New data protection laws remove “unnecessary” GDPR burdens on UK businesses, says UK government

The UK government has unveiled new laws which it claimed will strengthen the nation’s data protection standards and reduce compliance burdens on businesses. The announcement comes at the close of London Tech Week and outlines the government’s response to a consultation to harness the power of data to help British businesses trade abroad, boost the UK’s position as a science and technology superpower, and improve people’s everyday lives. The new laws include plans to modernise the UK’s data regulator the Information Commissioner’s Office (ICO) so it can better help businesses comply with data protection requirements whilst introducing tougher powers to crack down on nuisance calls, texts, and other data serious data breaches.

Data Reform Bill reduces unnecessary GDPR burdens on businesses

The UK government stated that a lack of clarity surrounding complex General Data Protection Regulation (GDPR) requirements has led businesses to an overreliance on “box-ticking” to seek consent from individuals to process their personal data to avoid non-compliance. However, the GDPR’s one-size-fits-all approach puts disproportionate burdens on small businesses including start-ups and scaleups, it added.

The new Data Reform Bill will remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks – including the need for certain organisations, such as small businesses, to have a data protection officer (DPO) and to undertake lengthy impact assessments. “It means a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low,” the government wrote.

Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data and the same high data protection standards will remain, but organisations will have more flexibility to determine how they meet these standards, it added.

Digital Secretary Nadine Dorries commented, “Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society but retains our global gold standard for data protection. Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers, and civil society from being held back by a lack of clarity and cumbersome EU legislation.”

Reforms to modernise the ICO, introduce higher fines

The Data Reform Bill also seeks to modernise the ICO, introducing a new chair, chief executive, and a board to ensure it remains an internationally renowned regulator, the government stated. “The change will introduce a wider set of skills to support robust decision-making and broaden the legal responsibility underpinning the ICO’s work, which currently sits solely with the role of Information Commissioner. The ICO will have new objectives which will give Parliament and the public better ability to hold the regulator to account. Clearer objectives to prioritise its activities against and a more modern governance framework will better equip the ICO to fulfil its role and bring it in line with the best practice of other regulators.”

The reforms will introduce a new way for how the ICO develops statutory codes and guidance, which share best practices for organisations using, sharing, or storing personal data in specific instances, such as protecting children’s data online. “The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament. This will bring the ICO in line with other UK regulators, such as the Electoral Commission and strengthen the accountability of the privacy watchdog when it makes legal rules.”

Furthermore, the ICO will have the power to levy increased fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR), which aim to prevent companies contacting people for marketing purposes without consent.