The UK data protection changes
UK data protection changes… how would they have affected virtual assistant (VA) and solo-run businesses? And where are we now?
The UK Government included various changes in its Data Protection and Digital Information (DPDI) Bill, which are summarised below. However, at the time of updating this article, the UK is looking forward(!) to a General Election and the Bill did not make it through the pre-election "wash-up" period.
This means the DPDI Bill has fallen and will not now be brought into law. This doesn’t mean there won’t be changes further down the line but, as always, we won’t know what they may look like until they are put forward by the then Government.
It does mean data protection laws remain unchanged, including the UK GDPR, which still broadly mirrors the EU GDPR. How au fait are you with the existing regulations, bearing in mind they have been in effect since May 2018? If you feel a little shaky, contact me, connect with me on LinkedIn, or join my free Facebook group (more about that further down). 🙂
Would the UK data protection changes have radically altered what you should be aware of and doing?
No, they wouldn’t. The major legislation, such as the UK GDPR, would have remained on the statute books.
What about if you’ve already applied the GDPR within your business?
You’re sitting pretty! That’s great news because not only is your business protected when dealing with your UK-based clients but also when working with clients within the EU.
What changes would have happened?
The proposed changes included several measures that caused a lot of concern amongst privacy professionals and human rights organisations, because the focus was shifted away from protecting the rights of individuals and towards allowing businesses and other organisations to use personal data for their own commercial and other interests.
Another major concern was the risk of losing the UK’s Adequacy decision from the EU (the ruling that allows personal data to flow freely between the EU and the UK). The consequent economic costs of losing Adequacy would be enormous and were flagged up by various business organisations, industry leaders and politicians in the UK.
Could the changes have saved time and money as was touted by the politicians promoting the Bill?
The potential savings were somewhat exaggerated, especially in light of the fact that:
- Businesses should already have had the necessary systems and processes in place to meet the existing legislation
- Any business with clients or customers within the EU would still have been required to meet the EU data protection requirements, which were indicated to be acceptable to the UK in any event. They could therefore either run two systems in parallel or simply stick with the EU-compliant system
- If the UK loses its Adequacy with the EU, any business dealing with EU organisations will need to comply with the third-country (international transfer) requirements instead
What about the future of data protection in the UK?
Truthfully, I have no idea, especially following recent events. However, there continue to be moves towards matching the GDPR in various countries around the world. Even the USA is in the throes of bringing a federal data protection bill into law. This US bill won’t get an easy ride, but it would make things easier for VAs and other solo businesses who use popular platforms that are US-based, as it will save time when undertaking the required due diligence checks.
My thoughts (yay!)…
Personally, I am delighted the DPDI has gone the way of the dodo. However, I will not be making any promises as to what may come up in the future. There were some very unpleasant clauses included in the Bill, which would have stripped some fundamental protections away from people. For example:
- Greater exemptions for the use, reuse and sharing of personal data were included
- More automated decision-making with no human intervention would have been permissible
- It would have been made easier for organisations to refuse you access to your data
- The requirement to carry out risk (data protection impact) assessments would no longer have applied
- Powers for authorities to view the bank accounts and financial assets of those receiving benefits, including the state pension, were slipped in at a very late stage
- The ICO was to have lost its independent status and would have become subject to government oversight (major conflict of interest!)
- Adequacy* – as I’ve mentioned above, it could have easily been lost.
* The estimated cost to UK business of losing this ruling is between £1 billion and £1.6 billion. According to the New Economics Foundation, the resulting compliance costs for a micro business in this situation would be in the region of £3,000!
And where are we now re Adequacy?
The UK’s Adequacy decision is up for review by the EU in June 2025, when the current decision is due to expire. We’ll have to wait and see what happens between now and then.
For now…
Business as usual: follow the UK GDPR as it stands, continue to build your GDPR-related systems, and keep your policies and records up to date for your VA business. Make sure your clients keep you informed of what they require from your business. So, nothing you aren’t already doing.
As always, if you need help…
Free help
Ask questions here: You can get free general help in my Jargon-free GDPR Facebook group.
Stay aware: My Small Business Update News & Tips are short and sweet bi-weekly round-up emails to keep you current with useful and relevant items for your business.
Book a free 20-minute Introductory call with me to find out what would work best for your business that fits with how you run it.
Online training
Essential: My Basics of the UK GDPR course is your solution. Understand or refresh your essential knowledge of the fundamentals of the legislation that applies to you, your team, and your business. It costs £99 and comes with a certificate, 12 months of access, and updates. Buy now!
My 1-2-1 services
If you need some 1-2-1 help, click here for details. You can choose the option that suits you best.