The Brexit Freedoms Bill: How will it impact the UK-GDPR?
Earlier this year, the UK government announced a new “Brexit Freedoms” bill, which alongside a review of retained EU law, aims to make it easier to change or update any EU laws which have remained in place since the UK left the European Union. In addition to the promise of lighter regulatory burdens and a reduction of red tape for UK businesses, the bill especially highlights a move towards a “pro-growth, trusted data rights regime, more proportionate and less burdensome than the EU’s GDPR”.
While the bill's full text has yet to be released, what we know so far already raises a number of questions; Would a departure from the EU’s GDPR mean additional compliance requirements for international businesses looking to trade within the UK? What would this mean for the rights of UK data subjects? And most pressing, could a reform potentially force a review of the EU’s data adequacy decision?
A review of the UK GDPR
A reform of the UK GDPR - which came into effect after the UK's departure from the European Union and currently aligns with the EU's GDPR - is not a new development. The UK government has been considering a review of the UK GDPR since at least early 2019 and in September 2021, the Department for Digital, Culture, Media & Sport released "Data: A new direction", a set of proposed reforms to the UK's data protection laws.
Among the proposed reforms, the report called for a number of changes to the UK GDPR including:
The removal of the existing requirement to appoint a data protection officer.
This would be replaced by the requirement for businesses and organisations to appoint a suitable individual(s) to oversee any internal data protection activities or requirements, continuing to place the responsibility on businesses to ensure they meet compliance against any new data protection legislation.
Organisations processing data likely to result in "high-risk" will be likely to require the appointment data protection officer to demonstrate compliance.
The removal of record-keeping requirements under article 30 of the UK-GDPR.
Under the UK GDPR, organisations are required to maintain comprehensive records of their data processing activities, including but not limited to, the types of personal data being processed, any third-party companies or countries with which this data may be shared and for how long this data is stored.
While businesses may breathe a sigh of relief over this reduction in paperwork, the report states that organisations will continue to be required to keep records of how personal data is being processed. The new proposed changes aim to put in place "more flexibility about how to do this in a way that reflects the volume and sensitivity of the personal information they handle".
A change in the threshold for reporting data branches to the ICO.
Currently, any data breach likely to result in the risk to an individual's rights and freedoms must be reported to the ICO within 72 hours of discovery. If a data breach is not reported to the ICO, this decision must be recorded and justified.
While the report does not specify what a change in the threshold would look like, it states that the penalties for non-reporting will continue to carry the maximum fine of £8.7M or 2% of global annual turnover - whichever is greater.
The report also includes proposals to review the current requirements around Analytics cookies and cookie banners, soft-opt in for marketing purposes and the potential implementation of a nominal fee for subject access requests. While the roll-back of some of these requirements would remove some of the pressures the UK GDPR places on businesses when it comes to compliance, it stands to be seen whether these changes will be enough to convince the EU that the UK can provide an adequate level of data protection for businesses operating across both regions.
The future of data flows between the UK and EU
One of the key concerns when it comes to a potential review of the UK GDPR is the impact this could have on the adequacy decision ensuring the free flow of data between the UK and EU.
Under the GDPR, data can flow freely between countries within the European Economic Area (EEA) provided that each country has been assessed by the European Commission as providing an adequate level of data protection. This "adequate" level of data protection may be called into question if the UK GDPR is amended in a way that falls short of the EU's expectations. On this the ICO has stated that it will continue to "work closely with the EU data protection authorities to ensure that any amendments to the UK GDPR maintain our adequacy status", but it remains to be seen how this will play out in practice.
While these reforms to the UK GDPR represent a change from current regulation as it stands, they do not mean a departure from a commitment to data privacy and protection. Businesses processing data from individuals outside of the UK are now subject to a number of growing global data compliance regulations. Within the UK, these changes underline the importance of an adequate data protection regime and its need to be reviewed to take into account the impact compliance regulation often has on smaller businesses.
Naq will continue to be your trusted partner in ensuring you comply with data protection legislation, no matter how often they change. To receive updates on the latest data protection news or to find out more about Naq's services, sign up to our newsletter, or click here to get in touch with our team.