Punit Bhatia

UK Data Protection Reform - A Perspective

Recently, the UK government ran a consultation on reforming its data protection regime under the name "Data: A New Direction". On 17 June 2022, the government's response to that consultation was published. Let us look at what this consultation response actually proposes.

The Objectives of National Data Strategy

Based on the UK government's response, one can identify five broad objectives as the government seeks to future-proof the data protection regime:
  • Reduce barriers to responsible innovation
  • Reduce the disproportionate burden on business in being able to deliver outcomes to people
  • Boost trade and reduce barriers to data transfers
  • Deliver better public services
  • Reform the ICO
The full government response to the consultation is published on the UK government's website.

Understanding the Key Changes Proposed

Reading through the consultation response, the following stand out as the key changes being proposed.

Data Protection Officer

Privacy responsibility sits with a senior business person instead of a DPO.

The consultation response states that the government plans to replace the requirement to appoint a Data Protection Officer (DPO) with a requirement to designate a suitable senior individual to oversee the organisation's data protection compliance. In practice, larger organisations already appoint a 'privacy sponsor', 'privacy owner' or 'privacy executive' to work alongside the DPO in overseeing compliance, because privacy management needs business understanding and buy-in, and those sit with business executives. Many organisations, even large ones, lacked the budget to appoint a dedicated DPO and relied on business executives to shoulder the responsibility. What the proposal misses, however, is that privacy oversight requires deep knowledge of data protection law, and it was the DPO role that brought that knowledge.

In my view, this does not change much: it formalises in regulation the reality on the ground, because larger organisations will still appoint a DPO to ensure the right knowledge, skills and oversight are available to the designated executive. It would, of course, make things easier for smaller businesses, for which appointing a DPO was an overhead and often a source of confusion.

Replace current Data Protection Impact Assessments (DPIA) with risk assessments

The consultation response states that the government plans to remove the requirement to carry out a DPIA, and to consult the data protection authority (the ICO) beforehand, for high-risk processing. At the same time, the response states that "organisations will still be required to consider risk through the implementation of their risk-based privacy management programme, and therefore this in itself is likely to mitigate the potential risk of protected characteristics not being identified".

In my view, this may seem to make things easier, but what does "consider risk through the implementation of their risk-based privacy management programme" mean in practice? It amounts to conducting a risk assessment, which is exactly what a DPIA is. So what would change? In my view, nothing except the name.

Removal of balancing test for certain processing under Legitimate interest

To address issues with the current balancing test for processing under legitimate interests, there is a proposal that certain processing activities shall not require a balancing test. For example, processing to prevent crime or to report safeguarding concerns, or processing necessary for other important reasons of public interest, may be permitted without the need for a balancing test.

In my view, this is a welcome change, as it will set out clearly which processing activities can rely on legitimate interests as their lawful basis.

Move from opt-in to opt-out for cookies

Almost all of us dislike cookie banners. To address this, the government plans to legislate to remove the need for websites to display cookie banners to UK residents. This will happen in two steps.

  • Step 1: In the immediate term, the government intends to allow the placement of non-intrusive cookies without user consent.
  • Step 2: In the longer term, the government will work with industry and regulators to find alternatives such as browser-based solutions and opt-out preferences.


In my view, this is a welcome change and should be pursued globally through a common standard for cookie management on websites.

Ease data transfers through adequacy risk assessment

We all know that the international data transfer landscape is a mess. To address this, the government plans "to take this reform forward and ensure new mechanisms". What does this mean? There has been talk of an adequacy risk assessment, but it is not yet clear how it would differ from the current requirement for transfer risk assessments.

In my view, there were some interesting proposals here, but with no consensus or only mixed opinion on them, we have to live with the challenges we have for now.

In addition, there are other changes being proposed in the context of:
  • reforming the Information Commissioner's Office to ensure that the regulator is strong and relevant in a data-driven world. I cannot agree more on this, because the use of personal data needs to be regulated, and compliance with regulation is best overseen by a strong and independent regulator.
  • ensuring the explainability and intelligibility of AI-powered automated decision-making. I believe these are better addressed through AI regulation, because artificial intelligence and machine learning are going to be at the core of the new digital world we are moving into.
  • adapting the records of processing activities (ROPA) requirement of UK GDPR Article 30, with a recommendation to keep data inventories instead. In my view, smart organisations realise the value of knowing what data they hold and the role it plays in extracting value from that data. Organisations that understand this will keep maintaining data inventories, but in a simpler way.
In summary, and without going into too much detail, the emphasis is on simplifying data protection compliance by placing more weight on a risk-based privacy management programme that lets an organisation demonstrate accountability against the principles of data protection rather than tick-box compliance with prescriptive requirements. In doing so, burdens on businesses and barriers to innovation shall be removed (or at least reduced), compliance with data protection law made simpler, and data protection made easier for end users to understand (instead of clicking "yes" on meaningless cookie banners).

The reaction of the Information Commissioner's Office

John Edwards, the UK Information Commissioner, has fully endorsed the consultation response, stating:
“I share and support the ambition of these reforms.
I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.
We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”
A fair reaction, as one would expect the Information Commissioner's Office to support the government of the land. The ICO's full response is published on its website.

Conclusion

The EU General Data Protection Regulation (GDPR) has set the bar very high. Now that the UK has its own data protection regime in the form of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), this is a step in the right direction that takes data protection forward. In my view, most of these changes are practical and necessary to make privacy management pragmatic and less burdensome.
Let us not get too far ahead of ourselves. This is a response to a consultation. Nothing has changed in data protection law yet: the Data Protection Act 2018 and the UK GDPR still apply as they stand. It remains to be seen how far the actual legislative changes will go. While time will tell the direction of data protection standards, the developments in the UK will be keenly watched and debated. And I am sure that privacy professionals, supporters and data subjects would support constructive and pragmatic changes, because none of us likes the current situation with regard to personal data transfers and cookies, to say the least.