By Ruby Ashby, dispute resolution solicitor at Nelsons
Four years since the General Data Protection Regulation (GDPR) was implemented, statistics from RSM have revealed that 30% of European businesses are still not compliant – so is it time for further fresh legislation?
With the Data Protection and Digital Information Bill (Data Reform Bill) currently at the first stage in its passage through parliament, Ruby Ashby, associate and solicitor at Nelsons’ dispute resolution team, discusses how it will work in practice and whether it will be an improvement on current legislation.
In the Queen’s Speech earlier this year, it was confirmed that the Data Reform Bill would strengthen the UK’s high data protection standards while reducing the burden on businesses. Since then, more information has been released and the Bill has entered its first stage in parliament. But what does the new Bill outline?
The Data Reform Bill: Five factors to consider
- Reducing barriers to responsible innovation
The proposed reforms aim to promote innovation by providing more clarity in relation to the processing of data for scientific research. The Data Reform Bill will simplify the legal requirements around research so that scientists are not impeded from using data to conduct their research.
It will also clearly define the scope of scientific research and give clarity on what scientists need to do to obtain a person’s consent to use their data for research purposes. Under the current rules, scientists can only obtain a person’s consent when they know the specific study they will be using the data for. The Data Reform Bill intends to change this, giving scientists the power to rely on someone’s consent for their data to be used for any research in a certain field.
- Reducing burdens on businesses and delivering better outcomes for people
The government has confirmed that it feels there has been a lack of clarity surrounding the EU GDPR, which has resulted in businesses adopting a one-size-fits-all approach rather than assessing the risk of their actual data processing activities. The Data Reform Bill will focus on reducing the unnecessary burden on businesses, meaning that small businesses will not have to recruit independent Data Protection Officers (DPO) if they can manage the risks effectively themselves. There will therefore be a shift to looking at precisely what data businesses are processing, and the risk involved, rather than one rule for everyone.
- Boosting trade and reducing barriers to data flows
The government intends, through the Data Reform Bill, to create an autonomous framework for international data transfers that reflects the UK’s approach to data protection. The aim of this is to drive forward international commerce, trade, and development.
- Delivering better public services
The government has confirmed that it wants to create a data ecosystem for the public sector that is a collaboration between the public and private sectors across all parts of the UK. The intention behind this is to improve the delivery of government services through better use and sharing of personal data.
- Reform of the Information Commissioner’s Office
The proposed reforms seek to better equip the Information Commissioner’s Office (ICO) in performing its functions as a regulator. The ICO will be modernised to have a chair, chief executive, and a board to make sure it remains an internationally recognised regulator.
The ICO will also have new objectives that will give parliament and the public the power to hold the ICO to account, an improvement upon the current regulations, which do not give the ICO any clear framework of objectives and duties. The intention behind the reform is to create a stronger regulator who can take a risk-based and proactive approach, tackling the highest-risk data processing activities whilst helping other organisations comply with the law from the outset rather than simply telling them what they are doing wrong.
What does this mean?
In June 2022, the government published its response to the consultation on the Data Reform Bill, in which it pledged to go forward with a number of changes to the UK’s post-Brexit data protection framework.
These suggested changes included removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), and introducing a “fee regime” for subject access requests (SARs). All of these are now included, in some form, in the updated Bill that has been introduced to parliament.
However, uncertainties remain, along with doubts as to whether the Bill deviates far enough away from GDPR. It will be interesting to watch the Bill pass through parliament and to see if it will be passed when the government comes back from its summer break in September, as well as to see what further information is released and which questions are answered.