GDPR in the UK: what will it look like?
The Federation of Small Businesses says that the new UK GDPR must focus on lowering costs and compliance issues for small businesses.
According to Culture Secretary Michelle Donelan, the UK will have its own GDPR system to replace the EU's.
General Data Protection Regulation (GDPR) was first introduced in 2018, but became UK GDPR in January 2021.
Last June, the government announced a Data Protection and Digital Information Bill to replace GDPR. The regulations for small businesses were eased based on the existing EU framework.
How does the new UK GDPR compare to the old one?
When speaking at the Conservative Party Conference in Birmingham, Donelan did not provide many details about what the new legislation would entail, but stated: "I can promise ... that it will be simpler and clearer for businesses."
In addition, it will be based on "common sense, protecting data privacy while preventing losses from cyberattacks and data breaches."
British businesses will also have a say in the new data protection system.
Adequacy of data
With the original Data Protection and Digital Information Bill in June, there were concerns that new legislation may not be compatible with GDPR in Europe and could threaten the UK's data adequacy agreement.
In order for the EU to ensure the flow of data between it and an external country, other countries' legislation must be of a similar or higher standard.
2025 is the deadline for the EU to review data adequacy.
According to the Centre for European Reform, removing this agreement would result in a £1bn drop in trading revenue and £420m in compliance costs for British businesses that rely on European customers.
According to the UK government, the EU will grant data adequacy to whatever the new legislation turns out to be, removing this threat.
As examples of countries outside of GDPR, Donelan cited Japan, Canada, South Korea, Israel, and New Zealand.
A notable difference between the US and the EU is the lack of data adequacy. After the EU-US Privacy Shield was declared invalid in July 2020, a new Trans-Atlantic Data Privacy Network was agreed upon in principle.
As part of the new bill, Donelan acknowledges that data adequacy is key to businesses' ability to trade freely.
How does the revised GDPR version affect small businesses?
During the conference, Donelan claimed that current GDPR regulations create a disproportionate burden on small businesses, saying they are "shackled by unnecessary red tape" and "cap" profits by 8%.
Tina McKenzie, policy and advocacy chair at the Federation of Small Businesses (FSB), said that any potential update or replacement for GDPR must have at its core a commitment to lower costs and compliance issues for small businesses.
She said: “Changes should balance streamlining and easing the burden, while also preventing additional barriers to cross-border data sharing and trade with the EU, US and other major markets.
“It’s important for mooted changes to reflect that small firms have already expended considerable time and effort in ensuring they comply with the current GDPR rules.
“Small firms are looking for more support and flexibility in compliance, easy-to-use and accessible guidance, and fewer prescriptive requirements. Divergence from the EU GDPR must both work domestically, as well as protecting small businesses’ ability to trade.”
Stephanie Clarke, employment solicitor at SA Law, told Small Business she hopes the new law does what is needed to achieve data protection without being a “nuisance”.
She said: “The UK GDPR in its current form is notoriously bureaucratic and is disproportionately onerous on small businesses, where there is often excessive caution in handling data at the expense of growth and innovation.
“Whilst the core principles of data protection law are solid and I do not anticipate an erosion of data security requirements, especially around issues of cyber security, there are some more peripheral areas which could benefit from simplification.
“It might be the case that there are changes around the use of data for marketing purposes, including a possible derogation from EU cookie law, along with changes to the principles around data retention. These are often seen as areas where there is no obvious need for protection and where UK businesses have particularly struggled with compliance.”
Culture secretary Michelle Donelan announced on Monday that the UK will have its own version of GDPR to replace the EU’s system.
General Data Protection Regulation (GDPR) first came onto the scene in 2018, but for UK businesses morphed into UK GDPR in January 2021.
The Government announced a Data Protection and Digital Information Bill to replace GDPR last June, but that has been put on hold and reconsidered. This was based on the existing EU framework, with some easing of small business regulations.