Data Protection Reforms – Simplification of Compliance and International Data Transfers

On 10 September 2021, the UK’s Department for Digital, Culture, Media & Sport issued a consultation seeking views on the government’s plans to reform the UK’s data protection laws, specifically the GDPR (as implemented in the UK) and Data Protection Act 2018 (the UK GDPR). The aim of the reforms is to create a more pro-growth and pro-innovation data regime by removing unnecessary burdens on businesses or barriers to transfers, whilst also maintaining high standards of data protection and public trust.

Among the proposed changes, the following are likely to affect our clients:

1. International data flows – There is acknowledgment that global networks of data flows are critical to our prosperity and modern way of life and businesses are therefore becoming increasingly reliant on international flows of personal data. The plan is to implement a more risk-based approach to making adequacy findings and consider whether to make such adequacy regulations for groups of countries, regions and multilateral framework, thus reducing barriers for international data flows. Adequacy decisions allow for the transfer of information without the need for additional safeguards. The government will also continue to improve the design of alternative data transfer mechanisms to assist this transfer of data.
2. Innovation – There is increased clarity on the UK GDPR (for example, the rules on using data for research) so organisations are able to use data as fully as possible without concerns about legality. It is hoped that this greater clarity will allow UK law to keep pace with the development of cutting-edge data-driven technologies.
3. Flexibility – There is a clear effort to reduce burdens on businesses and deliver better outcomes for people. Businesses will be equipped with the tools to more effectively respond to subject access requests and given greater flexibility on compliance within the accountability framework. The proposed reform of the accountability principle will require organisations to implement a privacy management programme tailored to their processing activities on a more flexible and risk-based basis, which should avoid a disproportionate burden on SMEs that undertake low risk processing. The hope is that these more proportionate and flexible compliance activities will help businesses to unlock the value of their data assets rather than being seen as a regulatory burden. Critically, these reforms will not require businesses to change many of their current processes if they already operate effectively, but it will provide the flexibility to do so if other processes can deliver the same or better outcomes in more innovative and efficient ways.
4. Safeguards – The safeguard mechanisms have been made more flexible and tailored depending on the risk assessments of the country of import.

It remains to be seen whether these proposed changes will have the desired effect of fostering more growth and innovation in the digital economy, but we will seek to provide an update when the results of the consultation are released after it closes on 19 November 2021. Further details about the proposed changes can be found here.  We would be happy to assist any client in understanding how these proposed changes may impact their business or more general guidance on data protection compliance.