Offline: Business, data but no definition

Bexley Beaumont Partner Hugh Goulborne writes that despite successive changes in leadership and policy priorities over the last few months, it’s important for consumers, businesses and regulators alike that the UK Government quickly makes clear exactly how it intends to change the law on data protection.

By anyone's standards, the last few months in Westminster have been exceptionally turbulent.

Since the start of July, we've had three prime ministers, an almost constant state of Cabinet reshuffle and a bubbling brew of legislative proposal.

Following Rishi Sunak's taking up residence in 10 Downing Street last month, the emphasis has been on achieving stability to stave off the worst impacts of what the Bank of England has warned is likely to be the longest recession since records began (https://www.bbc.co.uk/news/business-63471725).

Successive shift in policy priorities have meant certain items seemingly being relegated in importance.

One such item is the planned revision of the UK's data laws.

Only last year, the then Culture Secretary, Oliver Dowden, reiterated the intention to press ahead with what had been one of the key elements of the campaign for withdrawal from the European Union.

He described his belief to The Guardian that developing a "world-leading data policy" would "deliver a Brexit dividend for individuals and businesses across the UK" (https://www.theguardian.com/technology/2021/aug/26/uk-to-overhaul-privacy-rules-in-post-brexit-departure-from-gdpr).

That position was realised in the Data Protection and Digital Information Bill, introduced in the House of Commons in July (https://bills.parliament.uk/bills/3322).

Amid the turmoil of the last weeks of Boris Johnson's term as Prime Minister, the fine detaill of the Bill may have been overlooked.

Those paying close attention would have seen that its headline contents were, in their own way, pretty radical.

They included a dilution of protections for consumers - making it easier for organisations to access and share consumer data - as well as changes to businesses would be expected to manage information and how the whole process would be regulated.

However, a scheduled Second Reading in early September was postponed, allowing ministers to "consider the Bill further" in the light of Liz Truss appointment as PM.

Last month, the current Secretary of State for Culture, Media and Sport, Michelle Donelan, told the Conservative Party Conference that nothing had changed (https://www.ukpol.co.uk/michelle-donelan-2022-speech-to-conservative-party-conference/). Nevertheless, we are still to hear about whether - like some of the previous two administrations' parliamentary agenda - the Bill will be amended and advanced or replaced altogether.

In my opinion, that lack of clarity is important for businesses and consumers alike for several reasons.

Chief among them is the fact that companies of all sizes have already been required in recent years to adapt their operations to meet the terms of the General Data Protection Regulation (GDPR) and the Data Protection Act.

A reduction in the administrative burden faced by smaller businesses is, I would suggest, no bad thing.

After all, many individuals would question whether it makes sense for SMEs to have to abide by precisely the same obligations as much larger enterprises.

Doing away with the need for firms to employ Data Protection Officers (DPOs) is another matter entirely, though, given that they are meant to provide vital advice about whether management of consumer and employee personal information is legal compliant.

Handing the role of a DPO to a "senior responsible individual" within a business potentially removes an important safeguard and certainly doesn't make for less administration or headaches as the Government had promised.

In fact, the Bill doesn't offer organisations an entirely freer hand in relation to data management as had been touted during before the Brexit referendum. It is simply a renaming and slight dilution of what is in place at the moment.

Furthermore, it creates considerable risk that UK businesses will find themselves out of step with the rest of the EU because the proposed new regime gives no certainty about how data transferred between this country and the remaining 27 member states will be treated.

Businesses need to be able to trade without the prospect of extra administration involved in flipping between different regulatory systems.

Senior civil servants have outlined how discussions about changes to the Bill are continuing (https://www.wsj.com/articles/u-k-government-seeks-further-easing-of-data-protection-rules-11668712502).

I would suggest that it will serve Government, the business community and consumers well to make clear soon what exactly is proposed.

To discuss any of the above further, please feel free to contact Hugh: hughgoulbourne@bexleybeaumont.com  |  07748 803634