On 9th September 2021 the UK Government published a consultation paper, ‘Data – a new direction’, which details new ways the government want to proceed in how businesses can process data, and is the driving force behind their consultation.
The Government feels there will be significant opportunities for businesses if the UK moves away from the ‘one size fits all’ methodology of data protection and that by moving away from EU regulations it will be better for businesses. Currently, the forms and details regarding GDPR that, for example, a hairdressers has to complete and adhere to is the same as that of a large corporate company and the Government feel this does not make sense.
Whereas GDPR focuses on individuals’ rights, the focus will now be on enhancing business and will remove some of the barriers, using data protection as a resource. This will give potential for global growth outside of the EU. Having received the Adequacy decision from the EU, the UK wants to use that decision to trade with other parts of the world – the US; Dubai; Australia, Brazil etc. and hopes that this will enable the UK to be the bridge between the wider world and themselves, as the UK becomes a more attractive data processing country.
The idea is that by moving away from GDPR this will better enable AI, especially in research and will give a brand-new lawful basis in which to carry out research, particularly in healthcare. These proposals will make it easier to use AI and automatic decision-making by scrapping Article 22 of GDPR, as it does not allow this presently.
Changes to Legitimate Interest
With regards to legitimate interest, the consultation looks to remove the need for a balancing test before deciding whether legitimate interest is applicable. Currently a balancing test needs to be conducted before using this category of data processing and the removal of this would be a wide-ranging change. This would help with internal research so that businesses could present new kinds of aims for better customer experience and collect customer information for one purpose, but be allowed to use it in different areas for other purposes.
For charities and political parties there would be the soft opt-in for electronic marketing which can be used by these types of non-commercial organisations if they have been in touch with a data subject previously, as long as they have given the data subject the opportunity to opt out when they communicate with them and every time they do communicate – currently this is for corporate businesses only, but now charities and political parties look to be included.
Direct marketing – PECR (electronic marketing) breaches will now have a government levy of £17.4m or up to 4% of global turnover which brings it into line with GDPR fines; currently the maximum fine for this type of breach is £500,000. This will also mean that the fines will be more like those of Ofcom or the FCA.
The Government’s aim by making these changes is to encourage trading deals with other countries so that the UK can break down the barriers in data flow and to encourage innovation in new products and better business services.
But the cautionary words to this is that too much diversion could stop the EU granting the UK adequacy in the future. These are of course just proposals, and the final legislation could be quite different. The outcome of the consultation will be published in due course following its closure on 19 November 2021.
What do our Gateway members think of these proposals? It can certainly enhance business trading but what about individuals’ rights, are they now going to be ignored? We’d love to know your views please.