Why plans for new UK data protection laws are quackers

Plans by our new Secretary of State for the Department for Digital, Culture, Media & Sport (DCMS) to ditch GDPR for new UK-specific data laws might have been lost among the financial turmoil of the past few weeks, but they are likely to have far-reaching effects for all UK business for many years to come.

This Government clearly needs to ‘Zoom Out’ and think of the broader consequences before rushing into new policy announcements.

I wrote an article on the initial consultation for the Data Protection & Digital Information Bill 2022-23, which started… “if it looks like a duck, walks like a duck and quacks like a duck…it’s probably a duck”. Not sure much will change, as we need to maintain adequacy, so a new set of regulations is surely just more burden.

While the Government remains committed to high standards of data protection, the consultation concludes that the current data protection legislation leads to a box-ticking compliance regime and therefore ministers propose to place a new duty on controllers to implement a risk-based ‘privacy management programme’ (PMP).

A PMP would essentially be a form of compliance governance framework, which is intended to introduce a more ‘holistic’ and less rigid approach to accountability.

And this is where “if it looks like a duck, walks like a duck and quacks like a duck, it probably is a duck” comes in. If small business owners think they no longer need to bother with data protection, the consultation paper suggests that the PMP would need to include clear roles and responsibilities, such as who is designated as the responsible individual(s) for the privacy management programme and overseeing the organisation’s data protection compliance.

It goes on to say the designated individual(s) will also be responsible for representing the organisation to the Information Commissioner’s Office and consumers where necessary. Looks like a duck!

The PMP would need to include measures that include personal data inventories, internal data protection policies, risk assessment tools, procedures for communicating with consumers about their data protection rights and the organisation’s policies and processes, as well as plans to monitor, assess, review and revise the PMP. Walks like a duck!

Whilst the requirement for a record of processing activity (ROPA) is being removed (well, not really), when organisations were implementing GDPR in 2017/2018 I found they considered the ROPA process extremely valuable in delivering efficiency and generating greater value from their data.

The new requirements under a PMP would still require certain records be kept and Articles 13 and 14 of the UK GDPR will still require much of the same information to be recorded in privacy notices. Quacks like a duck!

If a PMP makes it easier for a business to understand what is required, and can be certified just like an ISMS (ISO 27001), then I’m all for this approach, as it will mean more businesses adopt it, leading to a higher level of protection for individuals. But isn’t this just a more pragmatic view of how UK GDPR is regulated?

Businesses don’t need a different set of regulations; it will just create a greater burden for UK firms. If UK companies want to trade and have customers in the EU, they need to comply with GDPR to help them thrive. They just need more pragmatic guidance on implementation.

J Cromack is executive director of innovation, partnerships and privacy at Edit and chief growth officer of The Salocin Group