Insurance 2023 - the year ahead
Many British businesses will need to comply with both UK and EU data privacy rules
Following Brexit, the UK government’s view is that the UK GDPR and DPA 2018 have created barriers for businesses and consumers. Following the government’s consultation ‘Data: a new direction’, the new Data Protection and Digital Information Bill (the Bill) was introduced to Parliament on 18 July 2022. Progress through Parliament has since stalled with the change of Prime Ministers, but the government confirmed in October 2022 that the Bill will be developed ‘in due course’.
Limited information has been forthcoming as to how the Bill will now be developed, with the new Secretary of State for Digital, Culture, Media and Sport commenting that this will now be ‘our own business and consumer-friendly British data protection system’, and observing that the GDPR is a ‘one-size-fits-all’ approach. Looking to the current draft of the Bill, we may expect to see:
On 30 November 2022, the government also announced that it will be updating the Network and Information Systems (NIS) Regulations, which were originally derived from the EU’s NIS Directive. The changes aim to boost security standards and increase reporting of serious cyber incidents, by bringing managed service providers into the scope of the regulations and improving incident reporting. The updates will be made ‘as soon as parliamentary time allows’.
Given the proposed changes in legislation, we question the extent to which departing from the GDPR may lighten any existing burdens. Many organisations in the UK process personal data in the EU or of EU individuals, and in these circumstances they will be required to comply with both the EU GDPR and the new UK legislation and regulations. Any divergence between the two is likely to increase, rather than decrease, their data protection obligations.