The EU's General Data Protection Regulation (GDPR) came into effect across the UK in May 2018 and, rightly so, captured the headlines as 2018 progressed with its fines of up to 4% of a company's annual turnover. What you may not have heard is how the UK will reform GDPR after Brexit with the help of the Reform Bill, which is what I'm going to be talking about today.
The proposed bill, officially named the Data Protection and Digital Information Bill but frequently referred to as the ‘Data Reform Bill’ (DRB), had its first reading in the House of Commons in July 2022 and a second was read through in September, but it was then put on hold due to all the changes that the government was going through at the time.
The idea of the reforms is to remove some of the red tape that many smaller businesses find difficult, but experts warn that instead of reducing the red tape they could actually increase it. One concern is that UK businesses with links to an EU economy must comply with two sets of data protection rules instead of dealing with just one.
Even so, the new bill does promise greater flexibility over the use of personal data while reducing the burden of complying with UK data protection laws. The bill is not an extensive overhaul of the UK's data protection laws, but it will look to clarify and adjust them in the hope of giving organisations greater flexibility over the use of personal data. Businesses that already comply with the UK's existing data protection laws won't need to take any further action to comply with the bill. However, some businesses could take advantage of the proposed changes to streamline their data protection compliance in the UK.
For businesses that operate throughout the EU, some benefits of the reforms aimed at reducing the administrative burden of UK data protection compliance will be more limited due to their presence within the EU. Those businesses will still need to, for example, nominate a data protection officer, and will be unable to benefit from the relaxation of certain recordkeeping rules set out below.
The new proposal will look to increase fines for nuisance calls and text messages up to either 4% of turnover or 17.5 million GBP, whichever is more. The reform bill would also look at reducing the number of consent pop-ups on websites.
Businesses will also be required to manage their records and processes only where high-risk data is involved. Regarding how data flows internationally, the bill will use existing transfer mechanisms. Therefore, if they are compliant with current UK data laws.
Importantly, while these are significant and wide-ranging changes, the core principles of the GDPR are unaffected. There will be no significant changes to the data protection principles. Key concepts, such as personal data and the distinction between processors and controllers, remain.
Overall, this is not a new process. Hopefully, it will provide opportunities for businesses to be flexible and have clearer rules within the UK. Given that the last few years have been stormy due to Brexit and the instability it has caused in many areas, many UK businesses may welcome the continuity and stability the Data Reform Bill will offer.
If you need any clarification on GDPR and how your business will fare with the Reform Bill, we would be happy to have a chat with you and see where we can help.