The UK Government’s proposals to reform UK data protection laws are underway. Is there simplification and deregulation ahead?
Many will be hoping for a bonfire of red tape, to include the scrapping of data protection officers, records of processing and data protection impact assessments.
However, it looks likely that any changes that are brought in will be less radical, and many of these obligations could be replaced by a more flexible privacy risk programme. While some of the obligations under UK GDPR will change, its core principles will not. The Government’s proposals for reform raise often-asked questions about the cost and effectiveness of many aspects of UK GDPR and, as a result, the proposals suggest removing the obligation to:
- appoint a data protection officer, either in all cases or just for public authorities
- conduct data protection impact assessments
- consult with the Information Commissioner in relation to high-risk processing
- prepare records of processing activities
There are broader reforms to other aspects of UK data protection law, such as:
- introducing a notional fee for subject access requests
- imposing a cost cap on the amount organisations have to spend responding to a subject access request, and invalidating vexatious subject access requests
- relaxing the rules on cookies so consent will not be needed for analytics cookies or where there is a legitimate purpose to the processing
- broadening the similar products and services exemption for email marketing so that it also applies to non-commercial entities
The UK Government is also proposing significant changes to better allow the use of data for innovation, particularly for AI projects. Another change is increased fines under the Privacy and Electronic Communications Regulations to match fines under the UK GDPR, so it is important for communications and telephony businesses to stay up to date with these potential changes on the horizon.
The mooted privacy management programme will require organisations to:
- define roles and responsibilities within the organisation regarding data protection, including designating an individual to be responsible for that programme
- demonstrate evidence and support from senior management, including through appropriate reporting obligations
- implement measures to support the programme such as: personal data inventories, internal policies, risk assessment tools, procedures for communicating with data subjects, procedures for handling breaches, and implementing processes to monitor and update the programme and check its effectiveness.
The proposed changes point to incremental reform rather than radical reinvention, but after the tumult of recent years for UK firms, the fact that these changes aren’t likely to create huge waves might be welcomed. However, they will have some impact on almost all UK firms.