Is the UK going to be free of the constraints of GDPR? If Michelle Donelan’s speech at the Conservative Party Conference is anything to go by, then GDPR’s days in the UK are numbered.
The new secretary of state for Digital, Culture, Media & Sport said GDPR had been inherited from the EU, and its bureaucratic nature was limiting the potential for businesses.
She announced that the UK would be replacing GDPR with its own business- and consumer-friendly data protection system. It wasn’t clear whether this was to be the Data Protection and Digital Information Bill (which itself has superseded the Data Reform Bill) or an entirely separate initiative. Whichever it may be, the plan is apparently to protect consumer privacy and keep consumers’ data safe, whilst at the same time retaining data adequacy so that businesses can trade freely. It was promised that the new system would be simpler and clearer for businesses to navigate.
Donelan stressed that businesses would no longer be shackled by unnecessary red tape which ties organisations up in knots with clunky bureaucracy. She plans to co-create a new system of data protection with businesses, looking to countries that achieve data adequacy without having GDPR, such as Israel, Japan, South Korea, Canada and New Zealand. She also promised that the reforms would not involve another wave of legislation and would avoid the pitfalls of a “one-size-fits-all” system. Instead, the new system will be about simplification and about the UK becoming the world’s data hub. The Data Protection and Digital Information Bill includes relaxing the rules on legitimate interest and data sharing… draw your own conclusions!
As expected, there has been much commentary on the announcement – some positive, some negative. Many data specialists believe that changing GDPR will add to the red tape, because anyone wanting to work in Europe will have to adhere to GDPR anyway. The fact of the matter is that most of the heavy lifting has already been done, as GDPR came into being in 2018, so a change will add to workload and bureaucracy rather than lessen it, as suggested.
Whatever comes to pass, for us what is clear is that regulation must be the watchword. Our recent study into GDPR regulation revealed that over the past 12 months there were only 28 rulings and five fines. In fact, the ICO has issued a total of only nine monetary penalties since GDPR came into force in May 2018, which sends the tacit message that the likelihood of being fined is remote.
Our research found that a lack of consent, failure to comply with controller responsibilities and data security were the three most common infringements since July 2021. Over three-fifths (61%) of the 28 enforcements were found to be in breach of Article 4.11, which states: “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Just under one in six (14%) of enforcements were for Articles 4.7 and 5.1.f, with organisations found either to have contravened their data controller responsibilities, such as providing subject access, or to have failed to keep their data secure. A further seven percent of the organisations were in breach of Article 3, which relates to the territorial scope of the regulation, and four percent fell foul of Article 8.2, which concerns parental consent for the processing of data pertaining to children.
Moving forward (under GDPR, the Data Protection and Digital Information Bill, or A.N. Other), data accuracy and responsible targeting must remain key concerns, or we risk falling back into the scattergun trap, which isn’t good for anyone.