Data protection experts have put the boot in to the Government’s plans to go further with data protection reforms by ditching GDPR and replacing it with its own “bespoke” scheme, arguing that it will not only increase costs for most but also create more uncertainty.
The move, announced by Culture Secretary Michelle Donelan at the Conservative Party conference, includes a fresh delay and possibly a complete redraft to the Data Protection & Digital Information Bill 2022-23.
Donelan said the Government planned to replace GDPR with a “business- and consumer-friendly British data protection system… that will focus on growth and common sense, helping to prevent losses from cyber attacks and data breaches, while protecting data privacy.
“This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”
But Raj Shah, a senior associate at Collyer Bristow claims that scrapping GDPR will add further red tape and regulation for UK businesses that trade across the EU and EEA.
He explained: “While some businesses may welcome the Culture Secretary’s aim to remove what she describes as ‘lots of unnecessary red tape’ in respect of data protection laws, repealing the GDPR to replace it with new legislation generally appears counterproductive.
“Firstly, the GDPR will continue to apply directly to any business selling to customers in the European Economic Area. Introducing new domestic privacy laws that diverge from this will double the compliance workload for those businesses rather than reduce it.
“Secondly, there is a real risk that these plans, if implemented, could invalidate the UK’s ‘adequacy’ decision by the EU agreed as part of the Brexit deal. If that were to happen, transferring personal data between the UK and any EEA country would require reams of additional documentation and higher administration costs.
“Thirdly, GDPR has only been in force for four years. Overhauling this regime at this stage may not be particularly welcome when businesses have only just invested time and effort into achieving compliance.”
Meanwhile Anthony Drake, director of tech advisory firm ISG, said the UK creating its own version of GDPR was “more of a headline generator than anything meaningful for business”.
“Donelan’s announcement that GDPR would be replaced by a data-protection system that is both business- and consumer-friendly generated plenty of headlines. But the reality is, that’s a tough balance to get right.”
Drake agrees with Shah that claims the move would cut red tape for businesses simply do not add up, again pointing out that organisations which operate from the UK into the EU would still have to comply with GDPR – as well as the new UK regulations.
“The introduction of new, competing regulations will do little to lessen the burden of red tape.”
Ruth Boardman, partner and data protection specialist at law firm Bird&Bird, is equally sceptical. She said: “The minister’s speech suggests more far-reaching changes. We need the details to know if these will allow the UK Government to manage Boris Johnson’s favourite trick, of having cake and eating it – in this case, maintaining an adequacy decision while reducing bureaucracy and also protecting individuals.”
For Natalie Cramp, chief executive of data science firm Profusion, the move will bring more unwelcome uncertainty for UK businesses.
She explained: “On a practical level, it’s difficult to see how a new bill could be written and passed with adequate consultation ahead of the next general election. We could see the Conservatives passing this legislation in 2024, a Labour Government confirming that GDPR will remain, or an entirely different approach which may not be finalised until 2025 or beyond.”
Finally, Alexander Milner-Smith, partner at Lewis Silkin’s Data & Privacy Group, told City AM: “We had the Data Reform Bill, it had some sensible enough changes whilst also towing EU adequacy line, Whether we need further change really is questionable. It already arguably struck that balance, so this latest news seems a little redundant.”
Related stories
Let the tinkering begin: Data reform bill hit by delay
Data reforms are first on the agenda when MPs return
Firms ‘face higher costs, not savings, under data laws’
Govt claims business will save £1bn from new data laws
Data Reform Bill back on track in Tory leadership race
ICO regulatory masterplan barely raises an eyebrow
ICO vows to get tough on predatory calls and FoI mess
Axe data fines for charities, too, say agency chiefs
Industry claims victory as Data Reform Bill is revealed