Will the Data Protection and Digital Information Bill actually cut red tape?
Posted: June 2, 2023 Filed under: cybersecurity | Tags: compliance, data protection, DPDI, GDPR, uk government
The government’s much-vaunted successor to the GDPR is still working its way through parliament. The Tories are hoping for obvious reasons that it shows how nimble the UK can be in post-Brexit regulation. But will the Data Protection and Digital Information Bill (DPDI) actually achieve the operational compliance benefits for UK PLC that the government is claiming?
Legal experts I spoke to for a new feature are sceptical.
To cut or not to cut?
Cutting red tape is one of the government’s biggest claims for the legislation, which it says will end up saving UK organisations billions over the coming decade. The government claims it will reduce “pointless paperwork” without impacting data adequacy with the EU, which is essential to seamless cross-border data flows.
Antonis Patrikios, global co-chair of privacy and cybersecurity at Dentons, argues that it could make life easier for some firms.
“It could do so by significantly reducing the instances in which documented assessments or records of processing are required or replacing the requirement for the statutory role of the Data Protection Officer (DPO) with a requirement to appoint a Senior Responsible Individual, a member of senior management,” he tells me.
However, Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, says that these benefits will only be felt by organisations that are subject solely to the UK GDPR. In other words, those with operations in the EU must either choose to maintain two separate compliance regimes, or else make life easier by sticking to the EU GDPR regime—which they are allowed to do under the new DPDI. If they do the latter, they’ll miss out on those much-touted red tape-cutting benefits.
“Businesses that have an existing compliance programme in place which meets the requirements of the EU GDPR may choose to maintain the status quo in certain respects even where not legally required (e.g., DPOs), given the benefits that doing so could have both for their internal processes and the external trust which will be gained by maintaining what are seen to be higher data protection standards,” Machin tells me.
“But UK companies that are also subject to the EU GDPR—or vice versa—will still have to comply with the more restrictive EU standard. Given that most of these organisations are unlikely to operate dual compliance programmes, particularly where they have spent significant time and money building an EU GDPR compliance framework, the benefits of being subject to a lighter-touch UK regime will probably be limited.”
Bad timing
What’s more, the new bill couldn’t come at a worse time for compliance teams already facing new GDPR-like legislation in several US states. The good news is that there will be some crossover, according to Machin.
“Compliance teams tend to be overwhelmed at the best of times, and the flurry of new data laws in the UK, EU and US isn’t going to lessen their workloads. That said, the good(ish) news is that many of these laws are underpinned by the same, or very similar, core principles and obligations—particularly those around transparency, accountability, security and individual rights,” he concludes.
“This means that existing compliance programmes can be tweaked to meet the new or differing requirements of these laws, rather than starting from scratch each time.”
