The UK’s new information commissioner, John Edwards, last week told Parliament during his interview for the job that the UK could take Fleetwood Mac’s advice and “go your own way” when deciding on its approach to the post-Brexit regulation of data protection.

The Government has now revealed what that way might look like. It comes in the form of a 150-page consultation document that makes the transition from Peter Green’s Fleetwood Mac (serious blues gods) to Stevie Nick’s Fleetwood Mac (a few great tracks, but ultimately lightweight pop) look mild indeed. Much like the latter day ‘Mac, the UK’s proposals are often more digestible than the previous, purist incarnation — for the purposes of this tortured analogy, that is the GDPR, which no one could accuse of hitting all of the right notes. 

Some of the key headlines from the consultation are as follows:

  • The obligations to maintain records of processing — those things you took ages to compile — and to conduct DPIAs for high-risk processing would be removed from the statute book.
  • A “limited, exhaustive” list of legitimate interests will be created on which organisations can rely without having to apply the balancing test required when using legitimate interests as a legal basis for processing.
  • The prohibition on being subject to a decision based solely on automated processing may be scrapped, so that such processing can occur on the basis of legitimate interests or where it is in the public interest. This one has already raised the ire of privacy interest groups, and were I a betting man — if my wife is reading this, I rarely do that regularly these days — my suspicion is that the Government may walk back on this proposal in the face of public pressure.   
  • The reintroduction of a fee regime for data subject access requests is being considered. Given that the permitted fee under the previous regime was GBP 10, a similar approach won’t do anything to address the time and cost that businesses often face when responding to DSARs. The Government’s talk of a cost ceiling looks like a creative way of dealing with this issue – although one can envision how that approach may disadvantage legitimate requesters rather than those weaponising DSARs for other purposes.  
  • The appointment of a data protection officer will no longer be required, and would be replaced by an individual who is responsible for the organisation’s compliance programme. Those roles may sound the same, but the consultation document appears to suggest that one of the key aspects of the DPO’s role — their independence — is less central to the remit of the responsible person. That will be welcomed by small businesses, for whom it can often be challenging to appoint an internal candidate with sufficient independence for the purposes of the GDPR, but is likely to be viewed less favourably across Europe.
  • Under a proposed change to the data breach reporting rules, organisations would only be required to notify the ICO of breaches that pose a “material” risk to individuals (i.e., rather than a “risk” under the current standard). This revision is designed to address what the Government says is a culture of over-reporting by organisations.

There's much more besides in the consultation document, which should be required reading for all responsible individuals. The proposals aren't final, but they do give the best insight yet into how the UK views the GDPR (hint: it's not a ringing endorsement). Also notable is just how soon after securing adequacy that the UK has revealed its hand. ("I can still hear you saying, you would never break the chain.") 

With Brussels reportedly close-ish to a new trans-Atlantic data pact (also a key British priority), will realpolitik influence the EU's decision not to revoke the UK's adequacy decision? As a non-betting man, I'd say yes — but there will be plenty of time for handwringing before then. Happy Monday!