The UK’s new GDPR bill, which was resubmitted to parliament this week, could ultimately add cost and complexity to companies’ compliance efforts and lead to some “unintended consequences,” said a legal expert.
The Data Protection and Digital Information (DPDI) Bill was unveiled on Wednesday and the government said it could save UK businesses up to £4.7bn ($5.6bn) over the next decade while boosting data protection and privacy.
The government was keen to demonstrate the benefits of leaving the EU, with a focus on reducing paperwork for businesses and providing flexibility on how to comply with localized versions of the GDPR.
But legal experts questioned some of the proposals, arguing that companies operating in Europe would be unable to take advantage of the new efficiencies or would be forced to change their existing compliance frameworks.
Edward Machin, Senior Counsel for Data, Privacy and Cybersecurity at Ropes & Gray, said:
“While that will be music to the ears for some companies, those operating in Europe will have to decide whether to maintain a single compliance standard across the EU and the UK. This reduces some of the compliance efficiency we were hoping for.”
Cordery partner Andre Bywater added that companies that do not maintain a single standard will need to spend time and money to adapt their stance.
“Whatever the final outcome, international organizations that have expended significant effort, time and resources to ensure compliance with both the existing UK and EU GDPR have more work to do on their UK side. You may notice that with regard to the work done for so-called ‘senior officials’ or ‘records of processing’,” he wrote.
Given that the EU is the UK’s largest trading partner, accounting for 42% of all exports and 45% of imports, this could affect many UK organizations.
Experts also expressed concern about the consequences of making compliance easier for businesses, especially the new rule that only organizations whose processing activities are likely to pose a “high risk” to the rights and freedoms of individuals should retain processing records.
“Many of the proposed changes make sense, but I fear that reducing the red tape will have unintended consequences,” warned Machin.
“While no one complains about the reduction in paperwork, the fact that most businesses no longer need to maintain an inventory of personal data means that they will have a much easier time understanding where and how they keep their data. It means you can have a hard time, which is in no one’s interest.”
Chris Denbigh-White, security strategist at data loss prevention firm Next DLP, added that the balance between data subject and processor rights may be tilting too far in favor of the latter.
“Revisions in the handling of Data Subject Access Requests (DSARs) show a slight favor for data processors over data subjects,” he argued.
“Although safeguards around ‘nuisance’ and ‘process abuse’ data requests are sensible measures, their introduction requires some consideration of what can be considered ‘nuisance’ and who sets that threshold. It contains some degree of uncertainty. It may weaken the data subject’s data access rights.”
Antonis Patrikios, partner and global co-chair of Dentons’ data privacy and cybersecurity practice, said he agreed with Denbigh-White and that there was a “legitimate concern” that the legislation could affect the adequacy of UK data in the eyes of the European Commission.
However, he took a more positive view of the bill as a whole.
“Clarification around legitimate interests, scientific research, and automated decision-making will allow companies to explore the potential of new technologies and AI without worrying about the risk of technical violations of ill-defined rules. There is no doubt that the reduction in procedures and paperwork will increase efficiency and reduce compliance costs without compromising the substantial level of data protection,” said Patrikios.
“Two of the most basic digital business functions – operating websites and apps, and being able to share data with group companies in other regions – have legal certainty and are free from complex legal costs. We don’t have to do a lengthy and detailed legal analysis, which is welcome news, folks.”