What’s happening with the Data Protection Bill?

The UK’s data protection laws continue to face an uncertain future, with the government recently confirming it will once again be going back to the drawing board on reforms.

Owen Rowland, Deputy Director for Domestic Data Protection Policy at the Department for Digital, Culture, Media and Sport (DCMS), has said further consultation will be required to ensure the country’s legislation is fit for purpose.

Talking to delegates at a Westminster Forum event on October 28th, Mr Rowland suggested this would likely delay the passage of the proposed Data Protection and Digital Information Bill (Data Protection Bill) through parliament.

The scheduled second reading of the Bill was already postponed in September, less than 24 hours after Liz Truss was appointed as the UK’s new prime minister. Following Truss’s resignation in October, and her replacement with Rishi Sunak, it’s no surprise there is confusion about the Bill’s future.

Is it still going ahead? How long will the new consultation be? And what do these developments mean for organisations and data professionals? Let’s take a look at what we currently know.

How are data laws changing?

Under the Johnson Government, changes to the UK GDPR were due to be made through the Data Protection Bill, which was introduced into Parliament for its first reading in June 2022 after an extensive consultation.

However, the Bill was only set to amend the existing Data Protection Act 2018 and UK GDPR. At the Conservative Party Conference in early October, DCMS Secretary of State Michelle Donelan unveiled new plans that, if taken at face value, sought to go much further.

“I am announcing that we will be replacing GDPR with our own business and consumer-friendly, British data protection system,” she stated. (Our emphasis).

“Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyber-attacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”

Where does this leave the Data Protection Bill?

Like many party political statements, Ms Donelan’s speech was heavy on the rhetoric and relatively short on details. For example, she promised to reduce red tape and support job creators – which many businesses will be pleased to hear – but didn’t offer any insight into what changes would be made to achieve this.

The announcement therefore seemed to raise more questions than it answered. And what will happen now that Rishi Sunak is prime minister?

Ms Donelan remained in her post following Sunak’s Cabinet reshuffle, perhaps suggesting there will be no major reversals of the government’s DCMS policies. Indeed, Mr Rowland’s recent confirmation that a new consultation will be carried out aligns with comments made in Ms Donelan’s conference speech.

“I will be involving [organisations] right from the start in the design of a tailored, business-friendly British system of data protection,” she stated.

However, it’s still not clear at this stage whether the intention is to amend the Bill to include a new GDPR regime, or whether the Bill is being scrapped entirely. In October, the government claimed more information about its future would be released in the coming weeks and months, but it has not been particularly forthcoming since.

So, for the moment, the Bill is in limbo. No new date has been set for the scheduled second reading, and it has not been confirmed whether a second reading will go ahead at all.

How will legislative changes affect organisations?

Without any firm commitments from the government regarding the changes that will occur, it’s difficult to predict what these developments mean for businesses. That said, it’s likely any new data protection system would need to overcome many of the same challenges that the Data Protection Bill faced.

A key criticism of the Bill was that any comprehensive changes to UK data laws could risk the country’s ‘adequacy decisions’ status with the EU. Adequacy decisions are a designation that enables the free flow of personal data between the EU and other countries.

It’s a formal recognition that a particular territory, nation, state or organisation has data protection levels that are essentially equivalent to the EU’s. At the moment, the UK’s version of the GDPR means it falls under this designation. However, any large-scale reforms to the country’s data laws could threaten this status, preventing organisations from transferring data between their UK and EU operations.

This would have a significant impact on multinationals. According to the government’s own statistics, 41% of large organisations transfer data digitally overseas. A government impact assessment has calculated the cost of losing data adequacy:

“We estimate the impact of adequacy with the EU being discontinued… to be between £190 million and £460 million in one-off SCC (standard contractual clauses) costs and an annual cost of between £210 million and £410 million in lost export revenue.”

Any data-related reforms must therefore tread a fine line. Change too little, and they are unlikely to achieve their stated goals; change too much and the UK could lose its data adequacy status.

Ms Donelan tried to allay some of these concerns in her speech, saying:

“[Our new system of data protection] protects the consumer, protects data adequacy and increases the trade that good data protection enables, while increasing productivity and also avoids the pitfalls of a one-size-fits-all system.”

More recently, Mr Rowland offered further assurances that data adequacy considerations weren’t being ignored.

“Data adequacy with the EU is at the heart of the approach we are taking going forward,” he was quoted by Tech Monitor as saying.

What does this mean for data jobs?

One of the more notable reforms in the Data Protection Bill was a proposal to remove the UK GDPR requirement for organisations to designate an independent Data Protection Officer (DPO) if they are ‘Controllers’ or ‘Processors’ of data.

Most respondents to the government’s consultation disagreed with the proposal, which would have instead seen the DPO role transferred to a ‘senior responsible individual’ (SRI) within the organisation. Any business with ‘low risk’ data processing activities would be exempt from this obligation.

Ultimately, the government decided to go ahead with the reform anyway, despite opposition.

This raised a number of questions about what would happen to DPOs already in place. Would they be promoted to senior management positions within organisations? Or could an SRI be selected and then delegate their responsibilities to an existing DPO?

Some organisations also questioned the purpose of the reform itself. After all, if the DPO’s role and responsibilities were simply being transferred to another individual, what meaningful changes were being made?

With the Bill now on pause, we may not get answers to these questions anytime soon. And Ms Donelan’s speech didn’t mention DPOs or data jobs specifically, instead saying the new laws would “support our job creators”.

What happens next?

Organisations and data professionals will unfortunately have to wait longer to find out how – and when – the government is reforming the country’s data legislation.

Adding to this uncertainty is the ongoing tumult in the UK’s socio-political and economic landscape. Ms Truss resigned after just 44 days as prime minister, and the Conservative Party still trail Labour by an average of 20 percentage points in the polls.

As such, many organisations will understandably be taking a wait-and-see approach until further information comes to light.

The UK Government seems keen to insist they’re trying to unleash the potential of data in the country to spur growth and job creation, while reducing bureaucracy. Data protection professionals, however, seem sceptical this will be achieved.

In the meantime, we will endeavour to keep both clients and candidates up to date with the latest developments and opportunities available in the market.

Barclay Simpson has specialised in the recruitment of data professionals since 2003, and our services now cover roles in data privacy and protection, data engineering, data architecture and data governance.

So if you would like to discuss your data recruitment needs, please give me, Ali Asamoah, a call on 0207 936 2601 or email me at aa@barclaysimpson.com. Or get in touch via the contact form.