What is the purpose of the UK's data protection consultation?

The consultation aims to reform the UK's data protection laws, addressing the burdens on organizations and exploring new directions for data use and individual rights.

What are the major changes proposed regarding accountability?

The proposals include removing the requirement for organizations to appoint data protection officers and undertake data protection impact assessments, which the government believes will reduce burdens on many organizations.

How will individual rights be affected by the proposed reforms?

The reforms suggest introducing a cost limit for subject access requests and require data controllers to implement complaints procedures, which may streamline processes for individuals.

What changes are proposed for cookie consent regulations?

The government plans to amend the Privacy and Electronic Communications Regulations, reflecting recent Ministerial comments on cookie consents and aiming to simplify compliance.

What is the significance of international data transfers in the consultation?

The consultation emphasizes increasing the number of countries deemed 'adequate' for data transfers, which is crucial for maintaining compatibility with the EU's GDPR standards.

Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Technology

Data Protection Reform: Is It Really ‘a New Direction’?

Published by Jessica Weisman-Pitts

Posted on September 16, 2021

5 min read

Last updated: February 9, 2026

Add as preferred source on Google

Abstract digital background representing data protection reform in technology - Global Banking & Finance Review — An abstract digital background symbolizing the ongoing reforms in data protection laws in the UK, highlighting the intersection of technology and legal frameworks. This image relates to the discussion of 'Data: a new direction' in the context of data privacy and government strategies.

Data protection reform: is it really ‘a new direction’?

By Jon Belcher, specialist data protection lawyer at Excello Law,

On 10 September, the UK government launched its widely anticipated consultation on reforms to the UK’s data pr.otection laws. The consultation paper, titled ‘Data: a new direction’, runs to 146 pages and includes some significant proposals.

The last few years have seen plenty of changes to data protection rules. Since the EU’s General Data Protection Regulation came into effect in May 2018, we’ve had the impact of Brexit and the move to a revised domestic GDPR, as well as anxieties about international transfers and adequacy decisions. Whilst a period of consolidation would surely have been welcomed, it’s been clear for some time that wasn’t going to happen. Ministers have been talking up changes as part of the government’s data strategy and delivering a ‘Brexit dividend’, which has caused alarm among campaigners and privacy activist who fear a weakening of individual rights.

In reality, the proposals contained in the consultation are not quite as radical as either the government or its most vociferous critics would like you to believe. If they were adopted in full they would certainly ‘soften’ the law, but there’s to be no great bonfire of data protection law, with most of the basics staying firmly in place. This includes the data protection principles, the lawful bases for processing, (most of) the individual rights and the enforcement regime. A summary of the changes is set out below.

Accountability

The most eye-catching changes are reserved for accountability. Proposals include removing the requirements for organisations to appoint data protection officers, undertake data protection impact assessments and maintain records of processing activities. These would be replaced by more flexible ‘privacy management programmes’.

The press release accompanying the consultation states that “the government recognises that the current regime places disproportionate burdens on many organisations. For example, a small hairdressing business should not have the same data protection processes as a multimillion-pound tech firm”. This is a classic straw man. If the small hairdressing business really does have the same processes as the multimillion-pound tech firm, then it’s been very badly advised. Nevertheless, organisations large and small are likely to broadly welcome the shift towards an even more flexible approach and, in the face of yet more legislative changes, the knowledge and skills of data protection officers are likely to remain in demand.

Innovation and individual rights

Under the heading ‘reducing barriers to responsible innovation’, there are some welcome technical changes proposed that would make it easier for personal data to be used (and reused) for research purposes, a proposal to create a list of ‘legitimate interests’ and detailed proposals on the use of artificial intelligence and automated processing. This may or may not include removing the Article 22 rights in relation to automated decision-making. As AI technology continues to develop, it is right that the government takes a cautious approach to reforms in this area.

On individual rights, there are proposals to introduce a cost limit for subject access requests and to require controllers to put in place complaints procedures. These appear to echo the current freedom of information regime that will be familiar to public bodies. Controllers will certainly welcome the proposed cost limit, given the disproportionate amount of time and effort spent on a small number of such requests.

Cookies and direct marketing

Given recent Ministerial comments on cookie consents, it’s no surprise that the government intends to make amendments to the often-overlooked Privacy and Electronic Communications Regulations. Proposals include allowing more types of cookies to be set without consent, including for analytical purposes, and allowing charities and political parties to take advantage of the ‘soft opt-in’ to send direct marketing to existing contacts (or exempting politicians entirely from these rules in the name of democratic engagement). Whilst there is certainly an appetite for reform to cookie compliance rules, the prospect of more direct marketing from politicians may be considerably less popular. The consultation also includes a long-overdue proposal to bring penalties under the Regulations into line with the UK GDPR.

International data transfers

The consultation contains a whole chapter on international transfers. There is plenty of ambitious talk about increasing the number of countries that the UK assesses as ‘adequate’, to allow more international data transfers without restriction. Perhaps more significantly, the government intends to explore additional alternative transfer methods, for use where there are no adequacy regulations in place. There is little detail on how these might work in practice, although the proposal to allow organisations to determine their own transfer method appears to be a throwback to the position under the Data Protection Act 1998.

This is the chapter that is potentially of most interest to the European Commission, which will be looking closely at whether any new international transfer rules are compatible with the EU’s GDPR and therefore whether there is anything that may undermine the UK’s current adequacy decision with the EU.

Changes at the regulator

Lastly, the consultation contains changes to how the Information Commissioner’s Office is run and managed. The cumulative effect of the proposals is to give the government increased control over the ICO, for instance by setting regular strategic priorities and imposing additional duties. Rather than being the office of the post holder, the proposals envisage that the ICO will be led by an independent board and a CEO. It would be interesting to know the thoughts of John Edwards on these proposals. He was only announced as the government’s preferred nominee as the next Information Commissioner in August, and already the role looks set for a significant make-over.

The consultation will run until 19 November 2021. If you have any comments or would like to discuss how the changes might affect you, please get in touch.

Data Protection Reform: Is It Really ‘a New Direction’?

Data protection reform: is it really ‘a new direction’?

Frequently Asked Questions about Data protection reform: is it really ‘a new direction’?