A year after the publication of the UK’s National Data Strategy, the Department for Digital, Culture, Media, and Sport (DCMS) is embarking on a significant new consultation centering on proposed changes to the UK’s data protection regime in a post-Brexit environment, alongside reforms to the Information Commissioner’s Office (ICO).
The wide-ranging set of proposals supposedly build on the provisions of the General Data Protection Regulation (GDPR) and 2018 Data Protection Act (DPA) and are intended to address a lack of clarity as to how the GDPR is applied and reduce the burden on organizations that are trying to do the right thing.
Among the reforms on the docket are changes to requirements for data protection officers (DPOs), an end to mandatory data protection impact assessments (DPIAs), and changes to rules on breach reporting.
The government sought to ease fears embarking on a bonfire of GDPR, describing its planned data regime as “based on common sense, not box-ticking,” and insisted that its proposals are not a “watering down” of the GDPR legislation.
“Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society,” said digital secretary Oliver Dowden.
“These reforms will keep people’s data safe and secure while ushering in a new golden age of growth and innovation right across the UK, as we build back better from the pandemic.”
DCMS insisted the government maintain world-leading data protection standards, building on the current GDPR and DPA-based set-ups, such as principles around data processing, data rights, and supervision and enforcement mechanisms.
However, it said, it was aware that the current regime “places disproportionate burdens” on some organizations, such as small businesses that face the same data protection processes as multi-billion-pound enterprises. Therefore, it wants to move away from a one-size-fits-all approach to let different types of organizations demonstrate data protection compliance in more appropriate ways to their circumstances.
Dowden said that far from being a barrier to innovation or trade, renewed regulatory certainty and high data protection standards would let British businesses and consumers thrive online and added that protecting personal data would remain at the heart of the future regime.
As part of this, the proposed overhaul of the Information Commissioner’s Office (ICO) – alongside the recently announced appointment of New Zealand’s John Edwards as the following information commissioner – will help to “drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats”.
The ICO reforms will include a new overall structure, including an independent board and chief executive that more closely mirrors the governance structures of related regulatory bodies, such as the Competition and Markets Authority (CMA), Financial Conduct Authority (FCA), and Ofcom.
This structural reform aims to reduce the burden of complaints the ICO receives every year by placing more onus on complainants to resolve data disputes with organizations before involving the ICO, just as one would complain about one’s broadband to one’s ISP before complaining to Ofcom. It hopes this will also have the effect of enabling the ICO to broaden its remit to champion sectors and businesses that are using personal data in new, innovative, and responsible ways to benefit people’s lives.
The government believes this will ultimately help deliver more agile, effective, and efficient public services and strength the UK’s position as a “science and technology superpower”.
Information Commissioner Elizabeth Denham said: “People’s data is used in ever more novel ways; it is right that government looks to ensure a legislative framework that is fit for the future. A framework that continues to be independently regulated to maintain high standards of protection for people while delivering social and economic benefits.
“My office will provide constructive input and feedback as the work progresses, including through our public response to the consultation, ensuring that the ICO can effectively regulate this legislation. We will be considering the detail of the proposals and intend to publish our response as soon as possible.”
Bojana Bellamy, president of the Centre for Information Policy Leadership (CIPL), said the overall plan was bold, much needed, and could be a win-win.
“It enables organizations to leverage data responsibly, for economic and societal benefits, and to build their brand as trusted data stewards. It gives individuals assurances and more effective protection from genuine harms,” she said.
“Accountability, risk- and outcome-based approach will be welcomed by all – these are the founding blocks of current regulation and a modern regulator. I hope other countries follow the UK’s lead.”
Sue Daley, director of tech and innovation at techUK and co-chair of the National Data Strategy Forum, added: “The data reform consultation is the start of a meaningful conversation that must include a wide range of stakeholders to explore how we could make the UK’s data protection framework work better for citizens and businesses.
“The National Data Strategy Forum has a key role to play to make this happen as well as supporting the other activities announced today to deliver the missions of the National Data Strategy.”
Ethics in AI data usage
Recognizing that algorithmic and automated decision-making is on the rise and shows no signs of abating, the reform package also contains a strong emphasis on building confidence that AI-powered services are a force for good and won’t inadvertently harm people.
As such, some of the proposals set out in today’s consultation document are designed to help organizations get to grips with the risk of bias in their algorithmic systems by identifying factors that drive preference and enabling them to take steps to ensure their services do not replicate societal or historical discrimination or make unfair inferences, such as health insurers monitoring people’s purchasing habits to predict their fitness levels. The problem of AI assurance forms a vital plank of the Centre for Data Ethics and Innovation’s (CDEI’s) 2021-22 program of work. To this end, the government has also today named several world-leading experts to the CDEI’s refreshed advisory board, including Jack Clark, co-founder of Anthropic AI and former policy director at Open AI; Rumman Chowdhury, director of machine learning, transparency, and accountability at Twitter; Jessica Lennard, senior director of global data privacy and AI initiatives at Visa; and James Plunkett, executive director of advice and advocacy at Citizen’s Advice.