The U.K. released draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.
The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's then-appointment as prime minister.
"Co-designed with business from the start," Donelan said, "this new bill ensures that a vitally important data protection regime is tailored to the U.K.'s own needs and our customs."
Donelan will be a featured keynote speaker Thursday at the IAPP Data Protection Intensive: U.K. here in London.
"Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR," she said. "Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy."
In line with last summer's draft bill, the new proposal will increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is greater. Additionally, the bill would reduce the amount of consent pop-ups on websites, the government stated in a press release.
The reform bill will also reorganize the Information Commissioner's Office to include a statutory board with a chair and chief executive.
ICO Commissioner John Edwards said, "The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament."
Notably, the bill would require businesses to conduct records of processing only when it is high-risk data, such as, for example, someone's health data. It would also clarify that profiling is subject to the same set of rules as automated decision-making when a "significant decision is taken about a person with no meaningful human involvement."
Regarding international data flows, the bill will use existing transfer mechanisms "if they are already compliant with current U.K. data laws," the release states.
During a panel session Wednesday afternoon, IAPP Research and Insights Director Joe Jones, who previously worked for the U.K. government in this space, said, "If you're compliant with the EU GDPR, you'll be compliant with the U.K."
"For the most part," Snook said, "this is not a new regime but, hopefully, provides opportunities for organizations to be more flexible and have more clear rules in the U.K." He also pointed out the reforms would eliminate burdens for small and medium-sized businesses.
ICO Deputy Commissioner Emily Keaney said the ICO "worked closely with its DSIT colleagues as they've been going through the process. Our role has been to provide advice and input." She said they've also offered their technical experience and shared insight from their engagement with organizations regarding what businesses have found complicated and what could be more clear. Keaney also noted they provided input from the public regarding what bothers them.
Prior to the bill's official release Wednesday, Liberal Democrat House of Lords Spokesperson for Science, Innovation and Technology Tim Clement-Jones