Reading into the fine print – what does the new Data Protection Bill mean for SMEs?

In the latest chapter of the post-Brexit policy reality, the government has introduced the Data Protection and Digital Information bill. The changes aim to recreate a UK equivalent of the European Union’s GDPR law.

The government has presented the bill as a common sense policy that will reduce costs and burdens for British businesses and charities.

It’s claimed that the proposed data regime can save the UK economy more than £4 billion over the next 10 years, and remove barriers to international trade.

In theory, this should help accelerate data-driven trade, which generated 85% of the UK’s total service exports according to government figures, and contributed an estimated £259 billion for the economy in 2021.

The bill, which was co-designed with key industry and privacy partners, gives organisations greater flexibility over how they can comply with the regime while maintaining high data protection standards.

The bill is outlined in an over 200-page long document, with some of the main changes being:

• Any controller or processor is exempt from the duty to keep records of processing unless they are carrying out high risk processing activities
• Removing the need for a Data Processing Officer
• Profiling to determine if AI has been used for data processing purposes
• Introduces new obligations on providers of electronic communications networks, including notifying the Information Commissioner’s Office if anyone has contravened the direct marketing rules

Michelle Donelan, Secretary of State for Science, Innovation and Technology, said of the bill, “Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

Some changes welcomed by SMEs

The Data Protection and Digital Information Bill seemingly is claimed by the government to position the UK as a pioneer in data protection regulations. The big sell is this will be a simple, business-friendly framework that will be cost-effective to implement whilst promising to retain a status of adequacy with the EU.

Certain aspects of the policy are welcome changes by SMEs. Alan Jones, CEO and co-founder of encrypted messaging app YEO Messaging, applauds the permission to use anonymous data for R&D purposes. “The move away from restrictive cross border data restrictions is positive, providing data is anonymised – this can only benefit us all.”

The ‘Britishisation’ of the GDPR law will also bring tactical changes to marketing strategies for some SMEs who rely on intense marketing and data gathering practices of many consumer focused applications. This is because there will now be stricter penalties on the use of unauthorised personalised data with the aim of inhibiting nuisance calls and targeted pop-ups.

Jones believes the restriction is warranted. “The use of identifiable personal data harvested through interaction on a specific application is frivolous, an invasion of privacy and to date, has been uncontrolled.”

“SMEs adopting data harvesting for resale or targeting will undoubtedly have to change tactics and enhance the declaration of their use of data to the user. This may be more restrictive, but we see this as a ‘cleaning up’ exercise where the user wins.”

In practice, this means there will be more penalties enforced for the use of unauthorised personalised data. This will inhibit things like targeted pop-ups, and instead, create a stronger sense of transparency and trust amongst users.

The real risk of the Bill

Although the “common-sense led” data policy sounds welcome, some red flags emerge when looking further into the details of the bill.

“Frankly, I am a little concerned with the self-policing approach. The removal of the requirement for a business to have a Data Processing Officer may see a more relaxed attitude within small businesses,” confesses Jones.

This policy relaxation is accompanied by what Open Rights Group preemptively identifies as a regulatory race to the bottom. The group argues the bill could encourage irresponsible business practice, harming Britain’s global reputation.

Abigail Burke, policy manager at Open Rights Group says, “The bill weakens data subjects’ rights and corporate accountability mechanisms, politicises the Information Commissioner’s Office, and expands the Secretary of State’s powers in numerous, undemocratic ways.”

The relaxation of policy is designed to entice organisations to bring their business to the UK under less restrictive data protection regulations. However, there is an asterisk written next to this proposition that cannot be overlooked.

If the proposals are considered to diverge too far from the EU’s data protection regime, the UK’s adequacy status could be at risk. This decision ultimately rests in the policy circles of the European Commission, and while there isn’t much appetite from Brussels to go against the UK’s policy, a risk remains.

According to the Open Rights Group, conservative estimates found that the loss of the adequacy agreement could cost £1-1.6 billion pounds in legal fees, alongside the cost resulting from disruption of digital trade, investments, and the relocation of UK businesses to the EU.

Business as usual

The concerns flagged by the Open Rights Group, however, don’t seem to be shared by SMEs. In practice, not a lot is changing for them.

Charles Brecque, Founder of Legislate, says “From our perspective, we’ll continue to follow the rules and do what they’re supposed to do. So, in our case, there’s not a big impact from that perspective.”

To entrepreneurs, the real positive or negative impact of the bill remains to be seen. Brecque explains, “It’s natural for there to be updates to the bill, now that the UK has more autonomy on these sorts of laws and rules.”

“I think with the bill, [the government] obviously tried to be a bit more pragmatic on certain aspects. But, I guess only time will tell if it has a positive or negative impact.”

Although Jones does have some concerns on specific parts of the bill, he also says that in practice, and because of YEO Messaging’s business model, not a lot is changing.

“Fortunately, as a company focused on privacy we will see little change to our approach,” he reveals. “All data including messages whilst in transport and at rest are encrypted. So, again no data is identifiable to an individual.”

Not all businesses will tread the same path, maintaining GDPR-level data standards. Diverging from a European model of data protection carries risks that could, at scale, put a question mark on the UK’s adequacy status.

While scrutiny and some cautionary optimism is certainly warranted, the tangible effects of the policy on different types of businesses and industries remains to be seen.