UK firms face double burden of data protection rules post Brexit, warns Clyde & Co

There remains uncertainty about how far the UK government will go in distancing itself from the EU’s GDPR, but law firm Clyde & Co said proposals for a new bill on data protection are unlikely to ease the burden on UK businesses. At the same time, businesses can expect a more rigorous regulatory response to cyber risks in 2023, the law firm said.

“Many British businesses will need to comply with both UK and EU data privacy laws,” Clyde said. This will only add to the regulatory burden that the government had wanted to ease after its exit from the EU, it added.

“With the proposed changes in legislation, we question the extent to which departing from the GDPR may lighten any existing burdens,” said Helen Bourne, partner at Clyde & Co.

“There are many organisations in the UK that process personal data in the EU or of EU individuals, and in these circumstances will be required to comply with both the EU GDPR and the new UK legislation and regulations. Any divergence between the two is likely to increase rather than decrease their data protection obligations,” she added.

The UK government introduced a new Data Protection and Digital Information Bill to Parliament in July, but its progress slowed with successive changes of prime minister. The government confirmed in October that the bill will be developed in due course, but with no firm timeframe and few details about its content.

Reviewing the current draft bill, Bourne said businesses can expect to see changes to the accountability framework, in particular requirements to appoint a data protection officer and undertake data impact assessments.

The bill could also change the GDPR requirements for data subject access requests, bringing them into line with the UK’s freedom of information regime, and change how third countries’ adequacy with UK data protection rules is assessed.

Bourne said the Information Commissioner’s Office (ICO) could also see reform to improve consistency of fines.

Last month the UK government said it plans to update the Network and Information Systems (NIS) Regulations, which are based on the EU’s NIS directive, to increase security and cyber incident reporting. Under the planned reforms, managed service providers would be brought into the scope of regulations.

At the same time, the appointment of John Edwards as the new information commissioner this year has set the stage for “renewed vigour” in cyber regulation. Rosehana Amin, legal director at Clyde & Co, said businesses can expect changes to the regulatory approach in 2023, with monetary fines and the use of children’s data two key areas for the next 12 months.

The ICO has indicated that it will be less likely to impose fines on public authorities from 2023 but will instead publish all reprimands, which Amin said will come with its own set of implications. “While the ICO is likely to be more circumspect in the issuing of fines to organisations, particularly public authorities, we anticipate that the publication of reprimands will increase potential litigation risk exposure and reputation damage for organisations subject to such reprimands,” she said.

Another key area in line for greater regulatory scrutiny is biometric technology, Amin said. After fining Clearview AI £7.5m in May for collecting data to create a facial recognition database, the ICO said it plans to issue guidance on the use of biometric technology in spring 2023.