Connect with us

Hi, what are you looking for?

World News

‘Pro-growth’ data reforms bring opportunities and risks

On 1 January 2021, following the end of the Brexit transition period, the UK’s data protection laws were changed. Out went the EU’s General Data Protection Regulation, and in came the UK’s very own version of the GDPR.

Changes were also made to the Data Protection Act 2018. But these were mainly technical. The rights and obligations remained largely the same. Until now.

The UK government has recently dropped some strong hints that substantial change may be on its way. In a comment piece in the Financial Times, the Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, argued for a new approach to data protection in the UK. He wants data protection to be focused more on the positive benefits of using data rather than seeing it solely as about risks and harms. And in a speech reported by Sky News, Dowden is quoted as saying that the UK should have a “more pro-growth, more pro-public policy approach” to data protection.

What does all of this mean in practice? It isn’t entirely clear what a ‘more pro-growth’ approach would look like, although the tone of Dowden’s comments certainly suggests that the government is seeking to reduce some of the more onerous requirements that data protection law places on businesses. This could mean reducing or even removing completely some of the accountability obligations, such as the requirements to appoint data protection officers, keep detailed records of processing activities and carry out data protection impact assessments. Whilst there is no doubt these can be costly for some businesses, other businesses are already exempt from these requirements. Other potential changes could include broadening the circumstances in which personal data can be used, narrowing some individual rights and widening exemptions to the rules to allow greater innovation in the use of data.

There are opportunities here. Our data protection laws are far from perfect and there is much that could be improved. The obligations are overly complex and difficult to interpret, the language is technical and the laws are very widely misunderstood. Not for nothing has the Information Commissioner needed to publish a series of blogs about ‘GDPR myths’, trying to combat fake news about data protection which continue to flourish due to this lack of understanding.

One option may be to remove small and medium sized businesses entirely from compliance with certain data protection obligations. Although this may be superficially attractive to allow new and growing businesses to innovate, it is arguably more costly in the longer term (not to mention far riskier) to bolt on data protection compliance to a mature business, rather than building it in from the start.

So the government will need to tread very carefully in making any changes. Whatever amendments are proposed, these should not put at risk the European Commission’s intention to grant the UK the ‘adequacy’ decision it requires to continue the free flow of data between the EU and the UK, which is crucial to so many businesses in the UK. For this reason, it is unlikely that the government will radically alter the rights of individuals, such as right to be told about how their data is processed and the right of access, or the enforcement regime currently operated by the Information Commissioner. Any major relaxation of the data export rules will also risk undermining the prospects of an adequacy decision.

Another potential risk for making wholesale changes is that UK businesses which operate in the European Union or which sell to customers within Europe will continue to need to comply with the EU’s GDPR. Currently, UK law is very closely aligned to the EU’s GDPR, and so this requirement to comply with two different legal regimes is actually relatively straightforward. However, if the UK government chooses to make significant changes, a large number of businesses will need to adapt their activities in order to comply with both the EU’s and the UK’s (potentially very different) data protection laws. This is likely to add to, rather than reduce, the compliance burden.

In my December column, I made some predictions about what 2021 may bring to the world of data protection. In light of these developments, it appears I was right to mention the possibility of changes to the UK’s data protection laws, although perhaps I was wrong to say “don’t expect to see a significant shakeup”. Businesses will await the government’s detailed proposals with interest.

Jon Belcher

Jon Belcher is a specialist data protection and information governance lawyer at Excello Law.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt.


Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione.


Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum.


Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora.

Disclaimer: it's managers and its employees (collectively "The Company") do not make any guarantee or warranty about what is advertised or above. Information provided by this website is for research purposes only and should not be considered as personalized financial or health advice. Copyright © 2021 Buzz Clever. All Rights Reserved