Upcoming Changes to UK Data Protection Law: How Will They Affect Data Handling?

The UK government has started work on plans to revamp data laws in the wake of Brexit. Its “new direction” for data intends to create a “better data protection regime” in the future. 

So, what does it all mean, and what impact will it have on data handling and those responsible for it? 

Are there new laws in the pipeline that will ease the workload of CDOs in the UK as well as for those around the world who work with UK residents’ data?

The short answer is, probably not, and certainly not imminently. This article breaks down why, and what we know so far. 

The Story So Far

Between September and November 2021, the UK Government ran a closed consultation on the UK’s data protection laws. This laid out skeleton plans to “secure a pro-growth and trusted data regime.” It sought feedback from affected companies and stakeholders. 

The UK’s departure from the EU means that it no longer has to be bound by the same compliance burden as EU member states. At the center of this, for data protection, are the GDPR regulations that — it’s fair to say — plenty of businesses have found burdensome. 

For now, the UK has passed the GDPR rules into domestic law. They remain in place and are now referred to as “UK GDPR”. While the consultation referred to “build(ing) on key elements” of UK GDPR, the detail does hint at a break away from some of the stricter requirements. 

This is something that the UK is now free to do, and will affect everyone whose organization deals with UK-based customers and/or partners. 

It’s important to note that at the time of this writing, only the consultation has taken place. This means that nothing has been decided yet. 

However, the content of the consultation documents provides some hints as to what’s to come. 

What To Expect

The UK’s revamped data laws will come under the remit of the new UK Information Commissioner, John Edwards. 

It’s worth noting that implementing the recommendations that follow this consultation will be one of many assignments hitting Edwards’ desk at the start of his five-year term. Edwards will also be heavily involved in the non-insignificant tasks of overseeing the Freedom of Information Act and implementing the controversial Online Safety Bill. 

The wheels of government turn slowly at the best of times, and businesses are usually given a generous timeframe to comply with new legislation. As such, it’s fair to assume that it could be some time before anything changes on the ground.

What will change when things do change? Well, reading between the lines, the content of the consultation documents suggests that businesses might be able to look forward to less complex legislation in the future. 

A focus on “agile and adaptable” data protection law and mentions of “specific measures relating to reducing burdens on business” hint at less onerous regulations. The current government has frequently spoken of a “bonfire of red tape”, so it’s reasonable to assume this is the kind of thing it’s referring to.  

All CDOs understand the burden of compliance that comes with the current GDPR laws. As an example, the AgeUK charity publishes no fewer than 16 related policies on its website. It seems unlikely that any business would complain about a reduction in that number.

GDPR Subject Access Requests also appear to be under the microscope. The consultation documents refer to the possible introduction of a fee regime, and “capacity restraints” when dealing with these requests. 

As things stand, EU (and UK) citizens can make GDPR Subject Access Requests free of charge (as Which? explains), including to companies that are based in the U.S. and elsewhere in the world.

Changing this would be a significant divergence from EU GDPR policy, but could prove popular with businesses struggling with the administrative burden of such requests — or those hesitant to expand to the EU and UK markets because of such strict requirements.

Financial savings from processing SARs are among the quantitative benefits listed in the government’s “Analysis of Expected Impact,” currently estimated at “around 9 SARs on average per year at a cost of £75/SAR for SMEs and £375/SAR for large businesses”. These are mere estimates, however, as the report explains they are “derived from the best available evidence, [but] there remains a large degree of uncertainty”.

Though the UK government obviously aspires to make these less costly for businesses, we are still at the consultation stage so nothing is set in stone yet.

More Freedom to Make Use of Data?

While CDOs will likely focus on the intricacies of complying with the law, other areas of the business may look with interest at the mention of “creating a limited non-exhaustive list of legitimate interests that businesses can use personal data for, giving organizations more confidence to process personal data without unnecessary recourse to consent.”

This kryptonite for privacy campaigners may well see marketing and advertising firms (and perhaps even insurance companies) rubbing their hands together at the prospect of a regime that does less to stop them using customer data as they please. Perhaps firms will view the post-Brexit UK as a place where they can do more with data than they can elsewhere.

However, as we will see in a moment, life isn’t necessarily that simple in a globalized world. 

Things to Consider for CDOs

As previously mentioned, nothing will happen fast. And despite the “bonfire of red tape” intentions of the government, any company that does business beyond UK shores will still likely need to remain fully GDPR compliant. 

Much of the GDPR legislation isn’t about where a business is located but about the location of its customers. For example, as ConvertKit explains, you need to be GDPR compliant if you have subscribers that reside in the EU or EEA. 

The location of the business or website is immaterial. It’s well-known that operating across borders creates complexities like this. 

Furthermore, the UK’s need for “adequacy status” with the EU, when it comes to trade, is likely to curtail any particularly dramatic departures from the current way of doing things. 

Let’s work through a few hypothetical scenarios: 

KYC Data

Businesses that process KYC data have to think not just about processing the data but where they store the related records. SEON already describes KYC verification as a “logistical nightmare for companies working with an international user base.” This won’t change just because the UK tweaks its laws.

Imagine a scenario where the UK has introduced less “strict” laws. 

If they depart significantly from existing standards, they likely won’t adequately cover storage of KYC records for customers from outside the UK. As such, it may prove simpler for firms to continue to aim for “full” GDPR compliance.  

Email Marketing

Companies that engage in email marketing already have to navigate some complex international laws. These can vary depending on the locations of businesses and customers, and whether the companies do Business to Business (B2B) or Business to Consumer (B2C) marketing.

Imagine, as an example, that the UK decided to relax the “double opt-in” rules for sending marketing emails. There would likely be little benefit to removing opt-in emails only for UK customers. They would still be needed for those outside the UK.

We can already see these things playing out in practice, with US organizations having to decide whether to comply with GDPR rules, or to region-lock their websites. California CCPA privacy laws have created similar dilemmas. And the landscape is likely to get even more complicated moving forward. 

Working with Third Parties and Across Borders

As anybody who has managed a GDPR implementation knows, the talons of the legislation reach out into far-flung areas of the business and the infrastructure. There’s more to think about than the UK-specific laws when there are customers overseas, and there’s even more to think about when businesses host systems and services overseas.

Yes, there are companies that operate entirely within UK borders. But how many insist on a UK-based web host, lock down only to UK-based customers and turn their back on any chance of international trade?

Let’s say that the UK’s new regulations do “give organizations more confidence to process personal data without unnecessary recourse to consent.” That doesn’t remove rights from EU citizens who are still protected by GDPR. And companies wishing to earn from clients abroad will still be expected to comply with their laws. 

When you consider this as a US-based business, it’s even more complicated. If you have invested in expanding your activities overseas, would you want to target the UK market exclusively, but not the EU, when logistics and other considerations are still so similar for both?

Conclusion

It’s difficult to prejudge the outcome of these changes, especially when they are some ways off and it’s not yet known which will make the final cut. 

It seems probable that plenty of UK-based CDOs won’t thank the government for moving away from GDPR legislation that’s already been arduous to implement. Just how tangible the benefits will be is hard to judge, especially given the global nature of modern business. 

One piece of good news is that there’s a clear intention for small/micro businesses to benefit more from the proposed changes. As things stand, tiny businesses can find themselves in a position where they have a similar compliance burden to a multinational, but no resources to do the required work. 

As an example, independent bloggers with an audience spread across the world can face the same liabilities and responsibilities as global news sites with a team to take care of such matters. Should the government manage to make lives easier for these SMEs, the policy changes are sure to win some plaudits. 

How realistic that is remains to be seen. Most data will remain both an asset and a liability — with global implications — regardless of how much individual governments tinker with policy. And the practical concerns laid out above do raise the question of just how much the UK can do independently while still keeping its trading partners happy. 

With that being said, the ongoing crises that governments have to face mean such changes might be seen as less pressing by the authorities. Is going back to the GDPR drawing board a top priority? Perhaps not.  

In any case, US businesses considering expanding to serve the UK market could be facing less red tape moving forward. But then again, perhaps not. 

About the Author

Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He's the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager/Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.

CDO Magazine
www.cdomagazine.tech