GDPR compliance and the UK’s proposed overhaul

Last month, many reports in the media highlighted the UK’s proposed overhaul of existing privacy rules in its latest strategy to chart its own course ‘free’ of EU regulation. As the Conservative Party Conference gets underway in Manchester, where it is anticipated this topic will be discussed, partner James Corlett, of the Group’s specialist corporate and commercial practice, Beyond Corporate, looks at the potential implications of such an overhaul.




What does the UK’s proposed overhaul mean?

Many of the proposals laid down by the government in its report are sensible: reducing the impact of confusing consent pop-ups would be welcomed, and focusing on protection as opposed to box-ticking is a natural win for businesses and consumers alike. The report acknowledges that current rules are “putting a particularly disproportionate burden on SMEs and organisations that undertake low risk processing”.

The report seeks to find the elusive third way of data protection, that is, between too much and too little.


The UK economy

As ever, things are little more complex than that and given how closely integrated the UK is with EU regulation, the UK will be restricted by the fact that the UK’s overhaul will need to be deemed adequate by the EU, otherwise it could have severe impacts on data transfers between the UK and the EU. Which would have potentially serious consequences for the UK economy – the free flow of data to the European Union is, according to the UK government’s own figures, worth £85 billion to the UK. In this context it’s clear why the UK fought so hard to achieve adequacy with the EU.


Reducing the burden on business

The proposals suggest reducing the burden on business in several ways, including removing existing requirements to designate a data protection officer and to conduct data protection impact assessments. The government also proposes removing the requirement to maintain a record of processing activities and lowering the threshold for reporting data breaches.  Likewise, the report proposes that cookies are handled more liberally, reducing burdens on SMEs to share each and every detail of how cookies are handled in order to achieve the user’s consent.


Two regulatory regimes

It’s worth bearing in mind too that any regulatory divergence is going to have limited positive upside to businesses looking to trade with the EU, as it will mean businesses having to comply with two regulatory regimes, instead of one. However, the intention is clearly to show the world that UK is a leader in data protection regulation, and it is hoped that these steps will increase the UK’s influence in designing a global approach to data protection regulation.


What next?

It remains to be seen how many of the proposals will be adopted and how this will pan out in practice after that. The government’s response to this consultation will be published, we are told, “in due course” following its closure on November 19, 2021.  The Beyond Corporate team will continue to monitor these developments.


If you have any questions about any of the issues raised here, please get in touch. Our team of expert lawyers will be pleased to speak with you.