In the four years since the General Data Protection Regulation - or GDPR as it’s more commonly known - came in, no one has been able to determine whether it has truly been a success or not. Yes, it’s helped improve data protection rights and brought some firms to justice over irresponsible data management by fining them accordingly, but aside from the couple of firms who truly fell foul, has it really provided the punitive financial deterrent it initially promised?
Its critics have also argued that its burdensome requirements are doing more harm than good. Small businesses appear to be disproportionately hit, having to manage a complex requirement without the expert resource that larger firms can afford to call upon. There’s also the question as to whether it hampers innovation or customer experience. Ensuring people provide clear consent for every possible data point can lead to what feels like the endless box-ticking exercises the GDPR was supposed to remove, causing admin for websites and users alike.
Therefore, there was some interest when the UK government announced its proposed deviation from GDPR, instead pivoting to the Data Reform Bill. Would this bring some light relief to firms, allowing them to operate more flexibly whilst maintaining stringent user data protection rights? Here are our thoughts.
So, what’s changing?
Data-driven trade generated nearly three quarters of the UK’s total service exports in 2019, contributing an estimated £234 billion to the economy that year. Whilst the changes in the Data Reform Bill are aimed at helping UK businesses and making their lives easier, we also can’t overlook the trade angle here, and how lucrative this is. The new reforms may well enable more harmonious trading with key partners such as the US and India, presenting opportunities for UK firms who want to trade outside the EU.
Closer to home, the new legislation promises to remove the red tape implemented via GDPR. For example, it removes the need to hire an independent Data Protection Officer, replacing this with a ‘designated individual’ responsible for a privacy management programme, and replaces DPIAs and ROPAs with more general requirements to identify and minimise data protection risks. It also promises to crack down more effectively on nuisance calls and cookies, helping to reduce consumers’ digital footprints.
Another big change concerns how data is processed in a scientific setting. The changes to consent look to simplify the legal requirements around research so that scientists are not needlessly impeded from using data to innovate and make major breakthroughs.
On the face of it, these changes look favourable for many UK firms. They reduce administrative burden and help the UK export its services more easily. However, the devil remains in the detail, and while these lofty ambitions seem to herald a more flexible future, there could be stumbling blocks along the way.
Watertight or watered down?
Perhaps the most pressing concern relating to the ‘easing of burdens’ is whether this makes the legislation less stringent and actually ends up weakening data protection rights. Whilst there is no doubt that adherence to GDPR can be cumbersome, it’s also designed to make firms act in a coherent manner and bring consistency to a dispersed geographic area.
Adequacy is a huge issue, and one which could significantly impact our trading relationship with the EU moving forward. Deviating from GDPR means potentially being seen to water down requirements from UK firms in terms of data duties, potentially adversely affecting customers in the UK and in Europe. For the time being, the UK is still viewed as an EU member, or treated so during the transition period. However, in 2025, this status is up for review, and if the Data Reform Bill’s changes are deemed to have weakened what’s required of UK firms in terms of due diligence, the UK’s data trading relationship with Europe could deteriorate. Whilst a cessation is hard to fathom, the UK’s relationship with countries such as Australia has already caused ructions, meaning from 2025 firms may be required to jump through extra hoops when dealing with Europe, due to Brexit.
Another issue that we may be faced with is the lack of clarity on the requirement for encryption. Working in financial services, this is a particularly pertinent point. If firms are not obliged to provide encryption, the digital world as we know it will diminish. Confidence in internet shopping will dissipate, and everyday commodities like internet banking will be hampered. Encryption is a vital tool in fighting cybercrime and identity fraud. The Bill as it stands makes no mention of encryption. Quietly sweeping it under the carpet will not work; firms need to know how they will be affected. The UK relies on its financial services heritage, contributing so much to the economy. Therefore, issues such as encryption need to be central to any legislation moving forward, otherwise the internet as we know it could become merely a news and search tool, as opposed to the integrated lifestyle enabler it is now.
Standardisation helps to solve uncertainties
Whatever route the Data Reform Bill takes, the ultimate takeaway is that changes need to be quick and easy to implement, and remain relatively consistent with our global peers. GDPR took years of preparation, costing firms time, money and resource. Any changes the UK government now makes cannot be anywhere near this scale, otherwise our well-documented productivity issue will further spiral. Most importantly, it needs to ensure we don’t hurt ourselves in the hope of making things easier. Data adequacy is worth the perceived admin, and whilst it is right that we try to make the legislation less pernickety than previously (allowing a more common-sense approach to what processing activities consent pertains to), the UK’s reputation as a leader in data protection rights is in danger. Keeping the requirement for adequate security such as encryption, so financial service institutions can continue with a free flow of information as required, while maintaining the safety of customers, is key.