UK employers have just about got used to the idea of GDPR, but the government has launched a consultation on reforms to the data protection regime.
The GDPR (a.k.a., the EU's General Data Protection Regulation), was implemented in the UK pre-Brexit in 2018. After Brexit, GDPR was cemented into UK law (with some small UK specific tweaks) and UK employers are required to ensure that their contracts, policies and practices comply with it.
Now that the UK is no longer part of the European Union, the UK is consulting on whether it can "reshape its approach" to data privacy legislation (in the words of the government).
Some of the key proposals which may be of interest to employers are as follows:
- Data subject access requests ("DSARs") – many UK employers will be familiar with the time and resources it takes to comply with requests from individuals to access copies of their data. The consultation proposes introducing a fee regime for individuals to access copies of their data. The government is also considering lowering the threshold at which businesses can refuse to comply with DSARs which may, for example, enable employers to refuse to comply with a request where the main purpose of the request is litigation, rather than genuine concerns about the processing of their data.
- Legitimate interests – making it easier for employers to rely on legitimate interests as a legal basis, by publishing a list of circumstances in which employers can rely on without needing to balance these against individuals' rights.
- AI – specifically including the use of AI within the list of legitimate interests, to process personal data for the purposes of ensuring bias monitoring, detection and correction.
But what does this mean for international data transfer?
Any potential reform of UK data privacy law could have a knock-on effect for international data transfers from Europe to the UK. In June 2021, the European Commission granted the UK an adequacy decision (according to which, the UK is assessed as applying a high level of protection to individuals' data) which allows the free flow of data from Europe. As a result, European businesses that transfer data to the UK don't need to put in place data transfer documents.
However, when the EU granted the UK this status it warned that this was subject to close monitoring and would need to be reviewed if the UK moved away from GDPR. If the European Commission decides to revoke this decision (which it warned it might do if it considered that the UK's standards of data protection dropped) this would mean data transfer documents would be required by businesses for transfers of data from Europe to the UK.
What should employers do now?
The consultation is open for views until 19 November 2021 and any change in the law will take some time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.