A period of transition for the U.K. data regime has morphed into a complete overhaul. Along with its recent announcement on the future of international data transfers, the U.K. government is now planning further shakeups that could dramatically alter the country's data protection landscape.

U.K. Secretary of State for Digital, Culture, Media and Sport Oliver Dowden announced Thursday the government opened a consultation on a series of reforms aimed at reshaping the U.K.'s use and regulation of data with emphasis on innovation, growth and threat prevention. The comment period on the proposed reforms will be open through Nov. 19.

The U.K. Information Commissioner's Office will lead the reforms, with the DCMS noting the ICO will take up a new governance model the government hopes "will broaden the remit of the ICO and empower the Information Commissioner to champion sectors and businesses that are using personal data in new, innovative and responsible ways to benefit people’s lives." Notably, the planned reforms come after New Zealand Privacy Commissioner John Edwards was named by the DCMS as the preferred nominee to serve as the next U.K. Information Commissioner.

"Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society," Dowden said in a statement. "These reforms will keep people’s data safe and secure, while ushering in a new golden age of growth and innovation right across the U.K., as we build back better from the pandemic."

The DCMS made clear the protection of personal information will be at the heart of these reforms, noting the consultation "presents proposals that build on the key elements of the current U.K. General Data Protection Regulation." The department's announcement specifically pointed to the U.K. working to maintain its position as "a global hub for the free and responsible flow of personal data," while noting intentions to ensure businesses continue to be responsible and accountable with their data practices.

"It's trying to find the 'third way' that treads the line between maintaining high data protection standards while also promoting innovation," Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, said. "That's something we should applaud, especially if it means that a greater emphasis will be placed on outcomes, and less on forms and box-ticking that deliver little real protection in practice but place significant burdens on organizations."

Lee added the consultation is as wide-ranging as the DCMS touts it to be. In addition to addressing data transfers, reforms will affect data subject access requests, cookie consent, data protection officers, data protection impact assessments and more.

"Such flexibility could include removing existing requirements to designate a data protection officer and to conduct data protection impact assessments. The government also proposes removing the requirement to maintain a record of processing activities and lowering the threshold for reporting data breaches," Promontory Senior Principal John Bowman, CIPP/E, CIPM, FIP, said. "These are all radical suggestions, and it will be interesting to see how industry, academia and civil advocacy groups respond to the consultation."

The DCMS also highlighted intentions to raise ICO fines on nuisance calls and further explore best practices for algorithmic bias mitigation.

A key callout in the DCMS's announcement was a recognition that data protection compliance can't be "one-size-fits-all." Reforms will address the "disproportionate burdens" organizations currently face, with the DCMS pointing to how small- and medium-sized businesses are required to allocate time and resources to compliance they don't possess. The proposals will allow companies of any size to "demonstrate compliance in ways more appropriate to their circumstances."

"This reform may very well be the middle way that businesses and citizens have been seeking, which balances privacy rights with a practical approach to implementation — one that is readily understandable, practical, and reflects the increasingly digital approach to our lives and workplaces," said London Stock Exchange Group Chief Privacy Officer Vivienne Artz, who currently serves on the IAPP's board of directors. "Are we ready for 'common sense' privacy? Too many approaches have been overly legalistic in recent years, but the approach proposed by the consultation opens the door to an outcome-based privacy regime, evidenced through an accountability framework."

The planned reform will undoubtedly sow a seed of doubt among the U.K.'s partners in the EU as the results of the consultation may well create a divergence in data protection standards that ultimately negate the EU-U.K. adequacy agreement struck in June. Hogan Lovells Partner Eduardo Ustaran, CIPP/E, urges caution in passing such judgment too soon.

"It would be a mistake to see this as simply a softening of the law. You can rest assured that the outcome that will emerge will still include outcomes-focused rules and a strong independent regulator," Ustaran said. "The U.K. is also aiming to increase its influence alongside the EU and others in driving a global approach to data protection regulation. It’s actually very exciting because having a globally accepted framework in this area would do a lot of good."

Photo by Jamie Street on Unsplash