UK GDPR

On 10 September 2021, the UK government launched a public consultation to overhaul data protection policy and UK GDPR under planned reforms announced by Digital Secretary, Oliver Dowden.  

Over the coming months, key experts on data protection and UK policymakers will come together to consider the results of the consultation so that they can create a new data policy that encourages innovation and supports small businesses and start-ups, all while protecting the public from major data threats.

This consultation, “Data: A New Direction”, tackles Mission 2 (Securing a pro-growth and trusted data regime) of the National Data Strategy Framework, which was published in September 2020.

“Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” said the culture secretary Oliver Dowden. 

However, any new data freedoms will be restricted by the need for policies to be deemed adequate by the EU to allow for data transfers between the EU and the UK to continue.  

National Data Strategy Mission 1: Unlocking the value of data across the economy 

Since the consultation took place, the DCMS has released a policy paper on Mission 1 of the National Data Strategy. It provides some detail on how the government is already exercising reasonable cause for intervening with existing data protection laws in the UK when it comes to private and third sector use of data.

Mission 1: Unlocking the value of data across the economy – What this actually means

Mission 1 of the National Data Strategy framework is divided into two main components:

  1. Principles for intervention: A set of principles that government will use to guide the function of data outside current data laws in seeking to unlock data across the economy, to ensure the most effective approach is employed to deliver public benefit. 
  1. Priority areas for action: The above principles can be applied to predetermined specific areas for action, which can address some of the key barriers to data sharing for public benefit.

The principles for intervention and priority areas for action, and how they are applied in impact assessments, can be seen in the table below.

| Priority areas for action ↓ / Principles for intervention → | Improve demonstrate incentives | Reduce legal and regulatory burden | Improve knowledge | Reduce costs | Support ways of addressing risks |
|---|---|---|---|---|---|
| 1. Promote the development of good data foundations so that data is held according to the FAIR principles. | | ✔ | ✔ | ✔ | |
| 2. Encourage the development and uptake of Privacy Enhancing Technologies. | | ✔ | | ✔ | ✔ |
| 3. Support the development of a thriving intermediary ecosystem that enables responsible data sharing. | ✔ | ✔ | ✔ | ✔ | ✔ |
| 4. Support the development of infrastructure that promotes the availability of data for research and development purposes. | ✔ | ✔ | ✔ | ✔ | ✔ |
| 5. Use incentives to maximise value for money data sharing in support of public good. | ✔ | ✔ | ✔ | ✔ | |
| 6. Support effective and well-functioning markets by addressing data practices that distort competition and consumer outcomes — including by widening access to data, where appropriate | ✔ | | | | ✔ |
| 7. Learn from international partners and support UK’s data economy and innovation agenda on the world stage | ✔ | ✔ | ✔ | ✔ | ✔ |

OpenSafely:  

An example of such an intervention lies in the provision of access to patient records to a privately held company called OpenSafely. This open-source analytics platform was allowed pseudonymised access to primary care records of 55 million patients, which makes up 95% of the UK population. The platform allows live analysis of patient records by analysts based anywhere in the world.  

This new way of processing and anonymously analysing data was done via remote computation within secure data centres and cloud environments that were processed with algorithms using dummy datasets. The real-time analysis enabled by the OpenSafely platform has been critical to the response to COVID-19, through the early identification of risk factors.  

What intervention means for the private and third sector

Intervention within the scope of the National Data Strategy involves special focus from the government on areas of interest that could benefit from the testing of alternative ways to handle data and the consideration of new laws. 

To determine the need for intervention, the DCMS performs a self-regulated impact assessment that considers priority areas and the reasons for intervention that apply. This can be seen in the table below.  

In some cases, a change of data protection law could benefit priority areas. The areas for intervention that could result in a change of law are being considered in the ‘Data: A New Direction’ consultation. Results of this consultation have yet to be released.

What the pandemic and this data protection reform could mean for personal data and UK GDPR 

Personal data has been more widely shared since the outbreak of Covid-19. The UK government aims to expand on this by making the personal data of British Citizens more easily accessible by key public sector services within the healthcare and policing sectors.   

Policy experts say that making the personal data of British Citizens more easily accessible by the police and healthcare professionals could make the management of healthcare and public safety more effective in light of the recent pandemic, with talk of a single, centralised database of personal information for use by public sector workers.

However, recent reports have revealed that the UK’s £37 billion Test and Trace Scheme was a failure, which may suggest that free movement of personal data within government bodies can no longer be justified.

A leading compliance expert has said that the anticipated open sharing of citizen data will be more focused on information from clinical trials to allow medical progress to happen more quickly. 

The risk versus the benefit that is weighed in Mission 1 for impact assessments for interventions can be seen in the below graph.

Data: A New Direction – the public consultation  

Plans for the data protection reform were first announced on 26 August 2021 when the government published a press release saying fundamental changes were going to be made with regards to international data transfers and the necessity of cookie banners.   

“The UK is starting to show that there is room for diversion from EU data protection law whilst still retaining the GDPR as a framework. What this means in practice is that the way in which international data flows are approached is not identical to the way the same data flows are treated in the EU, but this doesn’t necessarily mean that the protection is going away,” said Ustaran, Global Co-head of the Hogan Lovells Privacy and Cybersecurity practice.  

The public consultation asked for a varied cross-section of the UK population to contribute their opinions on the UK’s data protection policy, including international leaders in data protection.

Particular relevance was given to:  

  • Start-ups and small businesses   
  • Technology companies and data-driven or data-rich companies   
  • Civil society organisations focused on consumer rights, digital rights, privacy and data protection   
  • Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right  
  • Organisations involved in international data standards, regulation, and governance   
  • Law firms and other professional business services

(Source: Gov.uk)  

What can we expect from the new UK GDPR?

The new data regulations will be structured to convince other nations that the UK’s data protection policy fulfills their own standards to allow for free movement of data across international borders. Particular emphasis has been placed on gaining adequacy agreements with the US, South Korea and Australia.  

The reforms outlined in this consultation aim to:  

  • Cement the UK’s position as a science superpower, simplifying data use by researchers and developers of AI and other cutting-edge technologies.  
  • Build on the unprecedented and life-saving use of data to tackle the COVID-19 pandemic.  
  • Secure the UK’s status as a global hub for the free and responsible flow of personal data – complementing our ambitious agenda for new trade deals and data partnerships with some of the world’s fastest growing economies.  
  • Reinforce the responsibility of businesses to keep personal information safe, while empowering them to grow and innovate.  
  • Examine what more can be done to mitigate algorithmic bias  
  • Ensure that the ICO remains a world-leading regulator, enabling people to use data responsibly to achieve economic and social goals.  
  • Toughen penalties on nuisance calls and text messages  

Implications of Mission 1 on Mission 2 of the National Data Strategy 

No findings have been released about Mission 2 since the consultation on Data: A New Direction was closed in November 2021. However, if the examples of intervention laid out in Mission 1 are brought forward as policy later on in 2022, the way citizens’ private information is processed could also be affected in ways that were stipulated in Data: A New Direction. Some significant proposals are listed below.

  1. Create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test. This will give organisations confidence to process personal data without unnecessary recourse to consent
  1. Separate lawful ground for research, subject to suitable safeguards
  1. Remove the existing requirements to designate a data protection officer
  1. Remove the requirement for organisations to undertake a data protection impact assessment
  1. Remove the requirement for prior consultation with the ICO (and no fines for not consulting with ICO)
  1. Consider changing the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not material.
  1. Consider whether to introduce a fee regime (for Data subject requests) for access to personal data held by all data controllers
  1. Option for organisations to use analytics cookies and similar technologies without the user’s consent.
  1. Amend international transfers regime to give organisations greater flexibility in their use of transfer mechanisms (Binding Corporate Rules, Codes of Conduct and Certification Schemes)
  1. Establish an independent board and a chief executive officer at the ICO
  1. Individual non-executive members of the ICO’s future board and its chief executive officer role will also be appointed via the Public Appointment process

Merit’s Data Protection Officer (DPO), Dheeraj Jayaprakas, commented that “If different standards are applied to different localised areas, this could lead to confusion and difficulty in achieving data compliance.

Our clients are global companies. They want to know they are being compliant no matter where their data is being moved and processed in the world. With that in mind Merit aim to uphold the toughest standard and maintain that as a benchmark to allow the safe movement of data globally whilst ensuring compliance and benefit to our clients.” 

(Source: Gov.uk) 

Does the UK still follow the EU’s GDPR rules after Brexit?

The GDPR data protection rules were introduced by the EU in May 2018. In the same year, the Data Protection Act, introduced by Theresa May’s government, wrote the UK’s GDPR. Otherwise known as The Data Protection, Privacy and Electronic Communications (DPPEC) Regulations of 2019, the UK’s GDPR was written to mirror the EU’s GDPR regulations and came into effect on the 1st of January 2021.  

Until the results of the consultation are determined, drafted into an Act and voted in by parliament, the DPPEC remains in effect. Policy makers are likely to also give the public a year to prepare for any transition, with some leading policy experts saying the new laws won’t come into effect until the end of 2022 or early 2023.

DPPEC or UK GDPR and how it works in the UK 

The UK data protection framework is very similar to the one in Europe. Both impose strict laws on what data controllers can do with personal data. And when it comes to the acquisition of personal data, both require one of the following: 

  • Consent from the individual 
  • Contractual necessity involving the individual  
  • The data controller’s legal obligation  
  • The necessity to protect the public interest or exercise official authority  
  • A legitimate interest of the data controller or third party  

(Source: GDPR Article 5 (1) (a))

However, some still argue that these policies do little to protect individuals from their private data being misused after the fact.  

Adequacy decision for the transfer of personal data from the EU to the UK 

British data protection law differs from the EU by providing exceptions to cases involving national security or immigration. Despite rejection from the EU Parliament, the EU Commission approved an adequacy decision for the UK on the 28th of June 2021 for the transfer of personal data from the EU to the UK.  

The Commission states that: “although the UK is no longer an EU member state, the same legal provisions for the protection of personal data are still in place. Significant safeguards are in place in case the UK’s privacy framework diverges from EU standards in the future to protect the rights of EU citizens which allow the EU Commission to intervene, if necessary.” 

The adequacy decision contains the following elements: 

  • Despite leaving the EU, the UK’s data protection system continues to be based on EU standards, as was the case when the UK was a member state of the EU. 
  • With respect to access to personal data by public authorities in the UK (notably for national security reasons), the UK system provides for strong safeguards: 
    1. Data collection by intelligence agencies is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to the objective pursued. 
    2. If data subjects, companies, organisations, etc. feel that they have been subjected to unlawful surveillance, they may bring an action before the Investigatory Powers Tribunal. 
    3. The UK also remains subject to the jurisdiction of the European Court of Human Rights and must adhere to the European Convention on Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The latter is the only binding international convention in the field of data protection. These obligations under international law constitute essential elements of the legal framework assessed in the adequacy decision.
  • The adequacy decision for the UK is also the first decision to contain a so-called “sunset clause”, which strictly limits its duration. The decision automatically expires four years after its entry into force. Renewal is only possible if the UK continues to ensure an adequate level of data protection. But even during these four years, the EU Commission may intervene at any time if the level of data protection in the UK deviates from the level of protection currently in place. If, after the four years, the Commission decides to renew the adequacy decision, the adoption process would start again. 
  • The criticised data transfers for immigration control practised by the UK are excluded from the material scope of the adequacy decision adopted under the GDPR. This is due to the recent decision by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions of data protection rights in this area. This decision has been taken into account in the adequacy decision. However, once the situation has been remedied under UK law, the EU Commission will reassess the need for this exclusion. 

(Source EU Commission: Commission Implementing Decision) 

Exceptions to the EU Commission’s Adequacy Decision

The approval of the adequacy decision by the EU Commission allows data to flow from the EEA in most cases under UK GDPR law but does not cover data transferred for the purposes of immigration control.  

This does not apply if: 

  • An entity never transfers personal data outside the UK and never receives personal data from outside the UK; or
  • An entity only transfers personal data outside the UK to consumers or only receives personal data from outside the UK directly from consumers.

In the case of GDPR compliance, the UK includes England, Scotland, Wales and Northern Ireland. It does not include Crown dependencies or UK overseas territories, including Gibraltar.

How long will the adequacy decision last? 

The adequacy decision will remain in place, as long as the UK GDPR is enforced the way it stands, until the 27th of June 2025. During this period, the EU Commission will monitor any developments in the UK’s GDPR laws to ensure it continues to provide a level of data protection equivalent to the EU’s GDPR. If deemed necessary, say if the UK decide to overhaul their data protection laws, the Commission can amend, suspend or repeal the adequacy decision.

UK's Data Protection Laws

International data transfers that rest on adequacy agreements 

Adequacy agreements are crucial for international relations and data transfers. The EU has spent several years tussling over whether the US provides adequate protection for EU citizens’ data, particularly when it comes to government surveillance. For a while, the EU considered the US safe for personal data from the EU under the Safe Harbour Agreement. However, after the Snowden revelations, the European Court of Justice ruled the agreement invalid.

The ramifications of this ruling are still being felt today by US entities, a consequence UK policymakers should hope to avoid over the coming months.  

If the new policy differs too much from that approved by the EU Commission, the UK could lose its adequacy agreement which will result in the loss of a lot of business with the EEA. 

Some leading policy experts say that if the new data act is similar to the EU’s GDPR, there will be little risk of losing the adequacy agreement and that the current majority conservative parliament won’t give rise to much conflict in the upcoming discussions on what the new data policy will entail. 

What happens if the UK GDPR loses the adequacy decision?  

If a case is made and won against the UK’s new data protection Act, the Frozen GDPR would apply to personal data from the EU if it was processed in the UK:

  • Before 1 January 2021 or 
  • Under the basis of the Withdrawal Agreement 

(Source: ICO) 

What this means is that every batch of data moved between the EU and the UK will be subject to case law from the EU Court of Justice predating the Brexit transitionary period.  

Cookie banners have been commonly associated with the implementation of GDPR in 2018. In reality, the cookie policy predates GDPR, having been introduced in the EU’s 2002 ePrivacy Directive. Dowden has suggested that the reform could remove the requirement for websites to ask permission for the low impact use of personal data, but an alternative has yet to be suggested.

Who will be responsible for the UK’s new Data Protection Act?  

With so many stakeholders and interest groups affected, the consultation aims to involve a broad cross-section of individuals in the decision-making process. The Information Commissioner and the board of the Centre for Data Ethics and Innovation will play major roles in drafting the new Data Protection Act, which will be voted on in Parliament in early 2022.

The UK’s new Information Commissioner to spearhead the UK’s GDPR  

A new information commissioner will be appointed to the Information Commissioner’s Office (ICO) to oversee the data protection reform. John Edwards, currently the privacy commissioner of New Zealand, is the government’s preferred candidate to replace Elizabeth Denham, whose term in office will end on 31 October 2021.

Centre for Data Ethics and Innovation (CDEI)  

The UK government also recently announced that global leaders in data have been appointed to the advisory board of the Centre for Data Ethics and Innovation (CDEI).

Established in 2018, the organisation consists of a multidisciplinary team of specialists and expert thought leaders who work to deliver, test and refine trusted approaches to data and AI governance and address barriers to innovation.

The newest board members include:   

  • Jack Clark – Co-founder of Anthropic and former Policy Director at OpenAI  
  • Dr Rumman Chowdhury – Director of Machine Learning Ethics, Transparency and Accountability at Twitter  
  • Jessica Lennard – Senior Director of Global Data and AI Initiatives at VISA  
  • James Plunkett – Executive Director of Advice & Advocacy at Citizens Advice  

So far, the CDEI has been working closely with the Ministry of Defence, the Centre for Connected and Autonomous Vehicles and the Department for Business, Energy and Industrial Strategy to develop ethical principles, Smart Data Schemes and due diligence to ensure the responsible and innovative use of data and AI across key industries.

The CDEI’s 2021/22 work programme focuses on three themes:   

  1. Maximising the public benefit of data by enabling it to be used and shared responsibly  
  1. Building a strong AI assurance ecosystem in the UK  
  1. Supporting the delivery of transformative data and AI projects in the public sector, with a focus on high impact use-cases.  

(Source: CDEI) 

Sources: 

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-and-the-eu-in-detail/the-uk-gdpr/

https://www.theguardian.com/technology/2021/aug/26/uk-to-overhaul-privacy-rules-in-post-brexit-departure-from-gdpr

https://www.theguardian.com/technology/2021/aug/26/what-gdpr-why-does-uk-want-reshape-data-laws

https://www.itgovernance.co.uk/eu-gdpr-uk-dpa-2018-uk-gdpr

https://uk.practicallaw.thomsonreuters.com/w-026-8528?originationContext=document&transitionType=DocumentItem&contextData=(sc.Default)&firstPage=true

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/

https://www.cookiebot.com/en/uk-gdpr/

https://www.gov.uk/government/news/uk-launches-data-reform-to-boost-innovation-economic-growth-and-protect-the-public

https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1016471/Data_Reform_Impact_Analysis_Paper.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1022315/Data_Reform_Consultation_Document__Accessible_.pdf

https://www.gov.uk/government/consultations/data-a-new-direction

https://dcms.eu.qualtrics.com/jfe/form/SV_4PCGczFraZqi1aC

https://www.fieldfisher.com/en/insights/legacy-data-under-article-71-of-the-withdrawal-agreement

https://www.activemind.legal/gb/guides/adequacy-decision-uk/ 

https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf

Dods Group Monitoring 
