
UK GDPR faces changes under planned reforms

DCMS is launching a major consultation on proposed changes to the UK’s data protection regime, under which several key elements of the GDPR are likely to change


A year after the publication of the UK’s National Data Strategy, the Department for Digital, Culture, Media and Sport (DCMS) is embarking on a major new consultation centring on proposed changes to the UK’s data protection regime in a post-Brexit environment, alongside reforms to the Information Commissioner’s Office (ICO).

The wide-ranging set of proposals supposedly build on the provisions of the General Data Protection Regulation (GDPR) and 2018 Data Protection Act (DPA) and are intended to address a lack of clarity as to how the GDPR is applied and reduce the burden on organisations that are trying to do the right thing.

Among the reforms on the docket are changes to requirements for data protection officers (DPOs), an end to mandatory data protection impact assessments (DPIAs) and changes to rules on breach reporting.

The government sought to ease fears that it is embarking on a bonfire of GDPR regulations, describing its planned data regime as “based on common sense, not box-ticking”, and insisted that its proposals are not a “watering down” of the GDPR legislation.

“Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society,” said digital secretary Oliver Dowden.

“These reforms will keep people’s data safe and secure while ushering in a new golden age of growth and innovation right across the UK, as we build back better from the pandemic,” he said.

DCMS insisted the government would maintain world-leading data protection standards, building on the current GDPR and DPA-based set-up, such as principles around data processing, data rights, and supervision and enforcement mechanisms.

However, it said it was aware that the current regime “places disproportionate burdens” on some organisations, such as small businesses that face the same data protection processes as multibillion-pound enterprises. It therefore wants to move away from a one-size-fits-all approach to let different types of organisations demonstrate data protection compliance in ways that are more appropriate to their circumstances.

Dowden said that far from being a barrier to innovation or trade, renewed regulatory certainty and high data protection standards would let British businesses and consumers thrive online, and added that protecting personal data would remain at the heart of the future regime.

As part of this, the proposed overhaul of the Information Commissioner’s Office (ICO) – alongside the recently announced appointment of New Zealand’s John Edwards as the next information commissioner – will help to “drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats”.

The ICO reforms will include a new overall structure, with an independent board and chief executive, that more closely mirrors the governance structures of related regulatory bodies, such as the Competition and Markets Authority (CMA), Financial Conduct Authority (FCA) and Ofcom.

Part of the aim of this structural reform is to reduce the burden of complaints the ICO receives every year by placing more onus on complainants to resolve data disputes with organisations before involving the ICO, just as one would complain about one’s broadband to one’s internet service provider prior to complaining to Ofcom. It hopes this will also have the effect of enabling the ICO to broaden its remit to champion sectors and businesses that are using personal data in new, innovative and responsible ways to benefit people’s lives.

The government believes this will ultimately help deliver more agile, effective and efficient public services, and strengthen the UK’s position as a “science and technology superpower”.

Information commissioner Elizabeth Denham said: “People’s personal data is used in ever more novel ways; it is right that government looks to ensure a legislative framework that is fit for the future. A framework that continues to be independently regulated to maintain high standards of protection for people while delivering social and economic benefits.

“My office will provide constructive input and feedback as the work progresses, including through our public response to the consultation, ensuring that the ICO can effectively regulate this legislation. We will be considering the detail of the proposals and intend to publish our response as soon as possible.”

Bojana Bellamy, president of the Centre for Information Policy Leadership (CIPL), said the overall plan was bold, much needed and could be a win-win.

“It enables organisations to leverage data responsibly, for economic and societal benefits and to build their brand as trusted data stewards. It gives individuals assurances and more effective protection from genuine harms,” she said.

“Accountability, risk- and outcome-based approaches will be welcomed by all – these are the founding blocks of modern regulation and a modern regulator. I hope other countries follow the UK’s lead.”

Sue Daley, director of tech and innovation at TechUK and co-chair of the National Data Strategy Forum, added: “The data reform consultation is the start of an important conversation that must include a wide range of stakeholders to explore how we could make the UK’s data protection framework work better for citizens and businesses.

“The National Data Strategy Forum has a key role to play to make this happen, as well as supporting the other activities announced today to deliver the missions of the National Data Strategy.”

Ethics in AI data usage

Recognising that the use of algorithmic and automated decision-making is on the rise and shows no signs of abating, the reform package also contains a strong emphasis on building confidence that AI-powered services are a force for good and won’t inadvertently harm people.

As such, some of the proposals set out in today’s consultation document are designed to help organisations get to grips with the risk of bias in their algorithmic systems by identifying factors that drive bias and enabling them to take steps to ensure their services do not replicate societal or historical discrimination, or make unfair inferences, such as health insurers monitoring people’s purchasing habits to predict their fitness levels.

The problem of AI assurance forms a key plank of the Centre for Data Ethics and Innovation’s (CDEI’s) 2021-22 programme of work, and to this end, the government has also today named several world-leading experts to the CDEI’s refreshed advisory board, including Jack Clark, co-founder of Anthropic and former policy director at OpenAI; Rumman Chowdhury, director of machine learning, transparency and accountability at Twitter; Jessica Lennard, senior director of global data privacy and AI initiatives at Visa; and James Plunkett, executive director of advice and advocacy at Citizens Advice.
