UK Data Protection Regime Braced for Change

In June 2021 the European Commission adopted adequacy decisions for the UK in which it acknowledged that the current UK data protection framework comprising UK GDPR (which effectively mirrors EU GDPR) and the Data Protection Act 2018 offers essentially equivalent levels of protection to personal data to those guaranteed under EU Law. As a result, data can continue to flow freely from the EEA to the UK without the need for organisations to put in place additional safeguards.

However, the UK adequacy decisions contain a ‘sunset clause’ which provides that the adequacy decisions will automatically expire four years after becoming effective, with an option to renew if the UK’s law and practice continue to ensure an adequate level of data protection. The European Commission also retains the right to intervene if the UK does not meet the level of data protection currently in place, and the Commission has indicated that it will continuously monitor how the UK privacy and data protection framework develops in the future.

A new direction?

Fast forward three months and with the dust barely settled on the UK adequacy decisions, the Department for Digital Culture Media and Sport (DCMS) has launched a public consultation on reforms to the UK’s data protection regime. The aim of the reform is to create “an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.”

The proposed reforms are wide ranging and include:

• Removal of the existing requirements for organisations to appoint Data Protection Officers (DPOs), conduct Data Protection Impact Assessments (DPIA) and prepare Records of Processing Activities (RoPA);
• Creation of a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test in order to allow them to process personal data without relying upon consent;
• Introduction of a fee regime similar to Freedom of Information Requests for access to personal data in order to reduce the burden on data controllers of responding to Subject Access Requests;
• Increased threshold for reporting personal data breaches to the ICO to address over-reporting; and
• Requirement for an individual to attempt to resolve their complaint directly with the organisation before lodging a complaint with the ICO.

It appears that post-Brexit the UK intends to take a more flexible, risk-based approach to data protection aimed at reducing the compliance requirements for organisations. However, should the UK diverge significantly from the EU data protection framework there is a risk that the UK’s adequacy status could be jeopardised which would create added cost and administrative burdens for organisations with cross border flows.

The consultation runs until 19 November 2021 and can be accessed here.

If you would like any further information or advice on these issues please contact Laura Cunningham from the Commercial team.

*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.