The new U.K. GDPR is finally here. After a brief recess back in September 2022 to allow ministers time to “co-design process with business leaders and data experts,” the Data Protection and Digital Information Bill (previously known as the Data Reform Bill) was unveiled in U.K. parliament yesterday.
It has been described as “easier to understand, easier to comply with… and releases British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy”.
The new UK GDPR bill combines the best elements of GDPR with greater flexibility for U.K. businesses. It focuses on five key areas of reform: legitimate interests, scientific research, reducing compliance for low-risk processing, international transfers, and automated decision-making. With data-driven trade generating 85 percent of the UK’s total service exports and contributing to an estimated £259 billion for the economy in 2021, it’s a significant step to strengthen the U.K. economy post-Brexit.
When data is involved, it’s always complicated. While aiming to drive economic growth is an admirable goal, the legislation appears to push the responsibility of data privacy on organisations themselves. Still, most U.K. businesses will welcome the changes, as the new regulation reduces friction and cost to comply.
Critics of the legislation, including staunch data privacy advocates, believe the bill undermines foundational rights to data privacy. They state it “severely restricts data subjects’ rights, substantially abolishes the right to human review of automated decisions, hollows out the principles of purpose limitation and lawfulness, and transforms the ICO into a government-controlled authority”. Questions have also been raised on whether the new bill will impact the U.K. and EU data adequacy agreement, (the “equivalent” level of data protection to that which exists within the EU). There’s a possibility that the EU will revoke this agreement if they feel the revised U.K. data legislation falls below an acceptable level.
Much like the revision of the EU-U.S Privacy Shield agreement, this could cause confusion and inconsistency with how data is processed and shared by businesses who want to participate in the global market. For example, organisations that are already compliant with the U.K. GDPR (the post-brexit version of the EU GDPR) can continue to use their current mechanism to transfer data internationally without incurring costs to demonstrate compliance with the new rules. However, organisations seeking to be compliant under the new Data Protection and Digital Information Bill will be subject to a different set of standards.
It will take some time to assess the true impact of the new bill; much is speculative at the moment. However, it would serve businesses well to take a proactive approach to how they share, and appropriately protect, sensitive information.
By adopting solutions that allow the simple application of security policies applied directly to the data itself (e.g., who can access the information, for how long, and whether it can be forwarded or downloaded) enables businesses to take full control of their own data and ensure compliance wherever it is shared.
If those same controls can be provided to customers and third parties who have to reciprocate the sharing of sensitive data, even better! It’s a simple and surefire way to create trustworthy commercial relationships and compliant workflows that will drive profitability and growth for years to come.
Contact us to learn more about our partnership opportunities.