The UK’s Data Protection Reform Consultation – Good News for Employers?

10 November 2021

On 10 September 2021 the UK Government launched a Consultation on proposed changes to data protection law with the aim to “create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards”.  The proposals are designed to build on the UK’s existing data protection regime (contained in the General Data Protection Regulation (as it applies in the UK post-Brexit) (UK GDPR) and the Data Protection Act 2018). 

The Consultation is open until 19 November 2021, after which the UK Government will consider the responses submitted and respond, probably in the form of legislation implementing changes.

The following proposals are of particular interest to employer organisations:

  • Permitting data controllers to charge a nominal fee for dealing with data subject access requests (DSARs) (i.e. requests by individuals to see a copy of their personal data processed by a company). This was previously permitted, until implementation of the GDPR.  The proposals also include introducing a costs ceiling whereby organisations would not need to respond to a DSAR to the extent that the cost exceeds a certain limit.  It may also be permissible for data controllers to refuse a DSAR on the grounds that it is a “vexatious request” that is likely to “cause a disproportionate or unjustifiable level of distress, disruption or irritation” when its context and history are taken into account.  These principles reflect the regime currently in place regarding access to information held by public bodies (under the Freedom of Information Act 2000) but the Consultation does not expressly state that the same cost ceilings and principles would be adopted under the new data protection rules.  The proposals aim to address the significant burden often faced by businesses in this area (responding to DSARs can be a very time-consuming exercise, taking up significant levels of resource) and, in particular, situations where a DSAR may be used by a potential claimant (a current or former employee, for example) for early disclosure in the context of a dispute.  We regularly see DSARs being used in this way.  Implementation of these proposals is therefore likely to be welcomed by most organisations.
  • Changing the UK’s approach to cross-border data transfers so that the focus, when considering the data protection rules of other jurisdictions (for the purposes of UK adequacy decisions), is a “risk-based” approach “focused on outcomes”, rather than on rigid comparisons of the text of respective legislation.  This will be of particular interest to US companies with a presence in the UK given the ruling of the European Court of Justice in 2020 invalidating the EU-US Privacy Shield adequacy arrangement.  The Government had listed the US as one of its priority destinations for adequacy arrangements and this is a first step towards its taking a more flexible approach on this matter.  Also with regard to cross-border transfers, the proposals include introducing an exemption in respect of “reverse transfers” (i.e. when personal data sent to the UK is being sent back to the country of origin).
  • Introducing a requirement for complainants to try to resolve their complaints with the data controller before making a complaint to the Information Commissioner’s Office (ICO) (the regulatory body responsible for monitoring and enforcing compliance with the UK’s data protection laws).  The aim of this is to reduce the burden on the ICO of dealing with complaints and the number of vexatious complaints.  To sit alongside this, a new requirement would be introduced on data controllers to have a simple and transparent complaints handling process to deal with data subject complaints.  The ICO would also be given the ability to decide not to investigate a given complaint based on certain criteria.  These proposals are likely to be welcomed by employers and would bring data privacy complaints in line with employment complaints, which must be raised as an internal grievance and also with ACAS before an employment tribunal claim can be filed.
  • Removing the requirement to carry out data protection impact assessments (DPIAs).  Article 35 of the UK GDPR requires organisations to undertake a data protection impact assessment for processing likely to result in a high risk to individuals (for example, where special category personal data (such as information about an individual’s health) is processed).  Breach of this obligation can result in enforcement action, including substantial fines.  The Consultation notes that organisations may identify other risk management practices which achieve the intended outcomes and therefore proposes to remove this requirement.  The removal of the requirement to carry out a DPIA should reduce the formalities and “red tape” organisations currently face.

Separately, but also of interest to employers, is the recently closed consultation by the ICO on proposed changes to its employment practices code, supplementary guidance and quick guide, which were produced pre-GDPR.  User-friendly and up to date materials from the ICO would be very welcome. 

The consequences of non-compliance

The ICO has the power, among other things, to investigate complaints of data protection law breaches and to issue significant fines for infringements of the UK GDPR.  Depending on the infringements in question, fines can amount to the higher of £17.5 million or 4% of an undertaking’s total worldwide annual turnover. Further, data privacy breaches can result in claims directly from workers.  The Consultation does not contain proposals to alter these penalties, which highlights that even if the UK’s data privacy regime for employers is streamlined, compliance will remain a high priority.  

What now?

The UK is preparing to set off on a new path in data protection and, although it is being driven by a desire for flexibility, it will also wish to retain its data adequacy agreement with the EU.  It will therefore be interesting to see how far any changes go in departing from the fundamental principles currently in force. 

In the meantime, employers should review their practices and procedures to ensure they are compliant with the rules currently in force.  The Consultation indicates that organisations which are compliant with the current UK data protection regime can expect to be compliant under the new regime.  We have seen a notable increase in data privacy claims and challenges against employers since the GDPR came into force. Employers should also ensure that their privacy notice accurately reflects the personal data collected on employees and the way in which that data is processed and stored, including in relation to health data as employers continue to address the challenges of the pandemic.

If you would like any further information or advice about the issues explored in this blog, please contact Andreas White or a member of our Employment team.

Andreas White is a partner in our employment team. He has substantial litigation experience, with a particular focus on complex and high-value employment and partnership disputes. Andreas has a particular interest in international and cross border employment law. He is a former president of the labour law commission of AIJA.