Explaining new UK data laws and what they mean for your business
On March 8, the UK government introduced its new data regime, aimed at replacing GDPR and potentially saving businesses up to £4.7 billion in the next decade.
From revolutionizing healthcare to streamlining financial management, data has become the lifeblood of progress in the modern world, increasing the need for robust data protection and privacy regulations. Several countries around the globe have embarked on a transformative journey, paving the way for a new era of data governance. Among them is the UK with a promising new initiative — the UK Data Protection and Digital Information Bill. Initially introduced last summer, the bill was subsequently paused in September 2022, so “ministers could engage in a co-design process with business leaders and data experts”, a statement from the newly created Department for Science, Innovation and Technology (DSIT) said.
Steering away from the cookie-cutter approach of the European Union’s General Data Protection Regulation (GDPR), this forward-thinking legislation aims to establish data adequacy while catering to the unique demands of a rapidly evolving digital landscape. The bill sets forth a series of key principles, including:
- Introducing a business-friendly framework that is simple, clear, and cost-effective to implement, incorporating the best aspects of GDPR. This framework will grant businesses more flexibility in complying with the new data laws.
- Ensuring that the new regime maintains data adequacy with the European Union and instils broader international trust in the comprehensive data protection standards of the UK.
- Further reducing the administrative burden on organisations by minimising the amount of paperwork required to demonstrate compliance.
- Promoting international trade by avoiding additional costs for businesses that are already compliant with existing data regulations.
- Providing organisations with increased confidence in determining when they can process personal data without explicit consent.
- Enhancing public and business trust in artificial intelligence (AI) technologies by clarifying the specific circumstances where robust safeguards are applied to automated decision-making.
Potential cost-saving opportunities for businesses
The potential for substantial cost savings for businesses emerges from the impact assessment, published alongside the details of the bill. The assessment indicates that the proposed data reforms could save £4.7 billion for the UK economy over the course of the next decade, reinforcing the aim to uphold the well-established data protection standards of the UK and ensuring that businesses can maintain seamless trade relationships with global partners, including the European Union.
Science, Innovation and Technology Secretary Michelle Donelan emphasised the collaborative approach taken with businesses in designing the bill. She said that the legislation ensures a data protection regime tailored to the specific needs and practices of the UK while capitalising on the opportunities of post-Brexit Britain. The new system aims to simplify compliance, freeing businesses and citizens from the complexities associated with the “barrier-based European GDPR”. By reducing unnecessary bureaucratic hurdles, these new laws will unlock new opportunities, drive the advancement of cutting-edge technologies, stimulate job creation, and bolster the overall economy of the United Kingdom.
A closer look at the key amendments and updates in the new legislation
While the complete text of the bill is yet to be released, according to DSIT, the revised version eliminates the requirement for all businesses to maintain data processing records, a provision previously mandated by GDPR. Instead, this obligation will now be applicable only to companies involved in high-risk activities, such as handling health data. The bill will outline specific scenarios where personal data can be processed without the explicit consent of the individuals, particularly in cases of certain public interest activities related to law enforcement and safeguarding vulnerable individuals.
The legislation also includes an updated definition of scientific research, ensuring that commercial organisations have the same privileges as academic institutions in conducting innovative scientific research. This provision aims to simplify data reuse for research purposes, reducing administrative burdens and legal expenses for researchers while fostering increased scientific exploration within the commercial sector.
Additionally, the bill addresses the role of AI systems in decision-making, granting citizens the right to challenge and appeal against automated decisions, and providing them with the opportunity to have their cases reviewed by a human. This provision aims to promote transparency and accountability in AI-driven processes.
The implications on international agreements
The UK government gives assurances that the laws proposed in the bill align with GDPR and other global data regimes. As a result, existing international data transfer agreements will remain intact upon the enactment of the new legislation. The UK currently maintains a data adequacy agreement with the EU, established after the Brexit deal, but the EU retains the authority to revoke the agreement if it perceives a decline in UK data protection standards.
According to a statement by DSIT, the UK is committed to upholding high data protection standards and facilitating the seamless flow of personal data among like-minded nations. The updated bill ensures that businesses can continue utilising their existing mechanisms for international data transfers if these are in compliance with the current UK data laws. This eliminates the need for British businesses to incur additional costs or undergo new checks to demonstrate adherence to updated regulations.
Julian David, CEO of techUK, stated that the reforms will provide organisations with more clarity and flexibility when utilising personal data, enhancing companies' legal confidence in conducting research, delivering essential business services, and developing emerging technologies, while maintaining data protection standards aligned with the highest global benchmarks.