New data protection legislation published to fundamentally alter UK GDPR

UK Parliament and British flag
The UK government has published its response to the data protection consultation

Response to the UK GDPR consultation published

The government have published the draft legislation to amend the data protection regime in the UK. The Data Protection and Digital Information Bill (DPDIB), which was introduced to Parliament just before the summer recess and before the appointment of the new government in September, would modify the existing UK version of GDPR and cause some significant areas of diversion with EU GDPR. Earlier this year, VinciWorks outlined the key changes that were expected to be made. The aim of the new UK data protection legislation is to ease GDPR requirements for companies and make them less burdensome.

What are the key changes the UK data protection bill seeks to introduce?

Among other things, the changes will:

  • amend the definition of personal data
  • use AI to process sensitive data and other information
  • add new legitimate interests
  • remove the requirement for cookie consent
  • amend accountability requirements
  • remove the need to appoint a data protection officer
  • charge fees to access your own data
  • remove record-keeping requirements
  • reform of the Information Commissioner’s Office (ICO)
  • raise fines for PECR breaches

Even though the bill proposes widespread changes, it actually preserves the existing UK GDPR and the PECR, as it was drafted as an amending act rather than a completely new legislative instrument.

In addition, there is a chance that political factors could stymie the bill. If an election is called prior to the bill receiving royal assent, it won’t become law. The UK’s adequacy status with the EU remains a question, even though the government has expressed the opinion it is entirely possible to retain it.

New courses and resources coming soon

VinciWorks is closely following the legislation and will, in the coming weeks and months, be releasing new updated resources, guides and a completely revised UK GDPR course that will reflect the changes and keep you and your organisation aware of everything you need to know about the updated bill. 

Stay updated 

You can keep up with the latest via our blog and through the Regulatory Agenda that we publish, which documents new and important compliance regulations.

GDPR compliance – why should you still care?

Laptop

The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. GDPR’s reach is global, and in the four years that it’s been in force, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner. 

Any company that offers goods or services to anyone in the EU is required to comply with GDPR, and any employee who collects, processes or stores data as part of their responsibilities, needs to be trained in data protection rules and regulations, including business owners, directors, managers, supervisors, staff and contractors.

But now it’s been over four years since GDPR came into force and some might be asking if it’s still relevant, and why they should still care.

Continue reading

GDPR four years on

GDPR four years on

Your GDPR Questions and Answers

Thank you to everyone who came along to last week’s GDPR webinar. We had a number of questions during the webinar and we’ve answered them all here in this blog. Please contact us if you would like a personalised discussion on your data protection compliance needs.

Top 12 GDRP questions and answers

How can I legally transfer data to the USA?

Right now the way to legally transfer data to the USA is using the standard contractual clauses, or the British equivalent mechanism. This means going through a risk assessment process, filling out all the paperwork of who the data is going to, who processes it etc. 

Think of it like exporting physical goods. Paperwork needs to be filled out at the port of exit and properly done so, and data is unfortunately no different. But do the paperwork correctly and there shouldn’t be too many problems. 

Continue reading

On-demand webinar: GDPR – Four years on

Birthday candles for GDPR

Wednesday 25 May, 12pm (UK)

The EU’s General Data Protection Regulation (GDPR) has now been in force for four years. During that time, fines have reached a total of over €1.6 billion, with the majority of fines having been levied in the past 12 months. Also during that time, the UK left the EU, data protection regulation reforms were announced in the UK and the ICO appointed a new commissioner.

On the fourth anniversary of GDPR coming into force, we took a look at the last four years of GDPR, the effect the regulation has had on the way we collect and process data and what we can expect going forward.

The webinar covered:

  • A review of where businesses are falling short in GDPR compliance
  • What can we learn from recent GDPR fines?
  • How the UK’s data protection reforms affect UK GDPR
  • Best-practice guidance
  • How to implement an effective GDPR compliance programme

Watch now

Continue reading

CCPA vs GDPR: Similarities and Differences Explained

CCPA vs GDPR: Similarities and Differences Explained

Intro to CCPA vs. GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR), a law regulating how businesses must handle personal data, came into effect. The impact on how online user data had to be handled was massive. Shortly thereafter, on 28 June that year, the California Consumer Privacy Act (CCPA) was passed, going into force on 1 January 2020. On August 14, 2020, the final regulations were approved and it immediately went into effect. To the relief of those companies that were already GDPR compliant, CCPA is, in many ways, a more lenient version of GDPR. However, there are important differences.

GDPR recap

GDPR legislates how companies in the EU must handle personal data. This includes names, email addresses, location data, browser data, etc. This legislation places a responsibility upon companies to be transparent in their handling of personal data and maintain records of how they process that information. The law is meant to ensure that individuals always retain control over their information. Most importantly, consent to use personal information must be explicitly given before being collected and can be revoked whenever it is requested. There is no such thing as implicit consent. For example, browsing or scrolling through a website cannot be considered consent to collect and make use of personal information. 

Try VinciWorks’ GDPR training here

Continue reading

What marketers need to know about GDPR in 2022

What marketers need to know about GDPR in 2022

Trends in data protection for direct marketing

Have data protection authorities begun the great fightback against business? Perhaps they have been tasked with bringing in some much-needed cash to national coffers, because fines have become the next big trend in data protection and should seriously concern marketers in all sizes of business.

Some recent marketing-related fines have included:

  • Amazon – €746m for compiling data on customers
  • WhatsApp – €225m for failing to provide information in clear and plain language
  • Austria Post – €9.5m for failing to allow subject access requests by email
  • Grindr – €6.3m for sharing location services without consent because it was special category data on sexual orientation
  • Sky Italia – €3.3m for unwanted phone calls

Overall, there’s been a 113% increase in GDPR fines between July 2020 to July 2021, with 709 in total compared to 332 in the year before. Penalties for violations have more than doubled as well, from €130.69 million up to July 2020 to €293.96 million up to July 2021. 

Continue reading

GDPR changes in the UK: reform of the ICO

GDPR changes in the UK: reform of the ICO

The UK government is planning significant changes to the UK’s data protection regime. From re-orientating the Information Commissioner’s Office (ICO) to new ways for businesses to process data, these far-reaching GDPR reforms are set to have a significant impact on business. We covered these changes in depth in a previous article and webinar

High on the government’s agenda as outlined in their consultation is reform of the ICO – the Information Commissioner’s Office. This has been on the cards for sometime, with the government keen to align the ICO towards delivering the National Data Strategy. The Department for Digital, Culture, Media and Sport (DCMS) has outlined their proposed changes to the regulator.

Continue reading

On-demand webinar: Data Protection — What the UK wants to change

The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.

Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.

In this short video, our Director of Learning and Content takes us through what the potential changes are and how they might affect the way we process data.

Watch now

Significant changes planned for UK data protection law

Here’s what you need to know about the UK’s plans to radically alter GDPR

The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.

Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.

“The government wants to remove unnecessary barriers to responsible data use. A small hairdressing business should not have the same data protection processes as a multimillion-pound tech firm. Our reforms would move away from the “one-size-fits-all” approach and allow organisations to demonstrate compliance in ways more appropriate to their circumstances, while still protecting citizens’ personal data to a high standard.” Department for Culture, Media and Sport.

Continue reading

On-demand webinar: GDPR — Back to the Office

Webinar invitation banner

As COVID-19 restrictions are lifted and businesses begin to return to the office, companies are taking a variety of approaches to managing the transition. While some are staying at home for now and others have gone back full time, most are opting for a hybrid working policy. While this might be a sensible and fair solution for the time being, having staff work both at home as well as the office raises several data security and GDPR compliance concerns.

In this webinar, we were joined by Dechert LLP’s Director of Risk and Compliance Mohbub Rahman to explore the key things you need to remember to keep data safe during the latest transition.

The webinar covered:

  • How companies are transitioning back to the office
  • How hybrid working works
  • Data protection risks in a hybrid working environment
  • How hackers and scammers took advantage during the pandemic
  • Best practice for data security with hybrid working

Watch now

Continue reading