Search

How can we help?

Icon

UK Government’s plan to replace UK GDPR 

The Data Protection and Digital Information Bill (‘DPDI Bill’) was due to have its second reading in Parliament on 5 September 2022. The aim of the Bill was to update the UK’s data protection framework. However, this was halted due to the appointment of Liz Truss as the new Prime Minister.

Instead of proceeding with the DPDI Bill, the Government has now announced plans to replace the UK GDPR altogether. In a speech on Monday the 3 October 2022, Michelle Donelan, the Secretary of State for Digital, Culture, Media and Sport, stated that the UK GDPR currently limits the potential of UK businesses, and referred to putting an end to EU ‘red tape’ entailing excessive regulation which is considered bureaucratic and hinders action or decision-making. Donelan stated, “many of these smaller organisations and businesses only employ a few people each. They don’t have the resources or money to navigate the regulatory minefield that GDPR puts in their way. And yet right now, in the main, they’re forced to follow the same one-size-fits-all approach as a multinational corporation.”

So, what are the implications for UK businesses?

The government is seeking to implement a new system to be both business and consumer-friendly at the same time, which will no doubt be a difficult balance to achieve. In addition, it is hoped that the system will protect consumer privacy and keep individuals’ personal data safe, whilst retaining data adequacy for the UK and being simpler and clearer for businesses to navigate.

Whilst this sounds like great news for businesses, there are several implications businesses should consider:

Costs of implementation

Chris Bryant, Chair of the Standards and Privileges Committee, said the new regulation could result in increasing work and responsibilities for data protection officers and increasing costs for businesses. It is important to note that businesses that have customers in the EU will still have to comply with the GDPR regardless of the new system the UK introduces. Such businesses may therefore have to comply with two regulatory regimes instead of one.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

It is important to note that businesses that have customers in the EU will still have to comply with the GDPR regardless of the new system the UK introduces.

The UK GDPR has become well established for businesses to have become familiar with it and many businesses have previously invested substantial amounts of time and money to understand and ensure compliance with the framework.

Flow of personal data to EU

‘Adequacy’ is a term the EU uses to describe entities that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. The regulatory framework of the Data Protection Act 2018 ensures that the UK maintains adequacy on the collection, processing and storage of data. The UK GDPR was the UK’s way of maintaining adequacy, in order to facilitate the free flow of personal data between the UK and the EU. In June 2021, the European Commission published two adequacy decisions which deemed that the UK’s laws and systems for protecting personal data were ‘adequate’ until 27 June 2025.

Any move away from the GDPR will no doubt be monitored by the European Commission to assess whether the UK still provides ‘essential equivalence of adequacy’ and such assessment is due to commence in 2024. If it does not extend the adequacy decisions, the current adequacy decisions will expire on 27 June 2025. Whilst Michelle Donelan commented that the UK would retain its adequacy, she also indicated that there would be a complete move from “EU red tape”. As of yet, it is unknown how this will be achieved, and it will certainly be a challenge. This may also pose difficulties for UK businesses to do business with the UK’s largest trade partner.

What businesses should look out for

As we approach the General Election in 2024, if a new Government is elected, it may choose not to deviate from the current regime or decide to implement its own data protection regime. We would suggest keeping an eye on any updates from the Government as currently, the Government has a two-year window to introduce the announced change. This may not be achievable given the other issues the Government is dealing with, in particular, the costs of living crisis and potential recession. Whether this new system is actually implemented is therefore uncertain and we await further details from the Government.

 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

About this article

Read, listen and watch our latest insights