Data Protection Reform Bill to change the UK GDPR

In the Queen’s Speech 2022 (read by Prince Charles) on 10th May 2022, one of the lines was

“The United Kingdom data protection regime will be reformed”

Such a small phrase, but with potentially huge impact for us all.

The briefing pack for the Queen’s Speech 2022 added some more insight into the government’s thinking. It states under ‘key facts’ that

The UK General Data Protection Regulation and Data Protection Act 2018 are highly complex and prescriptive pieces of legislation. They encourage excessive paperwork, and create burdens on businesses with little benefit to citizens.
Because we have left the EU, we now have the opportunity to reform the data protection framework. This Bill will reduce burdens on businesses as well as provide clarity to researchers on how best to use personal data.

Queen’s speech 2022: background briefing notes page 58

The main elements of the Bill will be:

Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.

Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.

Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

Queen’s speech 2022: background briefing notes page 58

We would expect the next step to be a formal response by the UK government to their ‘Data: A New Direction’ consultation, which will give a better sense of what will be changing, and then the publication of the draft Data Reform Bill. As soon as clear proposals for change are made, we will be running a free webinar to explain what is proposed, how it will affect non-profits, and what to do about it.

In the consultation there was talk of not requiring consent for email and SMS marketing in some cases, much like the ‘soft opt in’ which commercial organisations have been able to rely on for many years. So it will be interesting to see if that is part of the Bill.

We have heard two other views expressed today, with which we have some sympathy. The first is that any deviation from the EU GDPR could put the EU’s adequacy decision at risk, and that has very significant implications. The second is whether making things perhaps a little easier is worth the upheaval, when organisations have for the last 4 years (at least) baked the UK GDPR into their policies and procedures.