General News

The Government's 'Data: a New Direction'

On September 9th, the UK Government published their Consultation Paper on Reforms to the UK Data Protection Regime-'Data: A New Direction', where they outlined proposed changes to GDPR since leaving the EU.

This has come at a time when there has been a lot of movement on the Government's plans to shake up the UK's data protection regime now that they have more power in doing so since leaving the EU, with the UK's National Data Strategy being published last year.

The Government have outlined some key areas that the proposed changes would focus on, with the aim being to secure digital enabled growth, within a regulatory framework that provides an environment of trust and confidence. There are five key areas that the paper details being of main focus- supporting digital innovation in key growth areas, such as research and AI, reducing the regulatory burden of compliance for business, ensuring the free flow of data internationally, changes to the flow of data within the public sector, and reforms to the Information Commissioner's Office. I'll summarise the key changes that the paper proposes, with the potential impacts they may have below:

Using Data for Research and Ensuring the UK Becomes a Leader in AI Research

In the paper, it states that "the government recognises that any data protection regime requires active interpretation and application to new and emerging technologies". This area of The Consultation Paper also mentions various changes to the use of personal data for research purposes, including amongst other provisions;

  • enabling the lawful ground of consent to be relied on for processing based on broad consent for scientific research; and
  • where processing is for research purposes, removing the current requirement for controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing, where it would require a disproportionate effort to do so. 

These changes would also allow organisations to rely on a list of legitimate interests reasons for using personal data without applying the balancing test, with one of the reasons being for 'ensuring bias monitoring, detection and correction in relation to AI systems.' With relation to AI, the government have also questioned to test of 'fairness' in data protection, and believe a wider scope to determine fairness, particularly in outcomes, be used in the context of AI. With relation to AI, there are also other provisions that are aimed at making the UK become a leader in AI research, which in great part will be done through the relaxing of restrictions for organisations that work with AI, such as:

  • developing a safe regulatory space for the development, testing and training of AI, which will allow organisations the freedom to experiment without causing any harm.
  • amendments to the processing of special category personal data necessary for the purposes of ensuring bias monitoring, detection, and correction in relation to AI systems.

Accountability Framework Amendments

The government believe that the current Accountability Framework that has been set out in the UK GDPR imposes an unnecessary burden on organisations, and their proposed reforms to this framework are claimed to be more proportionate and flexible, whilst still maintaining 'the principle of accountability at its heart'. These reforms include:

  • Implementing more of a risk based approach to data protection, that would take into account the volume and sensitivity of the personal information, and the type(s) of data processing being carried out. There would then be a proportionate response taking all of the information under consideration.
  • There would also be a removal of certain elements of the current legislation that have been a large part of how data protection has worked in the past-
    • removing the requirement for organisations to undertake Data Protection Impact Assessments
    • removing the requirement to appoint a Data Protection Officer. There would still be a need to appoint an individual whose responsibility it is to ensure compliance with the relevant data protection legislation in its entirety, however the specific requirement for the role won't be specified by legislation. This would mean that whilst you are still permitted to appoint a DPO to ensure data protection compliancy, you would not be required by law to.
    • Implementing a process in which organisations who have breached data protection rules, may propose a 'voluntary undertakings process' to the ICO, which they will be able to authorise without taking any further action.
    • There would also be a removal of the requirement to consult with the ICO with regards to higher risk data processing. Currently, when organisations identify that new data processing activities pose a high risk, they are required to notify the ICO, who will assess the proposed process, and decide whether the organisation is permitted to process the data.This current requirement would be removed, and organisations won't receive any penalties for failing to consult with the ICO before undertaking the processing of data in these situations.
  • Widening the threshold for notifying the ICO of a breach. Under the new legislation, organisations will only need to notify the ICO of a breach if the damage caused was of 'material' value. There will be further guidance in the future that will outline in greater detail what would constitute 'material' value and therefore reach the new threshold. This is because the Government believes that the current low threshold that exists for reporting breaches causes organisations to over-report due to fear that the ICO will fine them if they fail to report a breach.
  • A more flexible approach to record keeping, removing the current prescriptive requirements for what is needed to be in the record.

Changes to Cookies

Proposed reforms aim to tackle cookie pop ups, which the government view as a problem. One way this will be done if allowing organisation to use analytic cookies, as well as cookies that perform a similar purpose without the user's consent. They will fall under the 'necessary cookies' category that currently exists where organisations don't need to gain consent from user's. They will also allow organisations that haven't had any prior relationship with a user (eg due to membership), to use the soft opt-in way of collecting cookies. This would allow non-commercial organisations to use soft opt-in, which they are currently not allowed to.

Changes to Subject Access Requests

Under current regulations, an individual is allowed to submit a subject assess request to any organisation and receive a copy of all of the data that organisation holds on them for free. However the paper outlines plans to introduce a nominal fee that data subjects would have to pay if they submit a SAR. In addition to this, there would also be threshold to how much it would cost the organisation to fulfil their requirements in responding to a SAR. If responding would impose a cost to the organisation that exceeds the threshold, they wouldn't be required to respond to the request. Organisations would also be permitted to refuse to respond should the request be one that is deemed frivolous. 

Reducing Barriers to Data Flow and Boosting Trade

After Brussels deemed the UK an 'adequate country' in terms of how data flows, the UK is permitted to make their own decisions when it comes to assessing adequacy on personal data transfers. In the consultation paper, the government outlined their intentions to grant adequacy to other countries, groups of countries, regions and multilateral frameworks, with the aim being to boost trade and minimise restrictions and hold ups in the flow of data between the UK and other countries. They've also stated that adequacy regulations made under current laws will remain in place under the new rules.

The government will also remove the current requirement for the adequacy of countries to be assessed every four years, and will instead prioritise an ongoing review of a country's relevant rules and regulations. They're also proposing to remove UK international transfer restrictions on 'reverse transfers', when an organisation has received data from an international source, and wishes to send data back to the organisation they received it from. The government have also outlined their intentions to look at the possibility of making legislative changes to the suite of alternative transfer mechanisms that are available to UK organisations to ensure that they are "clear, flexible and provide the necessary protections for personal data", including 

  • allowing organisations to use their own alternative transfer mechanisms, in addition to those listed in Article 46 of the UK GDPR.
  • allowing an increased flexibility for the use of derogations.

Changes to the ICO

The paper proposes numerous changes to the role the ICO will play, and the powers they have under the new legislation.The ICO and how it is run is also an area of change under the new regulations. Currently, the ICO is a non-governing public body however under new regulations, the government would have more control on how it operates, and would set their agenda and control their pay. The changes that have been proposed include amongst other things:

  • placing a duty on the ICO to have regard for economic growth and innovation when making decisions.
  • having a criteria by which the ICO can decide not to investigate something.
  • putting in place a requirement for a complainant to solve their complain with the data controller directly, rather than involving the ICO.
  • requiring data controllers to have a simple and transparent complaints process.

 Public Services

The government proposed changes in the area of data sharing in Public Services include:

  • organisations that are carrying out an activity on behalf of a public body may rely on their lawful grounds for processing data under Article 6(1)(e) of the UK GDPR.
  • introducing compulsory transparency reporting on the use of algorithms for public authorities, government departments and government contractors using public data.
  • clarifying that public and private bodies are allowed to lawfully process health data when necessary for reasons of substantial public interest.


As you can see, under the new proposed reforms of GDPR, there will be numerous and far reaching changes to how organisations are allowed to process and deal with user data, and ultimately there'll be a reduction in the freedoms data subjects have when it comes to accessing and having control over how organisations use their data. It's hard to see at the moment how these changes will be implemented should they all be imposed, however any updates that do come, we'll be sure to update you.