In September 2021 the UK Government consulted on changes to UK data protection law, then in early May 2022 in the Queen’s speech the intention to introduce the Data Reform Bill was announced.
Greater onus on UK Businesses?
Following BREXIT, the European Commission announced that they would keep a watchful eye over the UK Data Protection Law in the context of the adequacy decision. If the European Commission deem the new UK data protection law is not equivalent to its own, this could to disrupt data flows for those UK businesses who collect and share data within the European Union (EU).
We have seen that where countries laws are not adequate, that alternative assurances and protections are required of companies. This means it is likely that many UK companies will be required to provide contractual assurance that they will continue to comply with the gold standard of the EU Data Protection laws where processing data in the EU.
In February 2022 the European Commission published its proposal for a Data Act which aims to improve trust in data sharing and enable the sharing of industrial data between connected devices and devices on the Internet. The Act will aim to:
- implement new rules allowing customers to effectively switch between different cloud data-processing service providers
- Improve access to private sector data for the public sector
- Improve fairness of data access and use in business relationships
As the gap between the European Union and UK legal framework grows it is likely to put more onus on individual UK businesses wishing to continue to conduct business in the EU, to demonstrate compliance with all relevant laws.
Data Reform Bill changes
Below is a summary of some of the key changes which are likely to be included in the new UK Data Reform Bill:
- Introducing “privacy management programmes” as a compliance requirement
- DPO requirement to be replaced with a requirement for a suitable individual responsible for the privacy management programme
- Removal of DPIAs in favour of allowing organisations to choose their own approach to assessing privacy risks
- Replace Record of Processing Activities with a personal data inventory, as part of the privacy management programmes
- Raise the threshold for data breach reporting to the Information Commissioners Office (ICO)
- Amend the data subject access request provisions to introduce a cost limit modelled on the Freedom of Information Act
- Additional powers for the ICO
What steps can you take to prepare?
The law has not changed yet, but it is a good idea to ensure that you are assessing data flows in line with current legal requirements and start to analyse the impacts of potential change. Here at Midland Data Protection, we can help support with all your data protection needs, we simplify complex requirements in an effort to prevent any disruption to your business, contact us today.