10 May 2022
The Data Reform Bill
By Dr Kit Good, Senior Data Protection Advisor
All the news in the run-up was about Prince Charles delivering the Queen’s Speech on his mother’s behalf, but for the data protection sector, the line “The United Kingdom’s data protection regime will be reformed” was the most significant, if long expected.
The government’s briefing pack gives a two page summary of the ‘Data Reform Bill’ and anyone who has read the 2021 ‘Data: A New Direction’ can see the natural progression of the concepts in that document.
On one hand the Bill summary describes a new law regime that ‘reduces burdens on businesses’ and ushers in ‘a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.’ The government’s earlier consultation explored recommendations such as removing the obligations around Article 30 record keeping (the “ROPA”), data protection impact assessments (DPIAs) and removing the requirement to appoint a data protection officer (DPO). Saddle up for a new era of deregulation.
And yet on the other hand, the Bill also looks to ‘[m]odernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules’. A better resourced regulator will surely mean organisations will be called on more often to maintain and produce the means to account for their data processing. To go back to the consultation document, a lengthy passage detailed the introduction of ‘privacy management programmes’, encompassing ‘leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation and improvement.’ Many data protection professionals will wonder why they hadn’t tried implementing this before. The documentary ‘burden’ is not necessarily going anywhere or, in this form, a bad thing.
The GDPR is not a sacred text. It’s a principle based legislation which is still being formed and reshaped in caselaw, advice and enforcement. The Data Reform Bill will create a new series of challenges in interpretation and implementation. Some of these will likely be improvements. The bill summary provides a range of eye watering monetary savings, whilst not acknowledging the cost impact of a loss of EU adequacy status or the existing efficiencies inherent in the record keeping and governance procedures the existing law mandates.
Here at Naomi Korn Associates, we’ll continue to track the developments of the law and help you put in place the practical policies, training and advice you’ll need to keep data protection at the heart of the services you provide. Contact my colleague Jess Pembroke, Head of Data Protection email@example.com to find out more.