The Data Reform Bill

Ahead of publication of the Data Reform Bill, Ibrahim Hasan sets out the changes can we expect to the UK GDPR.

Prince Charles has outlined the government’s priorities for the year ahead, as he delivered the Queen’s Speech. The speech highlighted some of the 38 laws that ministers intend to pass in the coming year. This includes a new Data Reform Bill which is predicted to make sweeping changes to the UK GDPR. The draft bill will published this summer but you don’t have to look too far back for clues about its contents.

On 10th September 2021, the UK Government launched a consultation entitled“Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. 

Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government: 

“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.” 

Many of the recommendations made in the TIGRR Report can be found in the latest consultation document. The government believes the reforms will benefit the UK economy, but should the reforms go too far, they could risk the UK's adequacy status with the EU.

So what can we expect in the Data Reform Bill? Page 57 of the press briefing accompany the Queen’s Speech sets out the main elements of the Bill are:

• Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
• Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
• Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

At the very least we can expect the accountability requirements to be relaxed as has been trailed in the consultation document. The Government wants to allow data controllers to implementing a more “flexible and risk-based accountability framework”, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out.  To support the implementation of the new accountability framework we think the government will, amongst other things, remove the requirement to:

• Designate a data protection officer
• The requirement to undertake a data protection impact assessment
• Consult the ICO in relation to high-risk personal data processing that cannot be mitigated (Article 36)
• The record keeping requirements under Article 30
• The need to report a data breach where the risk to individuals is “not material”

Ibrahim Hasan is a solicitor and director of Act Now Training. 

Find out more about Act Now's programme of GDPR workshops.