How is data protection changing in the UK?

August 5, 2022 Matthew Peake

On the 18th July the UK government unveiled the Data Protection and Digital Information Bill – broadly a response to the ‘Data: A New Direction’ Consultation, which looked to create ‘a new ambitious, pro-growth and innovation-friendly data protection regime in the UK’. 

The new Bill seeks to take the UK in a different direction from the EU and its GDPR data protection and privacy rules, which it is free to do following Brexit. Indeed this reform is being described as a ‘Brexit Dividend’ Bill by the UK government – one that can be seen as a clear benefit of leaving the EU. The government seems convinced of these benefits, choosing to release the Bill amidst the significant political uncertainty caused by Boris’ resignation and the ensuing leadership contest. 

Does the Bill threaten the existing data adequacy decision? 

One key question stemming from the Bill is how breaking from GDPR and implementing new rules will affect businesses that operate across the UK and EU. The UK government has been in close contact with the European Commission throughout the reform process, so it’s unlikely that the changes risk the UK losing its EU adequacy decision. Adequacy is a status granted by the EU to non-EU countries and territories. It states that they have an ‘essentially equivalent’ level of data protection to that which exists within the EU, and it enables the frictionless exchange of data between the EU and other countries, allowing a variety of businesses to operate seamlessly across both.

It’s certain the European Commission will closely monitor the Bill’s passage through Parliament and its implementation. The European Commission’s preliminary decision could also change if the government is forced to accept backbench amendments that move the Bill further from the status quo.

Impact of data reform

Due to the desire to maintain data adequacy, the scope of the changes introduced by the Bill may be less revolutionary than some stakeholders wanted. Nevertheless, the overall proposals represent a step in the right direction.

The proposals cover a wide range of areas – key ones for tech companies include: 

Creating a statutory definition of ‘scientific research’ and consolidating the definition of consent for scientific research. While this may help to boost research-related activity, it is not yet fully clear whether this includes commercial R&D activities.

Providing a list of areas that are recognised as ‘legitimate interests’, where processing will be lawful without the need for data processors and controllers to consider the weighing-and-balancing of risks. This list is currently very narrow and further consideration needs to be given to widening it to bring it in line with the consultation proposals.

Further clarity on automated decision-making in the context of AI-related technologies. This includes definitions of the types of permitted automated decisions and the information that must be provided to data subjects. However, further clarification is needed on how this will interact with the Government’s approach to future AI governance (something that the EU is also currently evaluating).

The Bill also provides the statutory underpinning to digital identity verification services (DVS) in the UK. It’s likely this will build on the ‘UK digital identity and attributes trust framework’ published in June 2022, which aims to enhance standards and trust in DVS. One key action suggested by the framework was establishing a register of DVS providers that meet agreed standards.

Proposed changes to The Information Commissioner's Office

The Bill has also outlined significant reform of the key data regulator, the Information Commissioner's Office (ICO) – renamed the ‘Information Commission’. While its role and responsibilities will remain the same, new objectives will be aligned to growth, innovation and competition. To this end, the Bill also proposes transforming the ICO’s governance structure to have a statutory board plus a Chair and Chief Executive to consider the economic impact of its decisions, develop a robust international strategy, as well as new transparency and reporting requirements. 

What’s next for UK data reform?

The UK is keen to forge its own path when it comes to data – perceiving a Brexit dividend and the opportunity to realize a more industry-friendly stance. However, multinational businesses still face the traditional challenges derived from facing more prescriptive requirements elsewhere, which could cause friction in meeting KYC (know your customer) and anti-money laundering requirements.

This global patchwork of different approaches to data protection seems destined to continue, at least in the near term. It seems unlikely that global consensus will be reached on common rules and approach in the near term. The UK is taking a positive step by seeking to improve its approach to data privacy, and I believe it will drive a positive result for tech companies, innovation, and their customers.

To learn more about how Onfido can help your business navigate identity verification requirements, get in touch.

About the Author

Matthew Peake

Matt is Onfido's Global Director of Public Policy. He has nearly 20 years' experience in public policy roles in telecoms and technology. Prior to Onfido, he spent over 10 years as Head of Policy for UK and Ireland at Verizon, the US tech giant, overseeing policy across a range of areas including digital competition, cyber security and privacy. Matt holds a law degree (UEA), an MBA (Henley Business School), a post-graduate diploma in Competition Law (King's College) and a diploma in business international relations and the political economy (London School of Economics).
