Government shares plans to overhaul data laws 

The government has rounded off London Tech Week by publishing its response to a consultation which aims to “harness the power of data” to “help British businesses trade abroad, boost the UK’s position as a science and technology superpower, and improve people’s everyday lives”.

It sets out how the Data Reform Bill – announced in this year’s Queen’s Speech – aims to strengthen the UK’s data protection standards while reducing the burden of prescriptive compliance on businesses. 

The government said it aims to “clampdown on bureaucracy, red tape and pointless paperwork”. It said since the introduction of the General Data Protection Regulation (GDPR), many organisations have been held back from using data as dynamically as they could.

A lack of clarity and understanding of the law appears to have led to an over-reliance on ‘box-ticking’ to seek consent from individuals to process their personal data to avoid non-compliance. Many organisations struggle to apply the law to their business and rely on a ‘one-size-fits-all approach’, regardless of the relative risk of their data processing activities.

The government said the bill will remove the UK GDPR’s prescriptive requirements, including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments.

Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain, but organisations will have more flexibility to determine how they meet the required standards.
Analysis by the Department for Digital, Culture, Media and Sport (DCMS) has suggested the reforms will create more than £1bn in savings over 10 years by reducing burdens on all businesses.

The Data Reform Bill will also increase financial penalties for companies that pester people with nuisance calls and the ICO will have tougher powers to crack down on those that break the law in this respect. The new Bill will increase fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR), which aim to prevent companies contacting people for marketing purposes without consent.

The fines will increase from the current maximum of £500,000 and be brought in line with current UK GDPR penalties which are up to four per cent global turnover or £17.5m, whichever is greater.

PECR rules will also be updated to cut down on ‘user consent’ pop-ups and banners – the boxes users currently see on every website – when browsing the internet.

Currently, users must consent to cookies (the data points which allow sites to remember information about an individual’s visit) to be collected. Users must ‘opt in’ to cookie collection every time they visit a new site.

The government will introduce a new opt-out model for cookies will reduce the need for users to click through consent banners on every website they visit, meaning people will see far fewer pop up boxes online.

Under the new rules, users will be better enabled to set an overall approach to how their data is collected and used online – for example, via their internet browser settings.

Before the legislative changes are commenced, the government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt out via automated means. This will help web users to retain choice and control over how their data is used.

Digital Secretary, Nadine Dorries, commented: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.

“Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation”.

The plans also include proposals to modernise the Information Commissioner’s Office (ICO) so it can “better help businesses comply with the law”. 
John Edwards, UK Information Commissioner, said: “I share and support the ambition of these reforms.

“I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.

“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill”.