London is doing its Brexit on data protection. Indeed, contrary to what was announced last year, under the leadership of the current Prime Minister Rishi Sunak, the UK will not replace the General Data Protection Regulation (GDPR) entirely.
The goal: to establish a new regulatory framework that is more business-friendly, which will be "freed from unnecessary bureaucracy," according to Michelle Donelan, the Secretary of State for Science, Innovation, and Technology, who had already paused the flagship data protection reform, saying the government wanted to rethink its approach and inviting businesses to "co-design" the legislation with her.
The government now wants to keep the "best elements" of the European regulation, while dropping some limitations and reporting requirements for companies. This would result in more than €4.5 billion in savings over ten years.
ICO Commissioner John Edwards said, "The bill will allow my office to continue to function as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are expressed in the bill as it moves through Parliament." |
The bill would require companies to conduct processing registrations only when dealing with high-risk data, such as, for example, an individual's health data. It also clarifies that profiling is subject to the same rules as automated decision-making when a significant decision is made about an individual without significant human intervention.
With respect to international data flows, the bill will use existing transfer mechanisms if they already comply with current UK data laws.
At a roundtable discussion Wednesday afternoon, Joe Jones, director of research and analysis at IAPP, who has previously worked for the UK government in this area, said, "If you are compliant with the EU GDPR, you will be compliant with the UK." |
That said, because the regime will only apply in the UK, UK companies doing business in Europe may well choose not to change their current approach to data protection - to ensure they are still compliant with the RGPD, which continues to apply throughout the EU.
So, it's not entirely clear where the government is headed, but digital rights groups are concerned.