In the UK, details of the country’s proposed data reform bill have been released. It seeks to change the data protection framework set out in the UK’s post-Brexit version of the EU General Data Protection Regulation.
The proposals were released on Friday (June 17) in response to the consultation. They also include plans to restructure the Information Commissioner’s Office (ICO), the UK’s data protection regulator, to introduce an opt-out model for approving cookies, and to facilitate new data partnerships with other countries.
The Data Reform Bill, announced earlier this year as part of the Queen’s Speech, the annual presentation of the year’s legislative agenda, aims to replace the data protection and privacy rules introduced in 2018 with the implementation of the General Data Protection Regulation.
In 2019, the EU found that the UK data protection regime was strong enough to allow data exchanges between the UK and the EU to continue.
However, the EU has taken steps so that it can reverse this decision if necessary. The decision also includes a “sunset clause” that provides for its reassessment and renewal in 2024.
However, some observers have noted that, while the reforms deviate significantly from EU rules, their final impact remains to be seen.
“While many of these reforms may seem significant, in practice they may have little impact,” Robert Batman, content leader of the GRC World Forum, told EURACTIV.
“Many companies operating in both the UK and the EU are not likely to change as they have to comply with strict EU regulations,” he added.
Modernization of the UK Data Protection Authority
A key component of the proposals is to “modernize” the ICO, which oversees data security in the UK.
According to plans, the agency will have a chief executive, information officer, a chairman, a manager and a board of directors. In addition, the authority must set “new goals.”
According to the UK government, these will allow for better parliamentary and public scrutiny and greater focus on development, innovation and competition.
It also aims to reform the ICO legal code and guidelines, including the panel of experts, which require the approval of the Secretary of State before such work can be submitted to Parliament.
The government’s proposals were welcomed by Britain’s current Information Commissioner John Edwards on Friday.
Another key goal of the reforms is to allow companies greater flexibility to comply with data security standards while reducing the administrative burden that the government relies on.
Batman said the reforms proposed in these areas are among the most important, and that several steps that are now compulsory may become voluntary.
For example, under the proposal, small companies would not need to appoint a data protection officer to conduct a data security impact assessment for their risk management if they can independently prove that their approach is appropriate.
“A company can not only regulate its data protection officer to carry out his/her duties,” Batman said. “This means that even if it is against the interests of the company, the data protection officer can theoretically protect the rights of the data subjects.”
However, Bozana Bellamy, head of the Information Policy Leadership Center, welcomed the high-risk and decision-based approach to data security management because it provides better and more adequate security.
“This does not in any way mean the end of data protection authorities and data security impact assessments because companies still need to demonstrate how they monitor the program and manage the risks,” he told EURACTIV.
He further added that the move by other governments in this direction was a “global trend”.
International data transfer
The reforms are aimed at strengthening the UK’s ability to improve data transport links with international partners.
The bill provides for the International Data Transport Expert Council to be empowered to remove barriers to data traffic. The council consists of a group of companies, technology companies and scientists.
London’s willingness to enter into new data alliances with countries such as the United States, Australia, Singapore and South Korea has raised concerns in Brussels that data from EU citizens will also be transmitted if data traffic between the EU and Great Britain continues. Data may be sent to third countries that do not have adequate security standards.
“The UK government is properly considering developing rules and guidelines for managing data traffic,” Bellamy said. “This is a major compliance and regulatory concern for all businesses, large and small. It is not sustainable in the long run.”
Cookies, marketing calls and research
The UK government also plans to impose fines for unsolicited marketing calls and messages. The bill would increase the maximum fine from £500,000 to £17.5m or four per cent of total revenue, whichever is higher.
The existing rules are being revised to reduce the number of cookie consent pop-ups by introducing an opt-out model that applies to the user’s entire web browser.
Researchers are gaining more flexibility and clarity about data usage. Specifically, this concerns asking people whether they agree to their data being used for research in a particular field of study.
[Edited by Luca Bertuzzi/Nathalie Weatherald]