GDPR changes: how will they impact SMEs?

A revised UK GDPR bill is moving through the Parliamentary legislative process and will become law. It proposes ways to reduce costs and burdens for British businesses, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.

An extract from the government’s draft bill outlines the rationale and the planned improvements. “The existing European version of GDPR takes a highly prescriptive, top-down approach to data protection regulation which can limit organisations’ flexibility to manage risks and places disproportionate burdens on small businesses.”

What is GDPR?

GDPR, General Data Protection Regulation is the EU rules on data protection and privacy. Approved in 2016 and passed as law in 2018, it creates a legal framework for rules on the collection of personal data and its use. The Data Protection Act 2018 covers the UK’s current GDPR laws.

GDPR gives individuals the right to find out what information the government and other organisations hold about them. Businesses must follow rules on how they collect, use and store personal data.

UK startups will be familiar with these general principles because GDPR affects any business that processes personal data.

What is the timeline?

When the UK voted for Brexit, it meant the UK had to create new, independent laws. This often means simply copying existing EU laws and enshrining them into the UK statute book.

In certain areas there have been amendments, additions or removal of laws to reflect the UK’s wants and needs. The GDPR bill was first introduced in the summer of 2022, but paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts.

“Ministers have worked with key industry and privacy partners on amendments which will give businesses and organisations greater flexibility over how they can comply,” says Dorothy Agnew, Partner at solicitors Moore Barlow.

In March 2023, the Data Protection and Digital Information Bill, the UK’s post-Brexit interpretation of EU GDPR rules, had its second reading in Parliament. The new bill is not yet law. “It is difficult to predict when the Bill will become law,” said Dan Lovett, Associate at Penningtons Manches Cooper Law. “It still needs to clear both the House of Commons and the House of Lords and could take several more months. The key date will be when the new Act comes into force – which is when organisations need to comply with the new obligations,” Lovett explains.

The Secretary of State will eventually decide on the date the bill becomes law. Businesses will receive a reasonable period to comply with any new obligations. You can track the progress of the bill here. It is currently at the report stage in the House of Commons.

What will change and why?

The Bill will amend the existing UK Data Protection Act 2018, but dramatic changes are not expected. However, the bill is still progressing through Parliament, “so further changes may occur before the Bill becomes law, but we expect these to be minimal,” says Lovett.

The overall rules around data protection compliance in the UK will not be radically overhauled. “Instead, the intent is to help clarify the law and make it less burdensome in lower-risk situations, which is good news for start-ups,” continues Lovett.

How will it affect UK startups?

Startups that already comply with existing UK data protection laws won’t need to take much further compliance action. Businesses don’t need to take any specific actions now apart from ensuring they comply with current GDPR rules but should be ready to act when the new bill comes into force.

Startups should look at the new requirements for complaint forms and update their privacy notices in line with this. Once the bill becomes law, there will be time to update policies and implement changes.

What are the main changes and legal issues?

The EU GDPR was incorporated into UK law as the UK GDPR. “The new bill does not substantially amend the UK GDPR, but there are some key changes,” points out Lovett. One of the main changes relates to the lawful basis of “legitimate interest.” This means under UK GDPR, just as before, under EU GDPR, organisations must have “a lawful basis” to process personal data. However, the UK Bill makes it easier for organisations to know if they can rely on “legitimate interest” as a safeguard by providing examples of what a legitimate interest might be, “which makes compliance easier,” says Lovett.

Examples of what may be a qualifying legitimate interest are set out in new Annex 1 of the Bill and can be added to or varied. They include processing necessary for direct marketing, intra-group transmission of personal data for internal administrative purposes and processing necessary for ensuring security of network and IT systems. “The change aims to simplify and clarify processing in relation to the recognised legitimate interests,” suggests Agnew. “It also removes the need for the controller to conduct a balancing test, which may prove beneficial for small businesses.” The rules on international transfers of personal data and record keeping requirements will be simplified, “reducing the burden for many businesses,” says Lovett.

Another amendment that will benefit most internet users not just businesses is changes to consent required for cookies. Currently consent is needed for all, except essential cookies. “The Bill widens this exemption so consent will not be needed for specific low risk cookies,” explains Lovett. This means those used solely for security and software updates if the user can opt out and optimising webpage display.

The final key change relates to data subject rights. The ban on automated decision making will be replaced with a rule that requires a controller to ensure safeguards exist for using personal data for automated decision making. Individuals will have the right to complain and contest any automated decision to data controllers. “This will require start-ups to facilitate complaints by providing a complaint form,” advises Lovett. Startups will need to include information about this in their privacy notices and ensure their systems are designed to allow for these safeguards.

Will there be extra costs for businesses?

In most cases extra costs will be minimal and the government’s aim is for less regulation, and, potentially, lower costs. If a startup is already compliant, they won’t have to spend much time or money.

The current UK GDPR requires certain organisations to appoint a Data Protection Officer (DPO). Under the new Bill, these will become ‘Senior Responsible Individuals,’ (SRI). This will potentially reduce costs for startups because all organisations that undertake high risk data processing will need to designate an SRI, but this post must be taken by a senior manager, who will be an existing staff member. This means they won’t need to appoint an independent DPO from outside the business.

Who will be most affected?

Startups that process and use high volumes of personal data will be affected. This could be from any sector but could particularly impact consumer facing organisations, technology companies which process personal data, marketing companies and companies working in AI, quantum computing, fraud reduction, healthcare services and most types of research.

There will be clarification on the definition of consent for the purposes of scientific research. “This will amend Article 4 UK GDPR and means a business processing this type of data has more clarity and certainty,” emphasies Agnew.

Benjamin Salisbury - business journalist

Benjamin Salisbury is an experienced writer, editor and journalist who has worked for national newspapers, leading consumer websites like This Is Money and MoneySavingExpert.com, business analysts including Environment Analyst, AIM Group and written articles for professional bodies and financial companies. He covers news, personal finance, business, startups and property.