UK employers have just about got used to the idea of GDPR, but the government has launched a consultation on reforms to the data protection regime.
The GDPR (a.k.a. the EU’s General Data Protection Regulation), was implemented in the UK pre-Brexit in 2018. After Brexit, GDPR was cemented into UK law (with some small UK specific tweaks) and UK employers are required to ensure that their contracts, policies and practices comply with it.
Now that the UK is no longer part of the European Union, the UK is consulting on whether it can “reshape its approach” to data privacy legislation (in the words of the government).
Some of the key proposals which may be of interest to employers are as follows:
Any potential reform of UK data privacy law could have a knock-on effect for international data transfers from Europe to the UK. In June 2021, the European Commission granted the UK an adequacy decision (according to which, the UK is assessed as applying a high level of protection to individuals’ data) which allows the free flow of data from Europe. As a result, European businesses that transfer data to the UK don’t need to put in place data transfer documents.
However, when the EU granted the UK this status it warned that this was subject to close monitoring and would need to be reviewed if the UK moved away from GDPR. If the European Commission decides to revoke this decision (which it warned it might do if it considered that the UK’s standards of data protection dropped) this would mean data transfer documents would be required by businesses for transfers of data from Europe to the UK.
The consultation is open for views until 19 November 2021 and any change in the law will take some time.
In the meantime, employers should continue to comply with the requirements of GDPR. Please get in touch with Deborah Margolis if you would like a copy of our handy one-page GDPR checklist setting out what employers really need to do.