What will the Data Reform Bill mean for UK businesses?

What will the Data Reform Bill mean for UK businesses?

The government recently outlined a set of proposals for the Data Reform Bill in a shake-up of the UK’s data protection laws as part of the UK’s post Brexit national data strategy. Current legislation comes from the UK Data Protection Act 2018 and the retained EU GDPR which is referred to as the UK GDPR.

The Data Reform Bill aims to reduce the burden of data protection compliance – moving away from the prescriptive current legislation to a more outcome focused regime providing businesses with more flexibility in managing data protection risks. For example, reform will strip away the requirement in some circumstances for organisations to have a mandatory Data Protection Officer (DPO) or to carry out data protection impact assessments. Releasing small businesses of these time-consuming duties should allow them to better unlock the power of data for economic growth.

Organisations will be required to have a ‘privacy management programme’. Although reform will strip away some regulatory burdens the accountability principle of the UK GDPR will remain true to the heart of UK reform. From a data protection law perspective what may appear as lax reform could be seen a political point aimed to get positive publicity.  

One favorable takeaway of the reform (which will benefit individuals and businesses) is that PECR rules (rules surrounding electronic communications) will be overhauled and the requirement to gain user consent will be dampened down. Moving to an opt-out model for cookies should make it easier for websites to provide a better experience and remove the need for annoying pop-ups when browsing through multiple websites. 

The UK received an adequacy decision in June last year which allows the free flow of personal data between the UK and the European Economic Area. Data protection experts, including myself, are concerned that any divergence away from the EU GDPR to a more flexible and less burdensome regulatory regime may put any future adequacy decision at risk.

The European Commission included a ‘sunset clause’ in the UK’s adequacy decision, limiting the duration of the decision to four years, and will only be renewed if the UK continues to ensure an adequate level of data protection. The aim is to protect the EU against future divergence by the UK from GDPR, and the European Commission has been clear that it will monitor UK compliance during this period and could intervene at any point.  

It will be interesting to see whether the proposed data reforms will result in intervention by the Commission and how the UK government might react. A loss of adequacy could make transferring personal data outside the UK very complex and burdensome, and any immediate cost of adjustment would hit UK businesses hard. 

Perhaps more fundamentally, could it be that the UK’s need to open data protection reform and to spearhead innovation is seen as a contradiction to the essence of data protection laws which is to protect the fundamental rights and freedom of individuals. By loosening the current regulatory regime will individuals have less privacy. This remains to be seen.   

Our subject expert

Lillian Tsang MBA

Lillian Tsang MBA

Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters - from strategic compliance with a global stance to day-to-day operations. Her role also includes Harper James' Head of DPOaaS division (Data Protection Officer as a Service), where we act as the external DPO for a business or provide support to existing DPOs.


Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry