
What a new UK GDPR law might look like

Rishi Sunak’s recent comments during the launch event for Treasury Connect have been used in the media to suggest that the UK is going to abandon GDPR entirely, and that there will be no alternative. This, however, is false. 

The UK is simply investigating whether it wants to come up with its own version of the GDPR and how this reform would look.

The intention of the UK government is therefore not to abandon GDPR completely, but rather to rewrite some of the data protection principles and articles from the UK GDPR to empower businesses to innovate, while continuing to protect citizens' data.




Since the introduction of the adequacy decisions by the UK for the EU and vice versa, data has been allowed to flow freely between the two geographies. Leaving the EU has made it easier, in some ways, for the UK to do business with countries outside of the EU. But the UK government still feels that it would benefit the economy and the UK as a whole to introduce some changes to the stringent data protection framework currently in place. 

MP Oliver Dowden commented on this: “Now that we have left the EU, we have the freedom to create a bold new data regime, one that unleashes data’s power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection.”

Data has been widely recognised to be the driving force of the modern economy, and GDPR has created some barriers for businesses that want to trade seamlessly internationally. A reform, therefore, would be welcomed by most private businesses in the UK.

The main topic of conversation is how the UK intends to strike a balance between innovation that makes use of emerging technologies and the protection of people.

The proposed reform tackles a range of issues with the current UK GDPR, from the freedom research institutions have to re-use personal data to the mandate of the ICO to take action against non-compliance.

The reform is expected to take years. A new law, especially one as comprehensive and far-reaching as the one we’re discussing here (where people’s privacy is the main concern), does not come about quickly. 

Until a new law has been passed, all rules from the UK GDPR apply, which means that:

  • All personal data, including that of an employee, needs to be protected by technical measures. Companies that process personal data in some way need to have all necessary policies in place in order to comply with the UK GDPR.
  • Companies that have employees always need to abide by the UK GDPR in addition to the applicable HR laws.
  • All staff need to be regularly trained on handling personal data and on how to deal with incidents involving data.
  • Companies may be required to carry out criminal background checks on applicants. Criminal background checks are not always allowed. Under the GDPR there needs to be a lawful basis for carrying out a criminal record check.
  • There are special retention periods for HR-related data. These do not come from the GDPR but from different UK laws, and sometimes have to be determined by companies themselves.
  • Some companies are required to register with the ICO and appoint a data protection officer. Certain companies are further required to appoint a European representative, carry out a data protection impact assessment and consult the ICO prior to the start of a specific processing activity if the processing entails high risk for an individual. Failure to do so can result in hefty fines.
  • Non-compliance can lead to fines of up to £17.5 million, or 4% of total worldwide annual turnover. A lot of companies think this won’t ever happen to them, but the ICO has started giving out smaller fines to smaller companies (with fewer than 100 employees), which average £15,000.

It is critical that all businesses start to take GDPR and cyber security seriously and consider investing in ongoing protection and advice in the same way they would hire an accountant to manage their accounts.

Nadia Kadhim is a GDPR lawyer and CEO of Naq Cyber