This week, the current minister responsible for the proposed UK GDPR reform, Michele Donelan, made a statement at the Conservative party conference that the UK Government wishes to get rid of GDPR and replace it with a ‘made in London’ version. The same government has delayed the current bill, placed before parliament barely two months ago, “to allow ministers to consider the legislation further”. That bill is a tinkering with the existing UK GDPR to make it look more ‘made in London’, but it still contains elements of the GDPR to ensure it does not risk our adequacy status.
The statement drew excitement from those in the conference hall, but the reality is that such a move would be counterproductive in reducing the burden on businesses generally and SMEs in particular. When was the last time your builder or plumber showed you their privacy notice?
Key Considerations For Organisations
When evaluating the government’s statements with regard to the UK’s data protection legal framework, the following are some of the major considerations to bear in mind:
- The UK Government proposals for growth include “Freeports & Enterprise Zones” where foreign investors would be free to invest. The hook is lower taxes and free trade, and that requires that data can flow unfettered between the UK and our trading partners, many of which reside in the EU. The current UK GDPR and our adequacy arrangements with the EU allow this. The changes in the proposed bill were “tweaks”, unlikely to affect the UK adequacy status. If one believes the rhetoric, the further divergence that the government is now proposing could put adequacy at risk and prove quixotic, as freeports would fail to deliver benefits because the companies operating there are mired in “red tape” caused by running parallel data compliance programmes.
- The current adequacy status of free-flowing personal data is based upon the current legislation and our acceptance of the safeguards to privacy, with redress to the European Court of Human Rights. Thus, any changes to one or both of these statuses would likely see the UK joining China, Russia and North Korea as a third state for personal data transfers.
- UK businesses that trade or have visitors to websites from outside the UK need to be compliant with the laws that govern data protection in the country that the service users are in when accessing the websites. In the case of Ireland or France for example, they need to conform with the EU GDPR. There is no escaping the fact that any changes made as part of the UK GDPR reform would only apply to data wholly collected and processed within England, Scotland and Wales.
- The UK Government has a busy parliamentary agenda and only two years left to deliver it; the finance bill, the growth agenda, fracking and freeports are high on the legislative timeline. However, since the election of Liz Truss, whilst on paper there is a majority of 71 MPs, events of recent weeks show that the government cannot rely on that too much. The absolute loyalty of MPs to the government’s legislative agenda is no longer set in concrete. This means that the government will need to face off many internal battles to ensure its flagship legislation gets through. With friendly fire in both Houses of Parliament, even the casual observer would point out that there will be delays to key elements of legislation, which will cause a knock-on effect to less politically important legislation such as UK GDPR reform.
- A change beyond the current bill’s contents would require a new public consultation, which once again threatens the parliamentary timetable.
- My final point is on cost. UK businesses have successfully integrated GDPR into their businesses, culture and DNA. Businesses have absorbed the costs already. There are no savings to be had for organisations that have access from overseas, as organisations will need to maintain dual compliance, and for multinational companies who run these programmes, the addition of a new data protection compliance programme will incur extra costs.
Final Thoughts on UK GDPR Reform
I founded and own a management consultancy that would stand to gain from a new data protection regime in the UK. We would gain more business managing the change and supporting our clients. However, I have loyalty to them and UK businesses. Speaking as an SME owner and an academic with a speciality in entrepreneurship and small business management, any proposal to go beyond the current legislative proposals within the Data Protection Bill is frankly erroneous and risks the UK Government’s wider growth agenda.
My professional advice, driven by nearly 40 years in business, is to leave it alone. Now is not the time to undertake such a proposal, whose only reasoning seems to be political, as the DCMS policy wonks are struggling to define the benefits.
If the government wished to change the current arrangements, the benefits to UK SME businesses would only amount to the saving of the ICO notification fee. However, for those who have to undertake a change programme to comply with a new set of regulations, the cost will be high and outweigh the benefits. It could derail the whole premise of the “freeport” concept, as data would have to meet the data protection compliance regimes of multiple other countries, not just the UK, and if you run parallel schemes your cost will increase again, outweighing any benefit the fifth sponsoring minister in the last 4 years tells you!