One final push needed to reap the full benefits of reform to the UK’s data laws
Following an extensive consultative process where the Government received almost 3,000 responses to its Data: a new direction consultation, DCMS has set out its reform to the UK GDPR in detail in the Data Protection and Digital Information Bill.
Consisting of six parts and 113 clauses, the Bill will push ahead with changes outlined in the Government’s response to the Data: a new direction consultation, marking an important evolution of the UK GDPR. The Bill strikes a good balance in retaining the core principles of the GDPR, while better enabling high-end data-driven research and innovation and easing the compliance burdens of less data-intensive businesses.
Individuals will continue to be able to exercise fundamental data rights, such as the ability to seek human intervention for significant automated decisions made about them, and the right to access details on how their personal data is being used by organisations.
techUK believes the reforms will ensure the UK continues to hold a high global standard of data protection rights and maintain data flows with our key trading partners, including the EU, and could go further in reaping the full benefits of reform for international transfers. The newly coined Information Commission will also be given new responsibilities and enforcement powers to implement the updated regime.
In addition to reform of the UK GDPR, the Bill will introduce a trust framework and register for digital verification services, regulation making powers for Smart Data schemes as well as changes to the governance structure for biometric data.
Enabling data-driven research and innovation
techUK has welcomed changes to the data protection framework which will remove barriers to responsible innovation, including making the test for anonymisation and pseudonymisation a relative one, introducing a statutory definition of “scientific research”, and clarifying when broader consent and further processing of personal data is lawful.
These changes will mark a step change for organisations developing technologies such as digital identity services and artificial intelligence (AI), which will be key for driving economic growth and tackling pressing societal challenges, such as climate change. However, further regulatory guidance will be critical to ensure these changes are well understood by industry.
The Government will also introduce a limited, exhaustive list of legitimate interests no longer requiring a lengthy legal assessment (balancing test), such as crime prevention, the safeguarding of children, and public emergencies, which will empower organisations to clamp down on fraud and develop safer products and services.
We urge Government to seize the full opportunity of this list by adding new items, such as internal research, to support organisations with workplace equality assessments, and network security, to enable businesses to better maintain the security and resilience of their systems.
Lastly, techUK supports the Government’s decision to amend Article 22 in ways which will retain its core principles. This will empower organisations to implement automated decision-making in more low-risk scenarios such as personalising services for a user, while setting clear safeguards for decisions with legal or similarly significant effects, such as mortgage approvals. In such cases, individuals will have the ability to contest and seek human intervention on these decisions. This data right will be crucial in the context of AI-driven decision-making, where individuals must be able to alert businesses to any possible biases in their systems.
As the Government also develops plans for future AI Governance, further clarity will be needed on how any new regulation will interact with a revised Article 22.
Reducing burdens on businesses
The Government will implement “Privacy Management Programmes” (PMPs) to remove prescriptive elements of the GDPR for low data-intensive businesses, such as local hairdressers. Smaller businesses engaging in low-risk data processing will no longer have to meet the same compliance requirements as companies that process large amounts of complex data. This will allow low-risk firms to absorb responsibilities equivalent to the EU GDPR as they grow and seek to enter new markets, helping prevent double compliance.
For example, the Bill will replace Data Protection Officers with “senior responsible individual(s)”, reduce the amount of record keeping and risk assessments as well as change thresholds around Subject Access Requests (SARs), to ensure this data right is exercised appropriately.
Remaining flexible and future-proof
Throughout the Bill, the Secretary of State will be afforded new regulation making powers, such as the ability to introduce new items to the legitimate interest list, create new Smart Data schemes, or adjust provisions in a limited number of circumstances. techUK welcomes these changes, including clear and robust safeguards such as prior consultation with the regulator and affirmative parliamentary procedures which will ensure these responsibilities are discharged appropriately and that MPs get a say on changes to the law. These powers will enable the data protection framework to remain flexible and future-proof, which has been a well-known shortcoming of the current GDPR.
However, further clarity is needed on how powers for the Secretary of State to approve novel and complex regulatory guidance will work in practice, to ensure Government is not marking its own homework on its data protection responsibilities.
This Bill is an important evolution of the GDPR and suggests several measured and balanced changes that will support increased data-driven innovation in the UK. However, as we enter the final stretch, it can still go further to seize the full opportunities for reform. As the Bill enters Parliament, we encourage MPs to look at expanding the legitimate interest list to help organisations improve their security and internal processes, providing additional flexibility around international data transfers to allow the UK to become a hub for global data driven innovation, and broadening the research provisions contained within the Bill, all of which are seen as key prizes.
There are also areas where we have questions; while we welcome the Bill’s ambition to tackle “consent fatigue” around cookies and the volume of nuisance calls, Government must consider how these provisions will work in practice and the potential knock-on impacts they could have on the wider digital landscape, such as competition.
As the Bill moves forward for debate in Parliament, techUK will continue to work closely with Government, MPs, and the regulator for this last push to make the most of this opportunity for reform.
techUK will be calling for...
- Broadening and further clarification of research provisions to offer organisations certainty when conducting data-driven, commercial R&D;
- Expansion of the legitimate interest list so organisations can more easily secure their networks and improve their internal systems;
- Additional flexibility for international data transfers to allow the UK to become a global hub for data driven innovation;
- Regulatory coherence between data protection legislation and the UK's AI Governance policy;
- Further consultation on proposals related to opt-out models for cookie consent and new duties for communications providers to tackle nuisance calls under PECR legislation;
- Clarification on Secretary of State powers, particularly the intention for the Secretary of State to approve novel and complex regulatory guidance;
- Clarification of how new information standards for health and social care will interact with the draft Standards and Interoperability Strategy.
Please see here for techUK’s full response to Data: a new direction.
This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.
Dani joined techUK in October 2021 as Policy Manager for Data.
She formerly worked in Vodafone Group's Public Policy & Public Affairs team as well as the Directorate’s Office, supporting the organisation’s response to the EU Recovery & Resilience facility, covering the allocation of funds and connectivity policy reforms. Dani has also previously worked as a researcher for Digital Catapult, looking at the AR/VR and creative industry.
Dani has a BA in Human, Social & Political Sciences from the University of Cambridge, focussing on Political Philosophy, the History of Political Thought and Gender studies.
As Associate Director for Policy, Neil leads techUK's domestic policy development in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK’s Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies. Neil also acts as a spokesperson for techUK on UK policy in the media and at Parliamentary Committees.
Neil joined techUK in 2019 to lead on techUK’s input and engagement with Government on the UK-EU Brexit trade deal negotiations, as well as leading on economic policy. He has a background in the UK Parliament and in social research and holds a master's degree in Comparative Public Policy from the University of Edinburgh and an undergraduate degree in International Politics from City, University of London.
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy. She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame. A key influencer in driving forward the data agenda in the UK, Sue is co-chair of the UK government's National Data Strategy Forum. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020, Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015, Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy to cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has a BA degree in History and American Studies from Leeds University and a Master's degree in International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.