Companies across the UK are facing changes to GDPR regulations but assurances have been given that new arrangements for UK companies will remain compatible with EU digital protection rules.
Michelle Donelan MP, the Secretary of State for Digital, Culture, Media and Sport, has reaffirmed the government’s intention to redraft rules on data protection following the UK’s decision to leave the European Union.
The Secretary of State believes the current data protection laws bind businesses with “unnecessary red tape” and says this particularly causes issues for smaller companies.
This is very likely to mean changes in how data breaches are reported, as the UK will no longer be part of the EU-wide one point reporting system.
Speaking at the recent Conservative Party conference, Ms. Donelan said: “Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely. And I can promise you it will be simpler and clearer for businesses to navigate.”
The UK currently has a mechanism with the EU, known as adequacy decision arrangements, which allow personal data to flow between the UK and EU countries.
For companies who trade in the UK and EU, it will be important that any changes in UK law ensure that data continues to flow. As of November 2022, there are no details from our government as to how they will replace GDPR.
A senior official at the Department of Digital, Culture, Media and Sport indicated that ensuring the retention of the adequacy arrangements was a high priority.
Owen Rowland, Deputy Director, told a Westminster e-forum event he was confident any new proposals would not put adequacy at risk.
This reassurance has to be good news for companies who will recall the changes that were necessary when GDPR was introduced in 2018.
Mr Rowland told the event, on 8 November 2022, that the EU were being kept informed of UK plans and had not raised any red flags.
The Government published its Data Protection and Digital Information Bill in July. However, changes at the top of Government will most likely lead to further internal reviews. The Bill intends “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” The Bill proposes amendments to the UK GDPR legislation, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
The UK General Data Protection Regulation came into effect at the beginning of 2021. GDPR requires clear consent and justification for data to be shared.
Businesses were given two years to prepare for GDPR, and any changes now that the UK is no longer in the EU will be carefully monitored.