:
1. Eliminating cookie banners and giving users more control over how their data is collected and used online generally, for example through their web browser settings;
2. Streamlining the legal requirements for obtaining permission to use personal data for scientific and medical research;
3. Raising the current maximum penalty for nuisance calls from £500,000 (U.S. $599,000) to match the GDPR's maximum of £17.5 million (U.S. $21 million), or 4% of global revenue;
4. Modernizing the structure of the Information Commissioner's Office (ICO) by establishing a chair, chief executive, and board;
5. Modifying the U.K. GDPR framework to clarify the obligations and goals of the ICO; and
6. Establishing an International Data Transfer Expert Council to assist the U.K. in the development of novel data-driven technologies and to offer guidance on data adequacy agreements with third countries.
According to legal experts, the proposed reforms will not significantly alter the current data privacy landscape, so businesses that already comply with the U.K. GDPR should not be subject to any new requirements.
"An agile, pragmatic, proportionate approach to how information is stored and managed is welcome," said Isabel Simpson, global data protection lead for KPMG Law. She continued, "It is right to have controls in place that are appropriate for the size and type of organization, rather than a blanket approach."
The U.K.'s approach to adequacy determinations, according to Fred Saugman, senior associate with WilmerHale's U.K. white collar defense and investigations team, "suggests a potential loosening of the standards and could result in the first significant difference between the EU and U.K. regimes."
Such a divergence "may put any future adequacy decision at risk and therefore make transferring personal data outside the U.K. very complex and burdensome," according to Lillian Tsang, senior data protection and privacy solicitor at law firm Harper James.
Tsang added that a "sunset clause" in the EU-U.K. data adequacy decision served to safeguard the European Union from future United Kingdom deviations from the GDPR. According to this clause, adequacy is only valid for a period of four years and may only be extended if the United Kingdom maintains an adequate level of data protection.
The European Commission has made it clear that it will continue to keep an eye on the United Kingdom's compliance during this time and may take action at any time.
In fact, concerns over a potential break with the EU may lead businesses with operations there to keep following the EU GDPR in order to feel more secure.
The proposed changes to U.K. law "carry risks that are unlikely to be adopted by businesses which are also subject to EU law," said Emily Cox, partner and head of media disputes at law firm Stewarts.
The lack of a DPO "puts the U.K. at a loss," according to Darren Wray, head of data protection solutions at IT company Donnelly Financial Solutions, because "in other countries, the role of DPO is recognized and requires qualification and certification."
He also questioned the reforms' desire to weaken data protection, particularly in the case of highly sensitive personal information like medical records.
A loosening of the laws to allow the "legitimate" use of personal data for purposes other than those for which it was originally collected, Wray warned, "could become a free-for-all, with organizations deeming all purposes to be legitimate."
The ICO changes could be "potentially significant," according to Ryan Gracey, partner at the law firm Gordons, if the European Union thinks the regulator is not sufficiently independent from the British government. This is especially true if the U.K. GDPR diverges further or if the U.K. attempts to reach data adequacy agreements with nations that the European Commission does not believe provide comparable levels of data protection.
By Flexi Team