The UK Government has invited responses from stakeholders as part of an evidence-based approach to developing a risk-based data protection framework fit for the future.
As data is considered to be the driving force of the modern economy and one of the most important resources in the world, the aim of the process is to seize the opportunity from new regulatory freedoms following Brexit to build a framework of laws based on common sense, not a box-ticking exercise. The aim is to build on key elements of GDPR, not to water down the current legislation. The clear message is that protection of personal data must remain at the core of any new regime to maintain public trust.
The plan has been described as bold, well thought out and much needed, against a background of criticism from businesses that have found the existing regulations complex and unclear, creating uncertainty and a barrier to data access. The reforms will introduce a more flexible regime and encourage organisations to use data responsibly.
The key changes proposed include removing the need to:
The wider reforms include the creation of an ‘exhaustive’ list of situations where the legitimate interest test will apply without having to conduct a balancing exercise, aimed at creating greater certainty for business when complying with the legitimate interest test without a detailed analysis.
The regime will also allow the use of data for AI projects and other innovations. There are specific provisions for AI, such as allowing the use of data to monitor bias in AI systems and allowing the use of personal data for research by widening the situations where data can be used for new purposes.
There will be no change to the central principles of GDPR; the data protection principles and the lawful bases for processing remain intact. The division between controller and processor will also stay.
The strict requirements within GDPR will be replaced by a more flexible obligation to implement a ‘privacy management programme’. The changes will not amount to a bonfire of the GDPR regulations as there will remain obligations to create defined roles and responsibilities for data protection including a designated individual to take responsibility for the programme and be a contact point for the ICO. The move is intended to encourage organisations to invest effectively in the process of governance, policies, people and skills that protect personal data with an outcomes-based focus.
The proposal also aims to reform the ICO and its powers, including measures to move the ICO away from handling high-volume, low-level complaints to dealing with the most serious cases.
Within its impact assessment, the government anticipates that the changes will create cost benefits of £1.04 billion over 10 years by removing the barriers to responsible data use. That figure could rise to £1.45bn if adequacy status with the EU is retained. The changes are expected to benefit small and medium-sized businesses proportionately more.
It remains to be seen whether the responses from stakeholders encourage the government to go further in reducing the burden on business of the existing GDPR regime towards a more radical reform without jeopardising its adequacy status with the EU, which is vital to the free transfer of data between the EU and the UK.
If you need further advice and support on compliance issues, look no further than ESA Risk. Our risk management and business consulting teams are here to help your business manage risk, excel and grow. Contact Mike Wright, Risk Management and Investigations Consultant at firstname.lastname@example.org, on +44 (0)843 515 8686 or via our contact form.