Culture secretary Michelle Donelan announced on Monday that the UK will have its own version of GDPR to replace the EU’s system.
The General Data Protection Regulation (GDPR) first came into force in 2018, but for UK businesses it became UK GDPR in January 2021.
Last June, the Government announced a Data Protection and Digital Information Bill to replace GDPR, but that bill has since been put on hold for reconsideration. It was based on the existing EU framework, with some easing of the rules for small businesses.
What do we know about the new UK version of GDPR?
Donelan didn’t list many concrete details about what the new legislation would entail when speaking at the Conservative Party Conference in Birmingham but said: “I can promise … that it will be simpler and clearer for businesses to navigate.”
She added it will be built on “common sense, helping to prevent losses from cyberattacks and data breaches, while protecting data privacy”.
It was also revealed British businesses would get a say in the shaping of the new data protection system.
The data adequacy question
When the original Data Protection and Digital Information Bill was announced back in June, fears were raised that new legislation might not be compatible with GDPR in Europe and could threaten the UK’s data adequacy agreement with the EU.
Data adequacy means another country’s data protection legislation is judged to be of a similar or higher standard to the EU’s – something the EU requires before personal data can flow freely between it and that external country.
Data adequacy is due for a full review by the EU in 2025.
For British businesses that rely on European customers, a removal of this agreement by European lawmakers could see a £1bn drop in trading revenue and £420m in compliance costs over five years, according to the Centre for European Reform.
The UK government hopes that the EU will grant data adequacy to whatever form the new legislation takes, removing this threat.
Donelan cited Japan, Canada, South Korea, Israel and New Zealand as examples of data regulations working outside of GDPR.
Notably, the US does not have data adequacy with the EU. It has, however, agreed in principle on a new Trans-Atlantic Data Privacy Network after the EU-US Privacy Shield was declared no longer valid in July 2020.
Donelan admits data adequacy is central to the plan for the new bill so businesses can continue trading freely.
What does the new GDPR version mean for small businesses?
Donelan claimed at the conference that current GDPR regulations are creating a disproportionate burden on small businesses, saying they are currently “shackled by lots of unnecessary red tape” and that the regulation “caps” business profits by 8 per cent.
Tina McKenzie, policy and advocacy chair at the Federation of Small Businesses (FSB), told Small Business that any potential update or replacement for GDPR must have at its core a commitment to lower costs and compliance burdens for small businesses.
She said: “Changes should balance streamlining and easing the burden, while also preventing additional barriers to cross-border data sharing and trade with the EU, US and other major markets.
“It’s important for mooted changes to reflect that small firms have already expended considerable time and effort in ensuring they comply with the current GDPR rules.
“Small firms are looking for more support and flexibility in compliance, easy-to-use and accessible guidance, and fewer prescriptive requirements. Divergence from the EU GDPR must both work domestically, as well as protecting small businesses’ ability to trade.”
Stephanie Clarke, employment solicitor at SA Law, told Small Business she hopes the new law does what is needed to achieve data protection without being a “nuisance”.
She said: “The UK GDPR in its current form is notoriously bureaucratic and is disproportionately onerous on small businesses, where there is often excessive caution in handling data at the expense of growth and innovation.
“Whilst the core principles of data protection law are solid and I do not anticipate an erosion of data security requirements, especially around issues of cyber security, there are some more peripheral areas which could benefit from simplification.
“It might be the case that there are changes around the use of data for marketing purposes, including a possible derogation from EU cookie law, along with changes to the principles around data retention. These are often seen as areas where there is no obvious need for protection and where UK businesses have particularly struggled with compliance.”
Neil Thacker, CISO of cybersecurity company Netskope, is sceptical that small businesses will benefit from the new legislation, however, saying: “Having to process data differently for any region adds to the costs of businesses, so for any organisation working internationally, adding yet another international regulation will bring cost and further resource burden.
“In addition, gaining adequacy confirmation with the GDPR is a process that takes time, which risks causing yet more uncertainty for British businesses and those looking to trade with the UK.
“Lawyers will get work from this, info security and data professionals will get headaches from this, and data subjects can only be more confused.”