One final push needed to reap the full benefits of reform to the UK’s data laws

Following an extensive consultative process where the Government received almost 3,000 responses to its Data: a new direction consultation, DCMS has set out its reform to the UK GDPR in detail in the Data Protection and Digital Information Bill.

Consisting of six parts and 113 clauses, the Bill will push ahead with changes outlined in the Government’s response to the Data: a new direction consultation, marking an important evolution of the UK GDPR. The Bill strikes a good balance in retaining the core principles of the GDPR , while better enabling high end data-driven research and innovation and easing the compliance burdens of less data intensive businesses.

Individuals will continue to be able to exercise fundamental data rights, such as the ability to seek human intervention for significant automated decisions made about them, and the right to access details on how their personal data is being used by organisations.

techUK believes the reforms will ensure the UK continues to hold a high global standard of data protection rights and maintain data flows with our key trading partners, including the EU, and could go further in reaping the full benefits of reform for international transfers. The newly coined Information Commission will also be given new responsibilities and enforcement powers to implement the updated regime.

In addition to reform of the UK GDPR, the Bill will introduce a trust framework and register for digital verification services, regulation making powers for Smart Data schemes as well as changes to the governance structure for biometric data.

Enabling data-driven research and innovation

techUK has welcomed changes to the data protection framework which will remove barriers to responsible innovation, including making the test for anonymisation and pseudonymisation a relative one, introducing a statutory definition of “scientific research”, and clarifying when broader consent and further processing of personal data is lawful.

These changes will mark a step change for organisations developing technologies such as digital identity services and artificial intelligence (AI), which will be key for driving economic growth and tackling pressing societal challenges, such as climate change. However, further regulatory guidance will be critical to ensure these changes are well understood by industry.

The Government will also introduce a limited, exhaustive list of legitimate interests no longer requiring a lengthy legal assessment (balancing test), such as crime prevention, the safeguarding of children, and public emergencies, which will empower organisations to clamp down on fraud and develop safer products and services.

We urge Government to seize the full opportunity of this list by adding new items, such as internal research; to support organisations with workplace equality assessments and network security; to enable businesses to better maintain the security and resilience of their systems.

Lastly, techUK supports the Government’s decision to amend Article 22 in ways which will retain its core principles. This will empower organisations to implement automated decision-making in more low-risk scenarios such as personalising services for a user, while setting clear safeguards for decisions with legal or similarly significant effects, such as mortgage approvals. In such cases, individuals will have the ability to contest and seek human intervention on these decisions. This data right will be crucial in the context of AI-driven decision-making, where individuals must be able to alert businesses to any possible biases in their systems.

As the Government also develops plans for future AI Governance, further clarity will be needed on how any new regulation will interact with a revised Article 22.

Reducing burdens on businesses

The Government will remove prescriptive elements of the GDPR for low data-intensive businesses, such as local hairdressers meaning smaller businesses engaging in low-risk data processing, will no longer have to meet the same compliance requirements as companies that process large amounts of complex data. This will allow low-risk firms to absorb responsibilities equivalent with the EU GDPR as they grow and seek to enter new markets, helping prevent double compliance.

For example, the Bill will replace Data Protection Officers with “senior responsible individual(s)”, reduce the amount of record keeping and risk assessments as well as change thresholds around Subject Access Requests (SARs), to ensure this data right is exercised appropriately.

Remaining flexible and future-proof

Throughout the Bill, the Secretary of State will be afforded new regulation making powers, such as the ability to introduce new items to the legitimate interest list, create new Smart Data schemes, or adjust provisions in a limited number of circumstances. techUK welcomes these changes, including clear and robust safeguards such as prior consultation with the regulator and affirmative parliamentary procedures which will ensure these responsibilities are discharged appropriately and that MPs get a say on changes to the law. These powers will enable the data protection framework to remain flexible and future proof, which has been a well-known shortcoming of the current GDPR.

However, further clarity is needed on how powers for the Secretary of State to approve the regulator's statutory codes of practice will work, to ensure Government is not marking its own homework on its data protection responsibilities.

Next steps

This Bill is an important evolution of the GDPR and suggests several measured and balanced changes that will support increased data-driven innovation in the UK. However, as we enter the final stretch, it can still go further to seize the full opportunities for reform. As the Bill enters Parliament, we encourage MPs to look at expanding the legitimate interest list to help organisations improve their security and internal processes, providing additional flexibility around international data transfers to allow the UK to become a hub for global data driven innovation, and broadening the research provisions contained within the Bill, all of which are seen as key prizes.

There are also areas where we have questions; while we welcome the Bill’s ambition to tackle “consent fatigue” around cookies and the volume of nuisance calls, Government must consider how these provisions will work in practice and the potential knock-on impacts they could have on the wider digital landscape, such as competition.

As the Bill moves forward for debate in Parliament, techUK will continue to work closely with Government, MPs, and the regulator for this last push to make the most of this opportunity for reform.

techUK will be calling for...

1. Broadening and further clarification of research provisions to offer organisations certainty when conducting data-driven, commercial R&D;
2. Expansion of the legitimate interest list so organisations can more easily secure their networks and improve their internal systems;
3. Additional flexibility for international data transfers to allow the UK to become a global hub for data driven innovation;
4. Regulatory coherence between data protection legislation and the UK's AI Governance policy;
5. Further consultation on proposals related to opt-out models for cookie consent and new duties for communications providers to tackle nuisance calls under PECR legislation;
6. Clarification on Secretary of State powers particularly the intention for the Secretary of State to approve the regulator's statutory codes of practice.
7. Clarification of how new information standards for health and social care will interact with the draft Standards and Interoperability Strategy. 

Please see here for techUK’s full response to Data: a new direction.

This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.

techUK - Building a Thriving Digital Society

Visit our Digital Society Hub to learn more or to register for regular updates.

techUK is in constant dialogue with Government and policy makers to provide the perspective of the tech industry on a wide range of policy issues. Current policy engagement includes online safety, data protection, competition in digital markets, and online fraud. Get in touch to see how we can support your policy work. Visit our Digital Society Hub and complete the ‘contact us’ form.