A new UK GDPR bill re-introduced to parliament this week could end up adding cost and complexity to corporate compliance efforts, and lead to some “unintended consequences,” legal experts have warned.
The Data Protection and Digital Information (DPDI) Bill was announced to much fanfare on Wednesday, with the government claiming it could save UK firms up to £4.7bn ($5.6bn) over the coming decade while bolstering data protection and privacy.
Keen to show some benefit from leaving the EU, the government focused on reducing paperwork for businesses and providing more flexibility about how they can comply with the localized version of the GDPR.
However, legal experts questioned some of the proposals, arguing that firms with European operations would either not be able to take advantage of the new efficiencies or be forced to change their existing compliance frameworks.
“The things that critics of the previous bill focused on – removal of data protection officers, broadening of consent and restricting individual rights – have remained,” explained Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice.
“That will be music to the ears of some businesses, but those with European operations must now decide whether or not to maintain a single compliance standard across the EU and UK, which will reduce some of the compliance efficiencies they would have hoped to make.”
Those that do not maintain a single standard will have to spend time and money adapting their stance, added Cordery partner Andre Bywater.
“Whatever the final outcome, international organizations that have devoted much work, time and resources trying to ensure compliance with both the existing UK GDPR and EU GDPR may find that there is more work for them to do on the UK side of things – such as with regard to work to be done on the so-called ‘Senior Responsible Individual’ or ‘Records of Processing,’” he wrote.
Given that the EU is the UK’s largest trading partner, accounting for 42% of all exports and 45% of imports, this could impact a large number of British organizations.
Experts also raised concerns about the consequences of making compliance easier for businesses – particularly in the new rule that only organizations whose processing activities are likely to pose “high risks” to personal rights and freedoms need to keep processing records.
“A number of the proposed changes are sensible, but I do worry that cutting red tape for the sake of it could have unintended consequences,” warned Machin.
“Although no one is going to complain about a reduction in paperwork, removing the requirement for most businesses to maintain personal data inventories means they might struggle to understand how and where they hold data, which isn’t in anybody’s benefit.”
Chris Denbigh-White, security strategist at the data loss prevention firm Next DLP, added that the balance between the rights of data subjects and those of data processors may have tipped too far in favor of the latter.
“Revisions in the handling of Data Subject Access requests (DSARs) show a slight favoring of the data processors over the data subjects,” he argued.
“While safeguards around ‘vexatious’ and ‘abuse of process’ data requests are a sensible step to take, their introduction does include a certain layer of uncertainty as to the threshold of what can be determined as ‘vexatious’ and who sets that threshold. It could serve to weaken data subjects’ rights to data access.”
Antonis Patrikios, a partner and global co-chair of the data privacy and cyber security practice at Dentons, agreed with Denbigh-White that there is a “justified concern” that the bill may impact the UK’s data adequacy in the eyes of the European Commission.
However, he took a more positive view of the bill overall.
“Clarifications around legitimate interests, scientific research and automated decision-making are bound to make it easier for companies to explore the potential of new technologies and AI without worrying about the risk of technical non-compliance with rules that lack clarity. The reduction of formalities and paperwork is bound to improve efficiency and reduce compliance costs, while not reducing substantive levels of data protection,” said Patrikios.
“The ability to perform two of the most basic digital business functions – operating a website or an app and sharing data with group companies in other regions – with legal certainty and without having to conduct expensive detailed legal analyses of complex legal must be welcome news for everyone.”