Posted: Wed 5th Oct 2022
A new data privacy regime will be introduced in the UK to replace the European Union's General Data Protection Regulation (GDPR), the government has announced.
GDPR, the rules organisations need to follow when managing personal data, is still in force in the UK despite Brexit.
But speaking at the Conservative Party conference in Birmingham, culture secretary Michelle Donelan said the "bureaucratic nature" of GDPR is "limiting the potential of our businesses".
She claimed that in a survey conducted by the Department for Digital, Culture, Media and Sport, 50% of businesses complained "that the EU's mainly one-size-fits-all GDPR system had led to excessive caution amongst their staff when handling data".
She described as "mad" letters to the government from churches saying they were worried that newsletters were breaching data protection rules.
Small businesses don't have the resources to navigate GDPR, Donelan claimed, so the government intends to replace "GDPR with our own business and consumer friendly British data protection system".
"Our new data protection plan will focus on growth, on common sense, on helping to prevent losses from cyber attacks and data breaches, while also protecting data privacy.
"This will allow us to reduce the needless regulation and business-stifling elements, while taking the best bits from other countries, to create a truly bespoke, British system of data protection."
The government has previously said it intended to reform data protection regulations in the UK. Measures were included in the Data Reform Bill, announced in the May 2022 Queen's Speech, but the debate for the Bill's second reading in Parliament was scrapped when Liz Truss become prime minister.
What could the GDPR replacement mean for small businesses?
The government has not yet provided any further detail on how the new data privacy regime would work but some experts have expressed concern that it could actually add extra bureaucracy for small businesses, particularly for those handling personal data from the EU.
Samantha Oakley, Enterprise Nation member and founder of So Law, said:
"It has taken years for small businesses to get a grip on GDPR and how to implement it. After navigating some choppy waters, we have finally hit some calm waters.
"However, this announcement feels like we are being tossed back out there with the unintended consequences of small businesses having to incur more legal costs to ensure compliance, at a time when they are facing a cost of living crisis!
"Although cutting red tape sounds good on the face of it, small businesses have invested a lot of time and money getting GDPR compliant. As EU GDPR relates to EU citizens in the UK and selling goods/services in the EU, UK businesses with customers in the EU will likely still have to be compliant with the current laws - so it risks a more expensive two tier system."
Raj Shah from law firm Collyer Bristow added:
"There is a real risk that these plans, if implemented, could invalidate the UK's 'adequacy' decision by the EU agreed as part of the Brexit deal. If that were to happen, transferring personal data between the UK and any EEA country would require reams of additional documentation and higher administration costs."