UK Proposed Changes to GDPR: How They Could Affect You



Since the UK left the EU, many laws have been changing, including the application of GDPR. The General Data Protection Regulation is an act that enshrines data privacy rights and regulates freedom of information. Recently, the UK Government has proposed some changes to GDPR that have given the cybersecurity and data privacy communities pause for thought. This article explains how the proposed changes to GDPR could affect you.

GDPR: What the UK Government is Changing

In a report published September 9th, the UK Government outlined proposed changes to GDPR since leaving the EU. In their proposal, ministers set out several fundamental changes to how GDPR keeps people and their data safe.

One of the broadest changes is to the legal ground for companies to use customers’ data. This new regulation gives companies a legal right to use data if it’s “aimed at improving services for customers.” The Government also plans a similar relaxation of data privacy protection in the name of AI research.

Another of the most worrying changes is to freedom of information. Under current regulations, anyone can make a freedom of information request for free. However, the UK Government proposed a new nominal fee when performing a data request.

[Image: GDPR Changes Consultation] Despite these claims, many of the proposed changes outlined in this document are incredibly worrying for cybersecurity professionals. | Source: Gov UK

The UK government has also proposed taking more control over the Information Commissioner’s Office. The ICO is a non-government public body that deals with data protection and privacy matters. Under new proposals, the Government would also exercise tighter controls over this body, including setting the ICO’s agenda and controlling the ICO’s pay.

The Government is proposing removing accountability requirements for companies, meaning they can destroy evidence of wrongdoing. These requirements will instead be replaced with the need to provide “privacy training.”

Perhaps most worryingly, companies will no longer need to report data breaches unless they cause material damage. Effectively, this means companies won’t need to report a breach unless it will cost the victim money or damage their assets somehow.

The Danger of These Changes to GDPR

It may be challenging to understand the danger that some of these changes pose. The consultation document that outlines these changes is long and filled with jargon, making it harder for ordinary people to understand. Below, we’ve outlined some of the dangers these new changes could pose to everyday people.

Legal Ground to Use Data for Improvement of Services

[Image: GDPR - Improving Services] Hidden at the bottom of a section about general processing activities, free rein over data in the name of improving services is a worrying idea. | Source: Gov UK

While the proposal’s wording makes this sound like a good thing, relaxing data protection on the grounds of improving services is a hazardous idea. In general, a company should not be given more control over your private information than is necessary for any reason.

The main goal of any good company is to make money. At times, that goal can conflict with the best interests of their customers or users. The way that the Government has worded this proposed change is very broad. It could easily lead to companies having free rein to use your data to track you in the name of providing a better service.

AI Research

Another proposed change relates to AI research. According to the Government, they want to deregulate private data in AI research to ensure the country remains at the forefront of the field. Once again, the writer of this consultation document has worded the proposal in a way that sounds reasonable.

The problem is that, once again, the wording of this section is far too broad. Giving free rein over private data to AI research companies could lead to AI that knows a dangerous amount about the UK public. Even worse, when combined with the general deregulation of accountability, these AI companies could use the data with minimal scrutiny from the Government or non-government bodies like the ICO.

Fees for Freedom of Information Requests

[Image: GDPR - Fee for FOI Requests] If the Government starts charging fees for FOI requests, low-income families could be at a considerable disadvantage. | Source: Gov UK

Freedom of information requests are an essential part of data security in the modern era. Anyone can submit a request to a company or government body to find out what information is being kept, either about them or about a particular subject.

The idea of charging a nominal fee for such requests is incredibly dangerous. This change could mean that low-income individuals are unable, or unwilling, to make such a request. If a family has to choose between eating and requesting data that a company is keeping about them, they’re typically going to prioritize food.

In a world where you have to pay for information, the wealthy are at an advantage in terms of privacy.

More Control of ICO

Tighter governmental control over the ICO will have an indirect effect on the lives of many everyday people. Currently, the ICO is a significant body when it comes to data protection. You can submit complaints about companies or other bodies that have misused your data, and be sure the ICO takes care of them in an impartial manner.

With tighter control over the ICO, it becomes possible for the Government to put pressure on the body in specific directions. For example, the Government could prevent the ICO from acting on complaints against larger companies with government contracts. They could also fundamentally change how the ICO functions, reducing overall data protection for the public.

Accountability and Data Breach Reporting

[Image: GDPR - Breach Reporting] Reducing reporting of data breaches is incredibly dangerous as they become even more prevalent. | Source: Gov UK

This is one of the more easily explained dangers in the new proposed changes. Removing regulations surrounding a company’s accountability makes it much more likely for companies to get away with data privacy violations. If a company can get away with violations more often, it is more likely to commit these violations in the first place.

Even worse, the new data breach reporting proposal puts people in genuine danger. Data breaches are on the rise, as we’ve reported many times before. The most significant threat these breaches pose is when a company fails to report them to its customers. Under these new laws, companies would only have to report a breach if it cost customers money or damaged their assets.

This means that if hackers gain access to your address, phone number, or other non-banking private information, the company doesn’t even have to tell you it happened. This lack of open communication between a company and its customers could lead to mass distrust. Regular people wouldn’t know which companies are looking after their data correctly and which aren’t.

What You Can Do About These Changes

You can take some steps to protect yourself from the worst elements of these changes to GDPR. Firstly, you should give as little information as possible to companies from now on. If you’ve already handed out a lot of personal data, request that companies delete it before these measures come into place.

Secondly, consider writing to your MP. Currently, these changes are only proposals in a consultation document. With enough public outcry, these changes could be stopped before they happen. Use this form to find your local MP and email them about these proposals and why you’re not happy with them.

Finally, you should start to think more carefully about your data security. Invest in one of our comprehensive security audits and see how much of your data is out there and how safe it is. You may also want to consider a digital protection plan to keep you safe in the future.