Newsflash: UK government publishes its responses to consultation on reform of data protection law

It’s what we’ve all been waiting for! Well…everyone at OBEP anyway. The UK government has today published its responses to its consultation on the reform of UK data protection law.

In September 2021, the UK government published a consultation titled ‘Data: A New Direction’ with proposals to reform UK data protection law (and potentially have differences to the EU GDPR). On 17 June 2022, the government published its response to the consultation, providing an overview of the views it received, and which of the proposals it does or does not intend to take forward. In May 2022, the Queen’s Speech announced a Data Reform Bill, which is expected take forward these proposals.

I am still making my way through the full set of proposals. A few initial points on some issues I have been following.

• Some of the international data transfer proposals will not be taken forward, including exempting ‘reverse transfers’ (in other words, sending personal data back to the party that originally provided it), and explicitly allowing repetitive use of derogations (such as where a transfer is ‘necessary’ for performance of a contract with a data subject).
• The government does intend to make reforms to allow proportionality when assessing risk for ‘alternative transfer mechanisms’ when making an international data transfer. Alternative transfer mechanisms are generally needed where the country of transfer has not been deemed to have adequate data protection laws by the UK government.
• In relation to an individual’s right of access to personal data, the proposal to re-introduce a nominal fee for responding to subject access requests is not being taken forward. However, the government is proposing to lower the threshold of the ‘manifestly unfounded or excessive’ exemption to ‘vexatious or excessive’.
• The government intends to remove the UK GDPR requirement to conduct data protection impact assessments (DPIAs). Even though the majority of respondents to the consultation disagreed with this proposal, the government intends to provide more flexibility for organisations in how the identify and manage risks within new privacy management programmes. DPIAs would still be an option for organisations in order to address risks.
• Also to be replaced with more flexibility under new privacy management programmes: the government intends to remove requirements to appoint a data protection officer (DPO) and to keep records of processing activities.

The government’s response to its consultation is available here.

Olivia Whitcroft, principal of OBEP, 17 June 2022

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details