UK's GDPR replacement is an "unworkable headline-grabber"

Data Reform Bill only “tweaks edges” of the GDPR and will increase costs for any firm dealing with Europe

IT leaders feel the Data Reform Bill will add cost and complexity for only minimal benefit

Image:
IT leaders feel the Data Reform Bill will add cost and complexity for only minimal benefit

The UK’s proposed domestic answer to the EU’s GDPR, the Data Reform Bill, is an expensive, cumbersome red herring in its current form, and unlikely to differ from the EU regulation in any significant way.

"Whoever's come up with the idea of doing this, they probably haven't thought about the overhead associated with the management of two regulations," said Michelle Moody, MD of Technical Consulting - Data & Analytics at consultancy Protiviti.

"The larger organisations that are already working in the international arena are going to stick with the main GDPR because of the adequacy decisions... [and] for organisations that are middle to small - if they are transferring data, as an example, that they're going to have to manage two regimes and that can be quite expensive."

The Data Reform Bill (DRB), also known as the Data Protection and Digital Information Bill, is an attempt to simplify the GDPR, but merely "tweaks the edges" rather than making any drastic changes.

Many IT leaders would agree that the GDPR could benefit from reform - when it comes to requirements on SMEs, for example - but trying to fix it with additional domestic legislation is not the way forward, says Moody.

"For organisations that are middle to small - I just think that if they are transferring data, as an example, that they're going to have to manage two regimes and really, that can be quite expensive."

She added, "I think it's more for headlines, and to show that they [the Government] are doing something, more than actually thinking through... To be quite frank, it's all very expensive and potentially not that workable."

Making it work

The DRB is still in the consultation phase, and "probably has at least 18 months of people kicking the tyres on it" and asking questions. That means, with the next general election only around two years away (at the time of writing...), there's a very real chance we won't even see the Bill become law before it has to be handed over to a new government.

In its current form - and bearing in mind much could change in those 18 months - there are only a few "quite minor" benefits to be seen from the Data Reform Bill in its current state. Even then, most of those only apply to small companies, and are likely to be swallowed up by the extra cost of having to comply with two sets of regulations.

Moody pointed to two proposals that could be beneficial: one around scrapping the requirement to have a local representative in the UK for data processing (ironically, this would benefit EU companies rather than those in the UK); and another around the definition of personal data.

However, she stressed, "it's a marginal advantage... It's not necessarily your legal moment for change." There are even some areas, specifically around safeguarding and processing data for research purposes, that seem to have become more complex.

"It's not a significant set of changes that are actually beneficial, and I think when you take the changes and then you look at what most organisations will need to manage in terms of double sets of regulations, processes, etc, I think it really cancels itself out. So, it feels unlikely to do what it says on the tin."

The Brexit vote in 2016 was defined by hype, and it was easy to get caught up. There was even some cautious optimism from business leaders in the immediate aftermath. But, "the reality is, you're in a global economy, you're in a global environment. We're very close to Europe, we're working with them, we've got businesses that do a significant set of work across Europe and other areas, and we need to have a consistent way of processing."

We can only hope that the DRB's weaknesses will "flush out" over the next 12 months as it works its way toward a third reading in the House of Commons. Whatever the Bill's final form looks like, Moody says businesses should focus on three priorities to get ready for its final implementation:

First, "focus on reviewing your data policies" and everything else you have in place around data, so you have a clear idea of your starting point. In addition, "try to align to the GDPR as we know it today," ensuring any changes you will have to make are minimal.

Finally, every IT leader should "stay up to date with the way that this particular Bill evolves over time." The DRB only looks unworkable for now - it will change in consultation, and remaining aware of how it does so will minimise your workload when (or if) it comes into force.

"There's no need to panic," Moody concludes. "It's all around just making sure you're continuing to do the right things as an organisation...and we'll see where this lands in another 18 months-to-two-years. It could get shelved. Who knows? It's a volatile market out there."