
New UK GDPR Draft Greatly Reduces Business Compliance Requirements

The UK GDPR replacement continues to develop in a pro-business direction that reduces privacy protections, something that prominent government figures have been signaling since the country committed to breaking from the EU.

The second draft proposal calls for fewer record-keeping requirements for the country’s businesses along with less oversight, and would also reduce the ability of the Information Commissioner’s Office (ICO) to act quickly and decisively when data breaches or other violations occur. The actual impact would be hard to measure, however, as UK businesses that continue to pass data to and from Europe may simply remain committed to the stronger EU GDPR rules for the sake of streamlining and simplicity.

New UK GDPR draft signals government commitment to reducing “business burden” at expense of personal protections

A press release from the Department of Science, Innovation and Technology (DSIT) framed the new UK GDPR draft as a “common sense” reduction of “pointless paperwork” that would save billions of dollars annually. Privacy advocates point to reduced standards from those that data subjects enjoyed under the EU GDPR terms.

The revised UK GDPR does not go as far as some lawmakers suggested when development of the draft was paused in October, when there were some calls to replace the current regulation (largely copied from the EU GDPR) entirely. But it does hew to government promises that the reduction of “red tape” would be a central focus, potentially at the expense of some user privacy.

The Data Protection and Digital Information (No. 2) Bill would cut down on the types of records that UK businesses are required to keep. This could reduce the ability of data subjects to view, correct and request deletion of certain information; it would also likely make data breach reports less comprehensive and accurate, as businesses would not be required to keep as close a watch on what they lost.

The ICO, the regulator for data breaches and privacy violations, would also be subject to review of its procedures by a new board composed of members appointed by the secretary of state. This has raised the question of possible political interference in what is currently an independent body. This particular element could be a sticking point for keeping the UK GDPR equivalent with its EU counterpart for international data transfer purposes, as independent regulation has proven to be one of the key points in adequacy decisions. The UK is slated for a review of its data transfer status in 2025, but it is possible for the EU to initiate a review before that if it sees indications that the data of its citizens is at risk.

There would also be some expansion to the “legitimate interest” exception that allows businesses to process personal data without asking for consent, adding some “public interest” circumstances that are not already covered by current rules (such as national security and law enforcement). And automated AI-driven decision making may be unshackled somewhat, with more limited circumstances in which a human would be required to intervene and review these decisions.

There are some added protections and benefits for UK citizens in this draft, however, some of which were at least partially carried over from the prior edition. There would be higher fines for the sorts of nuisance texts and calls favored by spammers, new digital ID options would be added and made available for online access to government services, and a broader array of data could be classified as “scientific research” in the public interest for the purposes of facilitating easier access to it by academics.

UK GDPR draft firms up government direction, but details are still up in the air

The release of this UK GDPR draft cements the idea that the government will simply be making tweaks to the existing law, rather than rewriting whole portions of it. Controller and processor requirements and data subject rights remain mostly unchanged, and organizations that are presently GDPR compliant would not be asked to do anything new to remain within the lines of the law, but there is a definite watering down of privacy rights in some areas that is not matched by as much of a strengthening in others.

There is also still some distance to go before the final form of the UK GDPR reveals itself. Parliament will still have to weigh in, revisions will undoubtedly be made, and interest groups are already lining up to push for changes. Privacy and civil society groups oppose the proposal due to its reduction in personal protections, while some trade and technology associations have come forward with statements of praise. DSIT has claimed that the new UK GDPR draft will save the national economy over £4 billion over the coming decade, an estimate that is up from a projected £1 billion in savings in the prior draft.

Dr. Ilia Kolochenko, Founder of ImmuniWeb, falls on the latter side of this debate and articulates its central points: “The proposed bill, more specifically as an underlying purpose of de-complexification, may serve as a laudable example to EU lawmakers. Amid the rapidly growing EU GDPR fatigue, inconsistent enforcement among the EU member states and growing costs of formalistic compliance that merely fosters the tick-a-check-box-and-forget ‘security’, European companies would gain a significant competitive advantage on the global market if the European GDPR goes through a similar set of improvements and simplifications.”

“The current EU cybersecurity regulatory landscape is beginning to verge on overregulation, making it a disservice to both European individuals and businesses. Meanwhile, even more EU-wide legislation on AI, cybersecurity and privacy is coming in 2023-2024 – often promoting hardly compatible values and objectives, thereby making compliance extremely complicated and unnecessarily expensive. If the trend of overregulation persists, we will probably see massive and deliberate non-compliance, as costs and penalties for non-major infringements will likely be much less important than the costs of a holistic implementation of the mushrooming EU cybersecurity regulations and directives,” noted Kolochenko.