
Revamped data rules will cut admin and drive innovation

Legislation to refine the UK’s data protection regulations may be an evolution rather than a revolution, but it is being welcomed by the industry. The changes are expected to reduce the bureaucracy associated with the legacy GDPR regs, allow for greater use of artificial intelligence and halt vexatious data subject requests, finds Adam Bernstein

In March, the UK government reintroduced the Data Protection and Digital Information Bill. First mooted in July 2022, the original bill was withdrawn to allow ministers to consider the legislation further.

Likely a welcome move for HR teams, the new bill promises to cut bureaucracy out of the current General Data Protection Regulation (GDPR) and clear up employers’ obligations. It also promises fewer burdens in relation to the use of artificial intelligence (AI) in decision-making, and the ability to quickly shut down vexatious requests from employees.

The current UK GDPR and Data Protection Act (DPA) are not even five years old. However, Jeanette Burgess, head of regulatory and compliance at Walker Morris, says that the government wants to capitalise on post-Brexit freedoms. She says: “The government’s view is that some elements of the UK GDPR and DPA 2018 create barriers, uncertainty and unnecessary burdens for businesses and consumers.”

Danyelle Holmes-Lewis, director, people and culture, EMEA at CultureAmp, agrees. She says some expect the bill to be pro-growth or innovation-focused and aligned to advances in technologies, while still maintaining UK data protection standards. However, she says: “I’m not sure that we’re going to see a revolution, but rather, an evolution.”

Delaying the bill was a welcome move, she adds, and she is now more confident that the legislation has been co-designed to create more integrity and transparency.

As to what the bill seeks to change, James Potts, legal services director at Peninsula, outlines the key elements: a simple, clear and business-friendly framework with less cost; maintenance of data adequacy with the EU; less compliance paperwork; greater confidence for organisations processing data; and clarification over the use of AI in automated decision-making.

Potts sees the bill as a constructive development. He points out that the present legislative framework has a high administrative burden and puts up barriers to innovation.

Having been involved in building GDPR and DPA assessments globally, Holmes-Lewis is also positive. She hopes the bill will cut down on unnecessary red tape. She’s especially keen on digital identity reform as it gives HR greater flexibility and confidence in checking identities while providing individuals with more choice and greater security.

Potts concurs, singling out the fact that ministers specifically sought to cut down on the amount of compliance paperwork organisations need to complete.

He says: “Only organisations whose processing activities are likely to pose high risks to an individual’s rights and freedoms will need to keep processing records. For example, if they are processing large volumes of sensitive data about health.”

He also points out that the bill gives organisations clarity about when they can process personal data without needing consent when weighing up their own interests against an individual’s rights.

However, Burgess warns that the bill doesn’t radically change the regime; employers still need to make sure that they only process personal data where they have a lawful basis to do so.

Similarly, Potts believes that those already compliant with the UK GDPR will not need to make any changes, as the main principles and obligations of the current data protection regime will remain.

This is a comfort to Holmes-Lewis as she says the complexity of data protection law has meant some organisations have taken five years to fully understand the 2018 legislation.

As the use of AI in HR has grown, so too have the risks. Burgess points out that under UK GDPR, solely automated decisions that produce ‘legal or similarly significant’ effects on people may only be carried out where it’s necessary for entering into or performing a contract between a controller and a data subject; if it’s required or authorised by law; or the data subject has given their explicit consent.

However, she considers it helpful the bill amends the UK GDPR so automated decision making is not restricted to these circumstances, which might make it easier for employers to use AI in situations such as screening job applications.

Though a promising development, Potts says the bill changes very little in respect of AI. He adds that it may allow broader data sets to be used in the course of research and development, without the burden of requiring renewed opt-ins each time the research purpose evolves. 

Timeline of UK GDPR law

14 April 2016 - General Data Protection Regulation (GDPR) is adopted by the European Union, including the UK. It sets out the rights and obligations for most employers when processing personal data.

23 May 2018 - The UK’s Data Protection Act 2018 receives royal assent, supplementing GDPR and including criminal offences such as recklessly obtaining personal data without consent.

25 May 2018 - GDPR becomes enforceable across the EU.

31 December 2020 - The Brexit transition period ends. Vestigial EU law is transposed into UK law, including GDPR, now known as ‘UK GDPR’.

11 March 2021 - Government announces intent to reform GDPR, to help drive economic growth.

18 July 2022 - Proposed GDPR reform bill laid before parliament.

6 September 2022 - Liz Truss takes over as prime minister and the government delays the second reading of the GDPR reform bill.

8 March 2023 - GDPR reform bill withdrawn. A new version, the Data Protection and Digital Information (No. 2) Bill, is introduced.

What the bill does not do, Potts says, is provide any codification of the law around AI. He says that this remains an unlegislated area, with the closest provisions to any kind of guidance being the EU’s regulatory framework proposal on AI.

From a legal standpoint Burgess says the bill addresses certain AI-related risks. She gives the example of a ‘significant decision’ based on special category data – race, religion, sexual orientation, etc. – that may not be taken based solely on automated processing unless certain conditions are met.

Importantly, such significant decisions require safeguards for a person’s rights, freedoms and legitimate interests. These include providing a data subject with information about decisions made about them, and enabling them to make representations about the decision, to ask for human intervention and to contest it.

These safeguards are essential, says Holmes-Lewis. She cites plans for an AI rule book to run alongside the bill that will be regulated by Ofcom and the Competition and Markets Authority. She says: “Safeguards will create greater public confidence in AI and how data is used to ensure that it’s safe, technically secure, transparent and fair.”

Burgess too is hopeful that by clarifying the circumstances when robust safeguards apply to automated decision making, confidence in AI technologies will increase.

Another part of the bill deals with what Potts refers to as the ‘weaponisation of data’ by employees – a frequent frustration for HR managers. Potts says: “The bill will assist HR managers in shielding their businesses from vexatious data subject requests and will also give the ICO the power to reject complaints relating to such requests.”

In more detail, Burgess says that under the proposed new regime, businesses will be entitled to charge a fee for, or refuse to act on, requests considered ‘vexatious or excessive’. She adds that it will be the data controller’s responsibility to prove that a request is vexatious or excessive.

Interestingly, Holmes-Lewis doesn’t see the bill giving employees more rights over their personal data. In fact, she thinks the opposite is true as the bill describes what is a reasonable request.

While many aspects of the reform bill clarify existing law which has become muddied in places, the basic principles of GDPR are unaffected and companies that already comply with the current law won’t need to make radical changes. It’s hoped that the burdens on employers are eased, but the results will take time to become apparent.

The full version of this article first appeared in the March/April 2023 print issue.