On September 10, the UK Government launched its consultation on a national data reform that aims to drive innovation and economic growth through the trusted use of data in the UK. The reforms have been outlined as part of the UK’s National Data Strategy published in 2020 and, according to the Department for Digital, Culture, Media & Sport’s (DCMS) press release, look to simplify data use in the development of AI and similar technologies as well as lessening the burdens on UK businesses and promoting the free and responsible flow of personal data. The proposals also include the introduction of tougher penalties for nuisance calls and a “common sense” approach to data use.

In addition to the launch of the consultation of data reforms, the DCMS also announced the appointment of new members to the Centre for Data Ethics and Innovation (CDEI) advisory board. The CDEI will continue to assist organizations with developing trustworthy approaches to data and AI governance as well as focusing on reducing barriers to innovation. Moving forward, the CDEI will have a focus on responsible use and sharing of data for the benefit of the public, developing an AI assurance ecosystem in the UK, and supporting AI projects in the public sector.

What Are the Aims of the UK Data Reform Proposals?

The proposed UK data reforms include a move away from a “one-size-fits-all” model for compliance with the UK General Data Protection Regulation and the Data Protection Act 2018 and makes an effort to reduce the burden on smaller organizations. Organizations will be subject to a standard of compliance that is more appropriate to their level of operations while maintaining a high level of data protection. The consultation also includes a push from the DCMS to simplify international data flows to and from the UK to support global trade and supply chains.

The consultation paper is made up of five chapters:

  • Reducing barriers to responsible innovation
  • Reducing burdens on businesses and delivering better outcomes for people
  • Boosting trade and reducing barriers to data flows
  • Delivering better public services
  • Reform of the Information Commissioner’s Office (ICO)

Speaking on the reforms, Oliver Dowden, Digital Secretary, said, “Data is one of the most important resources in the world and we want our laws to be based on common sense, not box-ticking. […] These reforms will keep people’s data safe and secure, while ushering in a new golden age of growth and innovation right across the UK, as we build back better from the pandemic.”

What Would the Data Reforms Mean for my Organization?

The proposals set out by the DCMS include the removal of several requirements to help minimize the operational burden on organizations and move towards a risk-based privacy management program framework. The proposals include:

  • Removing existing requirements to appoint a data protection officer
  • Removing the requirement for organizations to undertake data protection impact assessments
  • Removing record keeping requirements under Article 30
  • Changing the threshold for reporting a data breach
  • Introducing a voluntary undertakings process, similar to Singapore’s Active Enforcement regime
  • Introducing a fee regime for access requests to personal data held by all data controllers

It is highlighted that despite the proposed removal of these requirements, areas such as DPIAs and record-keeping requirements would fall under the new risk-based privacy management program framework in an attempt to streamline compliance efforts.

What do the Proposals say About Cookies and Similar Technologies?

The proposals also look to amend consent requirements for cookies and similar technologies to resolve the issues of the collection of audience measurement data and consumer complaints relating to the volume of cookie banners. The proposals offer two options: permitting organizations to use analytics cookies and similar technologies without the user’s consent; permitting organizations to store information on, or collect information from, a user’s device without their consent for other limited purposes.

In addition to this, the DMCS has not ruled out the possibility of removing cookie banners altogether and placing reasonability on data fiduciaries or other trusted third parties to manage an individual’s consent preferences.

Will International Data Transfers Change?

International data transfers make up a key area of the proposals. One of the main aims for the UK government is to continue to promote international trade by striking new partnerships in the form of independent adequacy decisions. The DCMS highlights that transferring data to and from the UK has been made more difficult in light of the developments following the Schrems II case and as such will seek to approach adequacy assessments with a focus on risk-based decision-making. The DCMS will consider adequacy decisions for groups of countries or multilateral frameworks such as Convention 108 to maintain a flexible approach to international data flows while upholding a high level of data protection.

How Will the Role of the ICO Change?

The DCMS will look to reform the ICO’s roles and responsibilities by proposing a statutory framework that sets out the strategic objectives and duties of the ICO. However, the ICO will have two new overarching objectives under these proposals: upholding data subject rights; and encouraging trustworthy and responsible data use.

The government has also proposed that the ICO’s existing obligations are extended by instating new duties relating to economic growth and innovation and competition. These duties would not supersede the overarching objectives outlined previously. These proposals have come following the recent announcement that John Edwards is the DCMS’ preferred nominee to replace Elizabeth Denham in the role of the new Information Commissioner.

The proposals set out by the DCMS would be a significant overhaul of the UK’s current data protection regime and, if passed, would give organizations greater flexibility over their compliance programs and greater opportunity for international trade.

The public consultation on reforms to the UK’s data protection regime closes at 11:45 pm on November 19, 2021. Comments can be submitted through the online form or by emailing [email protected]

Further reading on the proposals for UK data reform:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest regulatory developments.