BCS Highlights Concerns Over Government’s Approach to GDPR

By Ben Carey on 24 October, 2022

Swindon-based BCS, the Chartered Institute for IT, has highlighted concerns about the Government’s plans to ‘replace’ GDPR.

The Government’s announcement that it will replace GDPR and pause the Data Reform Bill has raised fresh questions about the UK’s EU data equivalence, according to leading tech and data lawyer Dr Sam De Silva, Chair of the Law specialist group at BCS.

Dr De Silva warned that UK businesses may find themselves having to potentially comply with two regulatory regimes following the legislation. 

He said, “At the moment, the UK has the benefit of an EU adequacy decision that allows the free flow of personal data from the EU to the UK. However, that adequacy decision requires the EU Commission to continuously monitor developments in UK law in order to assess whether the UK still provides ‘essential equivalence’.

“What this means is that significant deviation from the GDPR will risk the UK losing its adequacy. Interestingly, DCMS Secretary of State, Michelle Donelan, made it clear in a recent speech that the intention is that the UK would retain its adequacy decision. It’s not clear how practical that is if the Government is aiming to fundamentally move away from the GDPR.”

“We need more detail on what this means in practice. One interpretation is there are no plans to retain any aspect of the GDPR in UK law, and therefore the Data Reform Bill (currently paused) is now defunct – the reason being that the Bill appeared to only modify the GDPR in certain areas.

“It appears that the Government wants a ‘light touch’ approach to regulation, but it’s not clear what that would mean in practice.

“Or will the Government propose something completely new? Most UK businesses have been working with the GDPR for over four years and most have invested significant time and money establishing and operating their compliance programs. Of course, UK businesses that have customers in the EU will still have to comply with the EU GDPR notwithstanding what new UK law is in place. The risk for UK businesses is that they will have to comply with two regulatory regimes. I expect that most businesses will continue to apply the stricter rules anyway.”

Dr De Silva said that lost profits are often cited by the Government (based on an Oxford University report) as a reason to remove GDPR, but urged caution in that conclusion for three reasons (as mentioned by the authors of that report):

  • The negative impacts on firm performance we observe may partly reflect temporary adjustment costs.
  • If the GDPR gradually becomes a global standard as more countries adopt similar regulations, companies targeting EU companies will become less disadvantaged over time.
  • Any calculated estimates appear to be silent on its aggregate welfare effects, which are likely to account for potential benefits to citizens concerned with data protection.