UK To Shift Away From GDPR: Government Consultation Confirms Plans To Change UK Data Privacy Regime

Published date: 01 July 2022
Subject Matter: Privacy, Data Protection, Privacy Protection
Law Firm: Littler Mendelson
Author: Mr Darren Isaacs and Deborah Margolis

The UK government is proposing to amend its data privacy regime to make it easier for employers to comply with its requirements.

The main points that would impact employers (if implemented) are that it would be easier to reject, or charge a fee for, vexatious subject access requests, and that some of the compliance and paperwork hurdles would be removed and replaced with a more "flexible" mechanism.

It is possible that, if the EU determines that this lessens the UK's data privacy protections, it could revoke the UK adequacy decision, which would mean that businesses would need to put in place documentation when transferring EU data to the UK on the basis that the UK was a non-compliant third country (like the United States).

Background

The European General Data Protection Regulation (GDPR) was implemented in 2018, when the UK was still part of the European Union.

Following Brexit, UK employers are required to comply with the UK version of GDPR (with some minor variations). However, now that the UK has left the EU and has its new "regulatory freedoms," the UK government is looking to "reshape" the UK's approach to data privacy.

You may remember that back in September 2021 the government launched a consultation on its proposed reforms. The government has now published the outcome of that consultation and has outlined the areas that it seeks to reform. The government's objectives include "reducing the burdens on businesses" and giving "individuals greater clarity over their rights and a clearer sense of how to access" their data. The proposals build upon the foundations of GDPR with some variations.

Data: a new direction - but what direction is that and what does it mean for employers?

We've outlined below the main changes that would impact employers.

  • Data Subject Access Requests (DSARs) - DSARs are one of the main rights individuals have under GDPR and the one that causes HR professionals the biggest headache. The right enables employees to obtain access to copies of personal data which their employers process (which can be voluminous), as well as other specific information. DSARs are commonly used by disgruntled employees as a pre-litigation tactic and can be time-consuming and expensive for employers to comply with.

The government proposes to make it easier for businesses to refuse to comply with DSARs or to charge a fee. The government intends to lower the threshold for refusing to comply with a DSAR or charging a reasonable fee from "manifestly...
