Data Reform Bill

The key points behind the UK data reform bill. Do the changes affect you?

Data Reform Bill 2022

On May 10th 2022, the UK Government announced a new Data Reform Bill in the Queen’s Speech, intending to reform the UK’s Data Protection Act. If you are a UK business owner, you may be wondering:

  • How will these reforms affect my business?
  • What changes will I need to make?
  • What advantages will the Data Reform Bill offer my business?

Whatever concerns and questions you may have, we remain committed to providing you with the up-to-date information that you need to remain compliant and informed.

Data Reform Bill Explained

The UK government has described the EU’s GDPR as “highly complex”, stating that it has held back businesses from using data effectively due to “red tape and pointless paperwork”. The new Data Reform Bill changes are intended to create more clarity around data protection and make it easier for businesses and researchers to use data within a “risk-based accountability framework”.

The Bill also includes changes to the UK’s Privacy and Electronic Communications Regulations (PECR), such as allowing charities and ‘not for profits’ to use analytics cookies without consent, as well as permitting ‘soft opt-in’ (electronic marketing for existing customers). The government intends to allow cookies to be used without explicit consent for ‘non-intrusive purposes’. This will include cookies and technologies which allow businesses to measure web traffic and improve service to users. Political representatives will also be able to contact individuals who have expressed interest, for example by making a donation to the political party, as long as they were given the chance to refuse such contact when initially giving their details.

DCMS Data Reform Bill

The Department for Digital, Culture, Media and Sport (DCMS) published a response to the Data Reform Bill consultation indicating several changes expected in the GDPR landscape. The DCMS secretary Nadine Dorries stated: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retain our global gold standard for data protection.”

Data Reform Bill Key Points

There is still some time to go before the intended Data Reform Bill changes will take effect, as the full details will be subject to the scrutiny of Parliament. The details revealed by the UK government in the Queen’s Speech, however, indicate an intention to take advantage of a post-Brexit UK to create less rigid and onerous data protection laws and allow more flexibility. Some key points include:

Fewer obstacles and burdens on UK businesses

Some compliance burdens could be removed, which could especially benefit small businesses whose operations are based solely in the UK. The new UK Data Reform Bill should give businesses more flexibility in how they manage data risks, removing the need for certain organisations to have a data protection officer (DPO) where the risks are low. Businesses will still be required to identify and manage risks across their organisation, but will not need to undertake Data Protection Impact Assessments (DPIAs) or report data breaches when individual risk is not material. Organisations will no longer need to adhere to the requirements of Article 30, UK GDPR.

Data Reform Bill Cookies

The new data reform bill may lead to the end of the ‘box-ticking exercise’ of seeking explicit consent for specific purposes. A new ‘opt-out’ model should allow users to set their online cookie preferences to automatically opt-out, thus reducing the need to deal with consent banners/cookie pop-ups on each website visited. This will mean internet users will be able to control how their data is used via their browser settings rather than having to click to ‘opt-in’ to cookie collection each time they visit a new website.

Greater clarity for scientists and researchers

The new Data Reform Bill should more clearly define the bounds of scientific research and inform researchers on when they do, and don’t, need to obtain explicit consent to collect and use data for research. This should help researchers to obtain consent for data to be used for broad purposes, for example general cancer research rather than studies of specific cancer types.

Data Reform Bill ICO

Under the proposed new reforms, the Information Commissioner’s Office (ICO) would have clearer objectives, taking into account business competition and innovation, with more accountability to Parliament, when making judgements. The UK data regulator will be reorganised to have a chair, chief executive, and a board. Considerations such as economic growth will factor into decisions, rather than going purely by the letter of the law. Parliament would be able to overrule judgements made by the ICO. The government press release of 17th June 2022 on gov.uk has more information regarding the Data Reform Bill.

PECR fines

The maximum fine under the Privacy and Electronic Communications Regulations (PECR) is currently £500,000 – the government intends to increase PECR fines up to a cap of £17.5m or 4% of a business’s global turnover.

Data Reform Bill concerns

One of the main Data Reform Bill GDPR concerns is the question of adequacy. The European Commission granted the UK adequacy, which permits personal data to flow from the EEA to the UK, but the EC stated its intent to keep this decision under review. Any major changes caused by the Data Reform Bill could result in adequacy being revoked. This could cause significant problems for businesses which rely on trading with the EU and need to comply with the EU GDPR. The UK government has responded to these concerns by saying “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

AI automated decision making

Another major concern was the issue of automated profiling. The majority of consultation respondents opposed the proposal to amend Article 22 and it was confirmed that the right to human oversight was an essential safeguard. There will be an upcoming white paper on AI governance.

Data Reform Bill Summary

GDPR has long been recognised as the global standard, but the UK government has argued that the current rules place a disproportionate stress on smaller businesses. The new Data Reform Bill is intended to ease the burden on micro-businesses and allow innovation and growth through a simpler and clearer system of data protection. Some key changes include:

  • Removed requirement to appoint a Data Protection Officer
  • DPIAs no longer required
  • Article 30 requirements no longer necessary
  • Greater clarity on when explicit data consent is or isn’t needed
  • Fewer annoying consent pop-ups for web users
  • Web users to be able to automatically opt-in via browser settings
  • Reorganised ICO with more responsibilities
  • Increased PECR fines up to 4% of turnover

The government has estimated that over £1 billion will be saved by businesses over the next ten years due to reduced GDPR burdens, based on an analysis by the Department for Digital, Culture, Media and Sport (DCMS).

Businesses that are already compliant with the current UK GDPR won’t necessarily need to make any major changes and can continue to use DPIAs but tailor them to their particular processing requirements.

Reducing some compliance burdens on small businesses could be beneficial, especially if you are a micro-business with operations limited to the UK. For larger operations that deal with the EU, you may not wish to significantly change the way you currently obtain and process data – the GDPR remains the global standard for data protection and recognised compliance. However, depending on the circumstances of your business, you may be able to take advantage of the proposed changes in the Data Reform Bill for the greater flexibility that the new legislation will allow.

How can I utilise the new reform in my business?

We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.
  • We handle the complete scope of any data privacy requirement

Clear, Transparent Pricing

Just like the GDPR demands your processing be transparent at all times, our fees are also transparent – there are NO hidden, or unexpected costs. Everything is explained clearly to you in advance, ensuring you never exceed your budget.

GDPR Gap Analysis

A detailed comparison between your current data protection practices and requirements of the GDPR

£150 per hour + VAT

Project price based on project scope

  • GDPR Gap Analysis
  • Compliance and risk analysis
  • Document review
  • RAG report
  • Compliance action plan

GDPR Compliance

Create an effective Data Protection Framework by addressing identified areas of non-compliance

£150 per hour + VAT

Project price based on project scope

  • Create or update relevant policies
  • Define and implement processes
  • Train on record management
  • Support 'Data Protection Culture'
  • Guide on compliance and risk

Outsourced DPO

Managing your Data Protection Compliance Framework and upholding obligations

From £595 +VAT per month

Available from ½ day per month

  • Designated qualified DPO
  • Interacting with the ICO
  • Supporting DSARs & DPIAs
  • Conducting Due Diligence
  • Guiding on compliance and risk

GDPR Training

Training portal available as part of a package or as a standalone service

Online training
From £2.50 +VAT

per user per month

E-learning platform

  • GDPR/Privacy training
  • Supports Compliance Framework
  • Bespoke training programmes
  • In-person training for key staff

Free PRIVACY HELPER GDPR / Cyber Security training starter pack available with any new project - terms apply.

Why choose us?

Find out more about us, and why we are a leading UK privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACY HELPER

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.

Marketing

Is your marketing activity legal? We can make sure it is.