UK GDPR - A New Era for Data Protection
The United Kingdom's data protections journey
Authors
Antony Desmond
14 May 2023
The United Kingdom's journey with data protection has taken a significant turn with the introduction of the Data Protection and Digital Information Bill (No. 2), otherwise known as the new UK GDPR. This landmark legislation plays a crucial role in the UK's post-Brexit strategy to distance itself from stringent EU laws and foster a more competitive, innovation-friendly environment.
The Reformed UK GDPR - An Overview
The reformed UK GDPR, rather than presenting a radical overhaul of the existing data protection landscape, provides crucial clarifications aimed at offering more certainty to businesses and other organisations in particular situations. This approach maintains the balance between the need for reform and the importance of keeping the UK’s data protection “adequacy” status, ensuring uninterrupted data flow between the EU and the UK.
Notably, the reforms aim to reduce the administrative burdens on organisations, change the rules about automated decision-making, and significantly increase the maximum level of fines for nuisance calls and messages.
Impact on European Companies
European companies must stay informed about these changes as they affect the cross-border flow of data. Especially since the Data Protection Bill demonstrates the UK's intent to retain its data protection "adequacy" status, which allows a seamless movement of data between the EU and the UK.
However, if the UK deviates too significantly from the EU standard, it could jeopardise this status, potentially disrupting data transfer processes and increasing compliance costs for European businesses operating in the UK.
Understanding the Changes
Understanding the Changes
Some of the most impactful changes in the Bill relate to automated decision-making. The new UK GDPR aims to make it easier for businesses to use automated decision-making in low-risk scenarios. For instance, personalising a user's experience would not require significant human intervention. At the same time, it provides safeguards for situations where automated decisions could significantly affect individuals, such as in recruitment processes.
One of the most notable developments introduced by the Bill is the increase of maximum fines for nuisance calls and messages from £500,000 to a staggering £17.5 million or 4% of global annual turnover, whichever is higher. This development will likely sharpen marketing teams' focus on compliance with the UK direct marketing rules.
What Companies Need to Be Aware Of
This new legislation carries implications that businesses, especially those operating internationally, must be aware of. Larger, international businesses that run their global data privacy compliance programs in a standardised way may find little benefit in these developments. Instead, they may see it as another change to tackle in the ever-evolving international data privacy landscape.
However, the proposed reduction in administrative burdens, such as the requirement for record keeping and appointing a data protection officer, is likely to benefit smaller, UK-focussed businesses. These businesses will appreciate the additional clarity about personal data processing circumstances and the reduced compliance costs compared to the old EU GDPR.
One potential boon for businesses is the proposed changes to cut down on the number of cookie banners online. This change will likely please not just individuals fed up with constant pop-ups seeking their consent, but also businesses that grapple with configuring their cookie banners for users in different countries to comply with local requirements.
The Future of Data Protection
The Bill also lays the groundwork for the UK Government to recognise more countries as offering an "adequate" level of data protection, making it easier for businesses to transfer personal data to these countries. This is particularly relevant in post-Brexit trade deal negotiations.
However, challenges remain. The most significant issue is to facilitate easier data transfers from the UK to international jurisdictions, such as the USA, India, and China, without jeopardising the UK’s ability to conduct data transfers with the EU.
The new UK GDPR is an integral part of the UK's post-Brexit narrative. Its impact
Want to stay compliant? Download our checklist here
