Data reform bill: Experts criticize UK’s GDPR replacement


The UK wants to opt out of the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018.

Four years later, in May 2022, the UK government proposed a new bill to amend the current regime, which is made up of the Data Protection Act 2018, the UK GDPR and the UK’s implementation of the EU’s ePrivacy Directive, the Privacy and Electronic Communications Regulations (PECR).

The proposed bill, officially named the Data Protection and Digital Information Bill and known as the ‘Data Reform Bill’ (DRB), passed its first reading in the House of Commons in July and stalled ahead of its second reading following the change of government in September.

If adopted, the DRB will introduce a number of changes to the current UK GDPR. These include limitations on the scope of personal data; modification of the legitimate-interests basis for using personal data, to facilitate the use and sharing of data for scientific research and the public sector; redefinition of Data Protection Impact Assessments (DPIAs) as ‘high-risk processing assessments’; and a change in the threshold for refusing, or charging a reasonable fee for, a Subject Access Request (SAR) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.

The requirement to appoint a Data Protection Officer (DPO) would also give way to a requirement to nominate an appropriate Senior Responsible Individual (SRI), who would be responsible for data security risks within the organization or could delegate that task to suitably skilled individuals.

The government estimated the changes would deliver savings for businesses of more than £1bn over 10 years.

Criticism from experts

Some data protection experts have heavily criticized the proposed bill, arguing that it does not necessarily eliminate red tape at all.

“The general idea was to remove some red tape to help plumbers who find GDPR a burden. However, in some ways, it will bring more red tape,” Jonathan Armstrong, partner at compliance firm Cordery*, told Infosecurity.

A significant burden of the DRB is that many businesses will be forced to operate under two regimes. UK companies that deal with clients, customers, partners or suppliers overseas will face an additional layer of regulation on top of the existing rules.

“Any UK organization with links to the EU economy will have to comply with two data protection regimes rather than one,” Armstrong noted.

Michelle Moody, managing director of consulting firm Protiviti, agreed that it could complicate things for British businesses, and she told Infosecurity that some organizations “may choose to comply only with the GDPR, which is more restrictive.”

Armstrong also argued that some of the proposals are mere name changes that would complicate the compliance task with nothing gained in return.

“An SRI can be a DPO by another name, and then you have to modify the terminology in all the compliance documents,” he complained.

Moody commented: “The only change I can see between the two terms is, perhaps, more emphasis on SRI’s seniority.”

Political stance

Additionally, the DRB introduces concepts such as high-risk processing that, while not controversial, are “difficult to evaluate,” Armstrong argued.

Moreover, it reintroduces some of the red tape that GDPR repealed, such as the need for businesses to register with the Information Commissioner’s Office (ICO).

“Meanwhile, other controversial elements of the GDPR, such as the requirement to report a data breach within 72 hours, which in some cases is nearly impossible to achieve, are kept in the proposed bill,” Armstrong warned.

Dan Middleton, UK and Ireland VP at data management firm Veeam, admitted that “DRB has some elements that seem beneficial to UK businesses, such as the addition of a requirement to implement a risk-assessment approach when working with new partners.”

However, Middleton quickly added that “that’s the only area to look at in this bill at this stage.”

Armstrong described the bill as a “political stance”. He said: “A lot of the changes are wrapped up with the theory that Brexit hasn’t done much and more needs to be done, and that Europe has imposed GDPR and a lot of that will have to be reversed. But that’s a false premise: the UK started legislating on data protection in 1984, and some of the elements that the DRB wants to scrap, such as DPIAs, were first introduced by the UK’s Data Protection Act.”

While the draft bill is still officially on hiatus until further notice, the UK government has confirmed it wants to move away from the EU data protection regime.

On November 23, 2022, while the country was finalizing its first independent adequacy partnership with South Korea, allowing UK organizations to share personal data securely with the Asian country from December 19, 2022, UK Information Commissioner John Edwards criticized GDPR financial penalties and outlined a new, more relaxed approach that focuses on fixing the problem rather than imposing fines.

*Cordery is part of RELX Group, the owner of Infosecurity Magazine.