The UK government has revealed details of the upcoming Data Reform Bill, its proposed amendments to the country’s version of GDPR legislation. Proposed changes include new rules on web cookies, reforming data protection watchdog the Information Commissioner’s Office (ICO), and reducing compliance requirements for small businesses, which the government says will save £1bn over 10 years.
Trade body techUK, which represents technology suppliers, has welcomed the proposed reforms as an ‘evolution’, rather than a revolution, in UK data law.
The Department for Digital, Culture, Media and Sport (DCMS) published its full response to the consultation on the Data Reform Bill on Friday morning, outlining its proposed reforms. It says these updates are focused on “outcomes to reduce unnecessary burdens on businesses”.
DCMS claims the reforms will not create significant additional compliance burdens. “Almost all organisations that comply with the UK’s current regime will comply with our future regime,” it said. “The limited number of new requirements are things that are already good or best practice and that many businesses already have in place.”
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower,” said culture secretary Nadine Dorries. “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.”
UK GDPR: What’s in the Data Reform Bill?
The Data Reform Bill proposes to remove the need for certain organisations, such as small businesses, to have a data protection officer and to undertake lengthy impact assessments. Organisations will still be expected to meet the same high data protection standards, the government says, but will have more flexibility to determine how they meet these standards. DCMS claims reducing this burden will save UK businesses £1bn over 10 years.
The requirement for researchers to obtain specific consent to use patient data in research will also be removed, and replaced with a broad consent process. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study.
Privacy and electronic communications regulations, which govern how websites collect data via cookies, will also be updated to cut down on the number of ‘user consent’ pop-ups and banners. The government wants internet users in the UK to be able set an overall approach to how their data is collected and used online, rather than having to opt in for each individual website they visit. This could be done via settings in the user’s browser, the consultation response says.
The set-up of the ICO will also be changed, with a chair, chief executive and a board introduced “to make sure it remains an internationally renowned regulator.” The bill will set out new strategic objectives for the ICO, as well as new ways for it to develop statutory codes and guidance.
Information commissioner John Edwards has given his backing to the changes, saying: “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”
‘Evolution, not revolution’ on UK GDPR reform
Trade body techUK, one of the first groups to respond to the reforms, has welcomed the proposals. “When GDPR was introduced everyone recognised it wasn’t perfect, and probably not ready for things like the massive increase in data driven innovation we’ve seen,” said Neil Ross, head of policy at techUK. “But it was a really important evolution in consumer protection and gave businesses a great reference point.”
Ross added: “We’re happy with the reforms proposed, they help make GDPR clearer and more flexible without entirely ripping up the system in a way that would cost businesses a huge amount of money. This is an evolution rather than revolution approach which is very welcome.”
However, Ross said more clarity is required in some areas. “We want to see more detail on their AI policy,” he explained. “There are two strands to this; data protection, which is reasonably well dealt with here, and AI governance, which the government says will be brought forward in a white paper towards the end of the year. Businesses really need to see a clear direction on this as soon as possible.”
More detail is also needed on the policy around cookies, Ross said. “We need to know how this will work in practice,” he says. “There are questions about how widely available the technology is to implement an opt-out system, and whether this would give the company running your browser or operating system undue influence over the market.”
Earlier this week, critics of the reforms warn they would weaken the control that citizens have over their data, particularly those from minority groups. As reported by Tech Monitor, a group of 30 civil society organisations wrote to DCMS this week to express their displeasure at being “excluded” from the consultation for the data reform bill, describing the process as “rigged”. DCMS denies this claim.