It was announced during the Queen’s Speech on 10 May 2022 that the UK Government plans to press ahead with reforming the UK’s current data protection regime. This follows on from the UK Government's earlier public consultation on data protection reform proposals which was published in September 2021. In a post-Brexit world, the Data Reform Bill (the ‘Bill’) will lay the groundwork to deviate from the General Data Protection Regulation.
The EU General Data Protection Regulation was introduced in 2018 and changed the data protection landscape dramatically. The UK retained the GDPR legislation through the Data Protection Act 2018, and continued to do so post-Brexit with the data provisions of the European (Withdrawal) Act 2020. The Queen’s Speech in 2022, however, has announced an intended deviation from the existing regime, with the stated intention of the proposed new Bill to:
"Take advantage of the benefits of Brexit to create a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK."
The Bill will aim to reduce the perceived burdens on business and move to an outcome focused approach to data protection rather than the current ‘tick-box’ exercise. The Bill will also seek to modernise the Information Commissioner's Office, allowing it to take stronger action against organisations which breach data protection rules.
While the idea of simplifying data protection compliance may appeal to many businesses, the transition period is likely to bring about a period of uncertainty. The uncertainty could affect small to medium sized enterprises in particular which do not have legal departments and which will have to navigate another new regime only four years after the legislative overhaul in 2018. It has been highlighted that areas of the Bill would only apply to England and Wales only, so a divergence across the borders could create further ambiguity, especially for organisations trading throughout the United Kingdom.
A 2018 economic analysis conducted by the Department for Digital, Culture, Media and Sport and Ctrl-Shift estimated that the productivity and competition benefits from safe and efficient data flows could create a £27.8 billion uplift in UK GDP. There are though concerns that adoption of the Bill in due course could adversely impact on EU – UK data transfers by jeopardising the European Commission’s current “adequacy” assessment of the UK’s data protection framework.
Whether the prospect of a new regime is an exciting new chapter for UK businesses or brings about further uncertainty about data protection will be revealed once the Bill is finalised.
If you require any advice in relation data protection compliance, please contact a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Maya Allen, Trainee Solicitor.