UK Data reform: A new direction (or just a slightly different one?)

My answer to that question is this:

"if it looks like a duck, walks like a duck, and talks like a duck…well it’s probably a duck."

Firstly, I want to point out I’m not a lawyer or an accredited DPO, I’m just a privacy tech enthusiast and data practitioner who has dedicated the last 7 years to reinforcing trust, by rethinking personal data to help deliver positive outcomes for individuals, commerce, and society.

Graphical user interface, text, application

Description automatically generated

Figure 1. Final TIGRR Report (Taskforce on Innovation, Growth and Regulatory Reform in a post-Brexit UK) 

I read the government’s TIGRR report which first gave us a taste of what the consultation paper would deliver.  I also read all the comments on LinkedIn; the authors don’t know their a5$e form their elbowrepeat after me cookies are regulated under PECR not GDPRthe government wants to throw our data to the wolves, outsourced DPO firms should be worried… 

I therefore started to read the paper in trepidation as I expected much of the hard work that myself and the team at DataGuard had put in to protecting the people behind the data, to be ripped up.

In this article

A more pragmatic framework

In summary my opinion on the new proposals is positive. Anything that delivers a more pragmatic framework, that more businesses are likely to understand and adopt, that protects more people behind the data, will always get a thumbs up from me.

The consultation paper includes a detailed, intelligent, and thought-provoking set of suggested amendments and proposals to the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR). If just a few of the suggested amendments are implemented, we will potentially see a significant change to existing frameworks, but not enough for businesses who have embraced the UK GDPR to worry.

We have until the 19 November 2021 to feedback as part of the consultation process. This provides a great opportunity for organisations and individuals to influence the future direction of the UK data protection framework.

Why has this consultation paper been published? It is part of the UK’s so called ‘Brexit Dividend’, to take advantage of the UK’s new-found regulatory freedom, to support innovation and growth. The UK government believe that by allowing data to flow more freely huge societal and commercial benefits can be gained.

Will it deliver? In a nutshell, I think so. Paragraph 11 sets the scene and the context in which the paper should be read.

The reforms presented for consultation deliberately build on the key elements of the current UK General Data Protection Regulation (UK GDPR), such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement. These key elements remain sound, and they will continue to underpin a high level of protection for people's personal data and control for individuals over how their data is used. Organisations have invested in understanding, complying with and implementing this regime, and the ICO's toolkit for supervision is fundamentally fit for purpose. The reform proposals offer improvements within the current framework, while maintaining the UK's worldwide reputation for high data protection standards and securing public trust.

The UK government do appear to be committed to working with all stakeholders and the ICO to secure a pro-growth and an even better and trusted data regime.

The report’s highlights

I’m not going to focus on every chapter or section of the report, after all there are 5 chapters, 410 paragraphs over 146 pages. I’m going to highlight the sections and paragraphs that are of interest to me. I have purposefully not commented on certain sections, such as Adequacy as there are far better qualified people to do this than me.

Chapter 1 - Reducing barriers to responsible innovation

Chapter 1 focuses on clarifying the circumstances in which data can be used for further processing, when legitimate interests can be applied to give data controllers greater confidence and it seeks to give greater clarity of when AI and Machine Learning leading to automated decisions can be used.

Re-use of personal data

The Government heard from stakeholders that the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.

This reminds me of research published by Boston Consulting Group back in March 2018 which highlighted companies are being recklessly conservative about data usage. They are failing to use data for new purposes that are acceptable to consumers because of fear of breaching regulations because they are often not defined enough.

With a lack of case law or regulatory guidance which would likely take years to develop, it would make sense to provide greater clarity and certainty for organisations about when and how they can use personal data. The consultation paper even suggests that the laws should better reflect the people’s views about how they expect their data should be used and when they should actively give their consent. Amen to that!

I do however have some concerns with how far these legal clarifications will go, especially in paragraph 54.b which is about when personal data may be re-used by a different controller than the original controller who collected the data, and whether this constitutes further processing. I fear Google DeepMind and NHS data all over again.

Legitimate Interests

Providing a limited, exhaustive statutory list of specific low-risk purposes for when Legitimate Interests can be applied by default would help address the consent paradox we see today, which ultimately leads to less control of personal data. It will reduce the burden on organisations as the balance test will not be necessary. However, for all activities not on the list the balance test would still be required.

The consultation paper reinforces the requirements to deliver transparency and meaningful control to individuals on how their data is processed. My response to these proposed changes for Legitimate Interest is that the processing activity must be clear to the individual and not buried in lengthy privacy notices and they must be given the chance to object, at the point of data collection, or have a simple mechanism to handle the objection at a later date.

AI and Machine Learning

The paper outlines a number of potential reforms to regulate AI and automated decisioning systems. This area is crying out for public consultation and the Government recognises it doesn’t have all the answers. Recognising that organisations developing and deploying AI tools responsibly would benefit from the freedom to experiment where it does not cause harm. The Government is considering how to develop a safe regulatory space for the responsible development, testing and training of AI.

The paper addresses Article 22 of the UK GDPR which contains specific provisions on automated individual decision-making and profiling. On the basis not all AI systems automatically trigger the application of 22, there is often confusion leading to a lack of innovation.

My read of the paper is that whilst the TIGRR report has recommended scrapping Article 22 the Government wants to work with stakeholders to ensure the decision is informed and safeguards individuals. This consultation paper is the perfect opportunity to provide that feedback.

My view is that whilst Article 22 is likely to be replaced, the fundamentals will remain - protect individuals, give better clarity to organisations on what can and can’t be done and ensure innovation in this exciting field delivers societal benefit.

Innovative Data Sharing Solutions

As a founder of a consent management and compliant data sharing solution it was pleasing to see the Government is keen to encourage innovation in the way data can be shared, and the growth it can bring, both economically and for society. This section invites views on the Government’s work to support innovative data sharing solutions whilst maintaining protections for individuals.

The topics covered include the role data intermediaries can play ensuring individuals’ rights are observed and respected, whilst also helping with the data stewardship of managing data collection, sharing, access and responsible use, all in an efficient manner.

The paper also addresses what lawful basis other than consent may be applicable to data intermediary activities. This is an area of debate I’ve often found myself in with fellow MyData Global members. I’m a fan of enabling data to be shared transparently for fair and lawful purposes, and not always using consent. If a consent only model is adopted the data set will undoubtedly be heavily biased and lacking in volume, limiting innovation and growth. Ensuring data subjects are aware of the value or social dividend their data is generating is key, whilst also having meaningful control of that data, will deliver the best outcomes for all.

Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people

This chapter is probably the one grabbing all the headlines, as the government is proposing substantial changes to the current accountability standards, which may lead to revoking existing obligations to perform data protection impact assessments (DPIAs), maintain records of processing, and appoint a data protection officer.

Reform of the Accountability Framework

Whilst the Government remains committed to high standards of data protection, the paper concludes that the current model of prescribing a series of activities leads to a box-ticking compliance regime and therefore proposes to place a new duty on controllers to implement a risk-based ‘privacy management programme’ (PMP).

A PMP would essentially be a form of compliance governance framework, which is intended to introduce a more ‘holistic’ and less rigid approach to accountability.

And this where the, if it looks like a duck, walks like a duck and quacks like a duck, it probably is a duck comes in. If small business owners think they no longer need to bother with data protection, the consultation paper suggests that the PMP would need to include, clear roles and responsibilities including who is designated as the responsible individual(s) for the privacy management programme and overseeing the organisation's data protection compliance. It goes on to say the designated individual(s) will also be responsible for representing the organisation to the ICO and data subjects where necessary.

Looks like a duck!

The PMP would need to include measures that include personal data inventories, internal data protection policies, risk assessment tools, procedures for communicating with data subjects about their data protection rights and the organisation's policies and processes, as well as plans to monitor, assess, review and revise the PMP.

Walks like a duck.

Whilst the requirement for a ROPA is being removed (well not really), I found when organisations were implementing GDPR in 2017/2018, they found the ROPA process extremely valuable in delivering efficiency and generating greater value from their data. The new requirements under a PMP would still require certain records be kept and Articles 13 and 14 of the UK GDPR will still require much of the same information to be recorded in privacy notices.

Quacks like a duck.

If a PMP makes it easier for a business to understand what is required, and can be certified just like an ISMS (ISO 27001), then I’m all for this approach, as it will mean more businesses adopt it, leading to a higher level of protection for individuals.

Business benefits for having high standards of data protection too - Cisco’s benchmark study in 2020 showed that over 70% of organisations receive significant business benefits from privacy such as operational efficiency, agility, and innovation.

Subject Access Requests

The Government are proposing to introduce a fee regime for subject access requests, primarily to reduce the burden on organisations. I did find conflict here with the proposal to reduce the burden on the ICO from the number of complaints they receive, by getting the data subject to take their complaint up directly with the organisation.

Personally, I’m against both these proposals as SARs keep organisations accountable, and complaints keep them on their toes. Making the general public aware when a complaint will and won’t be followed up, just like the proposal to better define when a reportable breach is not a reportable breach, is likely to deliver the same result, whilst allowing ‘free’ SARs to continue.

Privacy and electronic communications (mainly Cookies)

Removing the obligation under PECR to obtain consent for analytics cookies makes a lot of sense. Organisations can get back to better understanding how their website is performing, how individuals interacted with the site so better experiences can be delivered, is all good, subject to the correct safeguards being place. Analytics cookies added to the statutory list of Legitimate Interests is likely to be a good thing.

However, the Government is also considering the collection of information for other purposes that is necessary for the legitimate interests of the data controller, but only where the impact on the privacy of the individual is likely to be minimal. The paper does state that these options would not permit privacy-intrusive technologies such as micro-targeting, real-time bidding, and invasive tracking. Analytics cookies are easy to explain, everything else is vague and shouldn’t be considered.

Aligning the maximum fines for infringements of PECR (which are currently set at £500,000) with those under the GDPR, will certainly help maintain accountability.

One final point on PECR, and one for my charity friends who have often complained about the unfairness of not allowing charities to use the soft opt-in for email. The consultation paper proposes to extend the soft opt-in to organisations other than businesses where they have previously formed a relationship with the person. This feels like a big, potential win for charities.


In summary, this paper details a sensible set of proposals with the overarching goal of improving the UK GDPR and the protection of data subjects. It focuses on building trust and transparency to deliver better outcomes for individuals and society. Its driving towards a more pragmatic accountability framework which is likely to be adopted by more organisations.

These are only my opinions and comments on the paper, and I’m sure many people will have different views - we all have until 19th November to submit our comments and get our views heard. Data: a new direction

                              Have 20 minutes? Get in touch with one of our GDPR experts today:Book an appointment

Back to the top

About the author

J Cromack J Cromack
J Cromack

J is the Co-Founder of MyLife Digital, a consent and preference management business acquired by DataGuard in 2021, as well as founding member of MyData Global and DataIQ Privacy & Trust Champion 2020. J is an advocate of rethinking personal data to reinforce trust and the opportunities emerging from GDPR. He speaks regularly on the subject thanks to his pragmatic approach to data ethics, privacy and data protection. He articulates clearly how organisations can embrace the new regulatory landscape to deliver greater value and build trust with their consumers. In 2020, J was awarded DataIQ’s Privacy and Trust Champion award and is recognised by DataIQ as one of the top 100 most influential people in data-driven businesses and the innovators who support them.

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk