The UK Government has launched a public consultation on post-Brexit changes to its data protection laws, continuing to distance itself from GDPR and proposing to relax data protection laws to some degree. The consultation can be found here and is open until 19th November 2021.
The main idea is for a new system “based on common sense, not box ticking.” The government wants to achieve 3 objectives:
- to promote the use of data by businesses (but in a protected and responsible manner, of course), as it is a valuable business asset;
- in the light of Covid-19, to simplify medical data sharing; and
- to alleviate the costly data protection burden that has fallen on small businesses.
“Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society,” says Digital Secretary Oliver Dowden, continuing, “These reforms will keep people’s data safe and secure, while ushering in a new golden age of growth and innovation right across the UK, as we build back better from the pandemic.”
A reduced data protection burden for smaller organisations?
The Government also claims that, when it comes to data security, a “small hairdressing business” should not have to go through the same data protection procedures as a multinational technology firm, such as Facebook. Instead, organisations should comply with systems “more appropriate to their circumstances.”
It certainly seems that the Government does not intend to lighten the burden on large organisations such as Facebook, as it won’t want to be seen to encourage a repeat of Facebook’s previous data breaches.
The Government suggests that we can use our new regulatory freedoms, having left the EU, to “take bold action in the national interest and in the interest of British businesses and consumers.”
Relaxing data protection laws for smaller organisations does make a lot of sense. The EU’s GDPR brought in both a rigorous protection system (with no exceptions for small businesses, voluntary organisations or small charities) and a harsh system of potentially enormous fines for breaches. Certainly we are fans of reducing the potential level of fines for smaller businesses. They are ridiculous when compared to fines for breaching other laws.
It remains to be seen what the new future of data privacy in the UK will entail in practice, and in particular whether the fines will be reduced for smaller organisations. While this may appear to be a good thing, lowering the UK’s data protections to any significant degree would disqualify it from equivalence with GDPR, which is required for transferring data to the UK from the EU.