The government has published the results of its recent consultation on adjusting data protection laws. This is likely to form the basis of the government’s forthcoming Data Reforms Bill.

Here are some of the highlights of how UK businesses might benefit.

  • Cookies: This is the change that has garnered the most headlines. The government intends to remove the need for websites to display cookie banners to UK residents. Instead, it will permit cookies to be placed on a user’s device without explicit consent for a small number of non-intrusive purposes. In time, it will move to an opt-out model of consent for cookies in conjunction with a browser-based solution. Given the international nature of websites and other technologies, it will be interesting to see if developers make this adjustment for the UK.
  • Align PECR enforcement with UK GDPR. PECR deals with cookies, direct marketing and nuisance calls. The government intends to increase the ICO’s powers for dealing with nuisance calls and direct marketing in line with UK GDPR. This means broader enforcement powers and fines of up to 4% of global turnover. This is a popular change.
  • Privacy management programmes. The government intends to introduce “privacy management programmes” while maintaining the same level of data protection. This will be the framework around which it will then remove a number of requirements:
    • DPOs. It will replace data protection officers with a "designated senior individual" with responsibility for data processing. It will be interesting to see how this differs from what UK GDPR already allows.
    • DPIAs. While most respondents agreed that data protection impact assessments are helpful, the government proposes to remove the need for them. Instead, businesses will use risk assessment tools under the privacy management programme.
    • Removal of the record of processing activities. Despite the majority of respondents seemingly disagreeing, the government intends to remove this requirement. Instead, organisations will document the purposes of processing under their privacy management programme.
  • Breach reporting requirements. After reviewing the responses, the government has decided not to alter the breach reporting requirements.
  • Subject access requests. The government recognises the value of subject access requests. But it proposes to change the threshold for refusing to respond to or to charge a reasonable fee for a subject access request. This will switch from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. This will bring it in line with the Freedom of Information regime but is a small change.
The government's intention is to “reduce the burdens on businesses” and “deliver concrete advantages for the UK while preserving data subjects’ rights”. But it is interesting to note that the government now intends to abandon some of its less popular proposals. In particular, it notes the importance of not losing the UK’s adequacy status which would make data transfers to and from the EEA harder.

In its desire to flex new freedoms after Brexit, the government appears to have produced more heat than light. The reforms it now proposes look like tinkering around the edges rather than producing a big reduction on the burdens businesses face. It is a shame it didn’t undertake this type of exercise while still a member state of the EU. This could have fed through to the original text of GDPR.

Watch this space for timings of these changes. Part 2 is here.

If you need advice, contact me or +44 (0) 20 7611 2338.