The UK government announced on Friday, 17th June 2022, that a new Data Reform Bill would be passed through the House of Commons to be voted on. Follow-up and enforcement dates are yet to be determined.
What is it?
The UK Data Reform Bill is in response to government consultations since September 2021.
- This consultation ran for ten weeks, closing on 19 November 2021.
- The consultation received 2,924 responses, 684 via email and 2,240 via the survey platform.
- Responses were received from the Information Commissioner’s Office and organisations representing a cross-section of the UK economy and society, as well as from overseas organisations.
During the consultation period, the government engaged with various stakeholders, including over 40 roundtables with academia, tech and industry bodies, and consumer rights groups, providing a wide range of views.
The responses detail changes that will be made to current UK Data Protection Law; some responses are still to be considered, and some have not been carried forward.
Details are still to be confirmed. Some of the changes are essentially a renaming of current documentation.
Changes are being made to the independence of the ICO, as well as to how data is transferred to countries without an adequacy rating, the US for example. Although not fully detailed, the responses suggest that adequacy ratings for the US and Australia are likely, among other countries the UK wishes to include.
The EU may decide that the reform does not uphold the same level of protection offered by the EU GDPR and revoke the UK’s adequacy rating. We await further response from the EU on this.
Until the Data Reform Bill is passed, the UK GDPR will remain the law in the UK.
UK Businesses who trade in the EU
If you offer services to the EU, you must abide by the EU GDPR, so you may want to consider adopting the higher standard across the board where applicable.
There are no timelines for the enforcement of the bill. It must be passed through the Commons first.
The government has highlighted the critical benefits to UK businesses as:
- Reducing burdens on business, relaxing prescriptive rules around how a company manages risk.
- Protecting customers from nuisance calls and unnecessary cookies. Fines have been increased for nuisance marketing, and cookies will be opt-out rather than opt-in (consent).
- Modernising the ICO. New objectives and a restructure will be put in place.
- Enabling innovative use of data such as for scientific research purposes. This will likely change how AI is used moving forward.
- Empowering international trade. The UK will likely allow transfers to the US and Australia, which are currently unlawful under the EU GDPR.
The critical changes in detail
Further changes to how a company documents and manages its compliance include:
- A change of name to the Record of Processing Activities (ROPA). A new personal data inventory will be introduced.
- Privacy Management Program. This will allow companies to select the areas that apply to them and manage data more dynamically.
- Small companies will not require DPOs. It is yet to be defined how larger companies will be impacted. This is essentially a name change as the reform details the requirement for a privacy program to be implemented. Remember that you will need a DPO, in certain circumstances, if you trade in the EU to satisfy the EU GDPR.
- Analytics cookies will be allowed, and users can opt-out rather than needing to opt-in every time they visit a website.
- It is likely that cookie banners will not be required on UK websites.
- DPIAs will be renamed Risk Assessments. There is no significant change here as DPIAs are designed to reduce and mitigate risk.
- Fines. The limit for an electronic fine under the Privacy and Electronic Communications Regulations (PECR) is currently £500k; this will increase to be in line with the maximum GDPR fines.
- PECR governs nuisance marketing and calls, and so whilst the cookie news is good, this will be interesting for marketing in general as the ICO will be under scrutiny to enforce the new Reform Bill.
- Complaints to the ICO are likely to be investigated more seriously.
The UK Data Reform Bill will be passed through the Commons and voted upon. The Bill will likely become law for a while before it is enforceable. For now, no changes are required. The GDPR was law in 2016 but was enforced in 2018.
Some UK businesses will take the opportunity to act upon certain parts of the bill now. For example, a company may decide to scrap cookie banners and cookie consent for its UK websites. The risk will be lower, given that a new law on this practice will be passed. However, you are urged to consider the risks of making changes ahead of any change in the law.
If you are a UK-based business looking to understand the implications of the UK Data Reform Bill and how the changes will affect your current compliance with the GDPR, we can help you. At Palladium, we have assisted numerous companies in being compliant with the GDPR and will be assisting many more in building a compliance framework that complies with both the GDPR and the UK Data Reform Bill. As more and more complex regulations are introduced across the globe, it is vital that you have considered the laws of all of the countries you trade in.
If you have any questions, or would like to discuss in further detail - please get in touch to speak to Tony Marshall, our resident data compliance expert.
Palladium is an award-winning digital and technology due diligence provider and digital transformation partner to Private Equity firms and their portfolios across Europe and the US - providing advisory services throughout the transaction lifecycle. Palladium was named Gold and Overall Winner at the International Digital Experience Awards 2021.
Discover Palladium’s full range of capabilities in our latest case studies.