New UK cyber legislation unlikely to ease burden of GDPR

Many British businesses will need to comply with both UK and EU data privacy rules

Following Brexit, the UK government’s view is that the UK GDPR and DPA 2018 have created barriers for businesses and consumers. Following its consultation Data: a new direction, the new Data Protection and Digital Information Bill (the Bill) was introduced to Parliament on 18 July 2022. However, progress through Parliament has stalled with the change of Prime Ministers but the government confirmed in October 2022 the Bill will be developed ‘in due course’.

Limited information has been forthcoming as to how the Bill will now be developed, with the new Secretary of State for Digital, Culture, Media and Sport commenting that this will now be ‘our own business and consumer-friendly British data protection system’, observing that the GDPR is a ‘one-size fits-all’ approach. Looking to the current draft of the Bill, we may expect to see:

• Changes to the accountability framework, including alternatives to the requirements to undertake data impact assessments and appoint a data protection officer.
• Change to data subject access requests, to bring this into line with the UK’s freedom of information regime.
• Changes to the assessment of adequacy of third countries and the requirements for international data transfers, introducing a risk-based approach.
• Reform of the ICO, including consistency in the level of fines that can be issued, bringing the Privacy and Electronic Communications Regulations in line with other legislation

On 30 November 2022, the government also announced that it will be updating the Network and Information Systems (NIS) Regulations, which were originally derived from the EU’s NIS directive. Changes will aim to boost security standards and increase reporting of series cyber incidents, by bringing managed service providers into the scope of the regulations and improving incident reporting. The updates will be made ‘as soon as parliamentary time allows’.

With the proposed changes in legislation, we question the extent to which departing from the GDPR may lighten any existing burdens. There are many organisations in the UK which process personal data in the EU or of EU individuals, and in these circumstances will be required to comply with both the EU GDPR and the new UK legislation and regulations. Any divergence between the two is likely to increase, rather than decrease their data protection obligations.

View all our Insurance 2023 Predictions here