The UK government published its proposals for reforming data protection and privacy law on 10 September, 2021. If even a significant fraction of these reforms are passed, the UK’s data protection and privacy regime could radically change.

These proposals are part of a consultation process concerning amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

I’ve identified 74 potential reforms that could result from this consultation process. Some of these potential reforms are framed as “proposals.” In other cases, the government is “considering” or “exploring” these reforms. The public is asked to contribute its views in each case.

There is a lot of additional context behind my summary of each of these points. Some of the accompanying legal analysis is very detailed. I have labelled each point with its corresponding paragraph number in the document. Please read the relevant sections of the proposals in full before jumping to conclusions. 

I strongly encourage any who understands data protection to contribute to the consultation. There are details on how to do this within the document containing the proposals.

Research purposes

  1. Consolidating the UK GDPR and DPA 2018’s research provisions so they exist in the same section of the law (40).

  2. Creating a definition of “scientific research” (42).

  3. Either:

    1. Clarifying when universities can rely on “public task” for conducting research (44a), or

    2. Creating a new legal basis for research (44b).

  4. Clarifying (in the articles) that data subjects can give “broad consent” for scientific research where the purpose of processing is unclear at the time of collection (48).

  5. Stating explicitly that further use of data for research purposes is always compatible with the original purpose and has a legal basis (48).

  6. Extending the exemption under Article 14(5)(b). This exemption allows controllers who have obtained personal data indirectly to forgo providing transparency information if it would involve “disproportionate effort” to do so. This provision would be replicated in Article 13, so as to extend the exemption to controllers conducting scientific research who have obtained personal data directly (50).

Further processing

  1. Clarifying that further processing for an incompatible purpose may be permitted when such further processing “safeguards an important public interest” (54a)

  2. Clarifying when further processing may be undertaken by a new controller (54b).

  3. Clarifying that incompatible further processing may be permitted when it “is based on a law that safeguards an important public interest” (54c).

Legitimate interests

  1. Creating a list of legitimate interests for which organisations can process personal data without conducting the “balancing test” (60).

Artificial intelligence

  1. Adding “bias monitoring, detection and correction in relation to AI systems” to the list of legitimate interests for which a balancing test is not required (90).

  2. Either:

    1. Clarifying that Paragraph 8, Schedule 1 of the DPA 2018—which permits the use of specific types of special category data for equalities monitoring—can be used for “bias monitoring, detection and correction in relation to AI systems” (91a), or

    2. Creating a new condition within Schedule 1 of the DPA 2018 which addresses the use of specific types of special category data for “bias monitoring, detection and correction in relation to AI systems” (91b).

  3. Removing Article 22 of the UK GDPR, which grants data subjects the right not to be subject to solely automated processing with legal or similarly significant effects (101).

Data minimisation and anonymisation

  1. Either:

    1. Transferring Recital 26—which describes the conditions under which previously personal data can be considered anonymous—into the articles of the UK GDPR (121a), or

    2. Creating a statutory test for data anonymity, based on the wording of the Explanatory Report that accompanies Convention 108+ (121b).

  2. Creating legislation that defines the anonymity of data relative to the means available to the controller to re-identify the data (123).

Innovative data sharing solutions

  1. Creating a code of conduct or accreditation scheme for data intermediaries (137).

Reform of the accountability framework

  1. Implementing a “more flexible and risk-based” accountability framework based on “privacy management programmes” (147). If the government pursues the “privacy management programme” proposal, the following proposals would also be considered:

    1. Introducing a “voluntary undertakings process” based on Singapore’s Active Enforcement regime (149 and 181).

    2. Removing the requirement to appoint a data protection officer, and replacing it with a requirement to designate an individual or group of individuals to oversee data protection compliance within an organisation (163).

    3. Removing the requirement to conduct a data protection impact assessment (167).

    4. Removing the requirement to contact the ICO before conducting processing that creates a high risk to data subjects that cannot be mitigated (172).

    5. Removing the “record of processing activities” requirements imposed by Article 30 of the UK GDPR (177).

    6. Changing the threshold for reporting a data breach, so that organisations do not need to report a breach to the ICO if the impact is “not material” (180).

  2. If the government does not pursue the “privacy management programme” proposal (147), it would also not pursue its proposals on data protection impact assessments (167), prior consultation (172), and voluntary undertakings (181) (184a). However, in such a case, the government would propose the following:

    1. Amending the data breach reporting threshold (per 180) (184b).

    2. Amending the “record of processing activities” requirements imposed by Article 30 of the UK GDPR—without removing them entirely—to ensure that there is no need for organisations to duplicate record-keeping requirements already imposed by Article 13 and 14 (184c).

    3. Removing the requirement for all public authorities to appoint a data protection officer, and instead either:

      1. Allowing organisations to take the same approach as other organisations to determine whether they need to appoint a data protection officer (184d. V. i.), or

      2. Specifying that only public authorities meeting certain criteria must appoint a data protection officer (184d. V. ii.).

  3. Introducing fees for subject access requests (188).

Privacy and electronic communications

  1. Either:

    1. Permitting organisations to use “analytics cookies and similar technologies” without consent (198), or

    2. Permitting organisations to store information on, or collect information from, a user’s device without consent for certain limited purposes, including detecting technical faults and enabling use of video (200).

  2. Extending the “soft opt-in” to organisations operating in certain non-commercial contexts (210).

  3. Increasing the maximum fines available under PECR to match those available under the UK GDPR (216-218).

Use of personal data for the purposes of democratic engagement 

  1. Either

    1. Exempting political communications from the PECR provisions on “direct marketing,” and recognising that Articles 6 and 9 of the UK GDPR provide a legal basis for political parties and representatives to process personal data under certain conditions (221), or

    2. Extending the “soft opt-in” to organisations sending political communications (223).


  1. Expanding the list of jurisdictions recognised as “adequate” (237).

  2. Ensuring that the list of “adequate” jurisdictions adopted under the current data protection regime remains valid under any future regime (238).

  3. Approaching adequacy assessments with a focus on “risk-based decision-making and outcomes” (242).

  4. Relaxing the requirement to review adequacy decisions every four years (250).

  5. Amending the UK GDPR to state that both effective administrative and judicial remedies can be acceptable redress mechanisms in adequate jurisdictions (254).

Alternative transfer mechanisms

  1. Amending the UK GDPR to facilitate “more detailed, practical support” for organisations assessing risk in the context of international transfers (257a).

  2. Exploring amendments to the international transfers regime to give organisations greater flexibility over their use of transfer mechanisms (257b).

  3. “Reinforcing” the importance of proportionality when using international transfer mechanisms (259).

  4. Exempting “reverse transfers” (where personal data imported from a third country is then exported back to the third country) from the scope of the UK GDPR’s international transfer regime (260).

  5. Empowering organisations to create or identify their own international transfer mechanisms (261).

  6. Creating a new power for the Secretary of State to formally recognise new transfer mechanisms (265).

Certification schemes

  1. Modifying the certification scheme framework to provide for a “more globally interoperable market-driven system” that “better supports the use of certifications” as an international transfer mechanism (266).

  2. Allowing certification to be provided for via the privacy management programme (267).

  3. Clarifying that non-UK based certification bodies can be accredited to run UK-approved international transfer schemes (268).


  1. Making explicit that the “repetitive use of derogations” is permitted (270).

Use of personal data in the COVID-19 pandemic

  1. Clarifying that private companies, organisations, and individuals who have been asked to process personal data on behalf of a public body may rely on the lawful basis of “public task” and do not need to identify a separate legal basis (282).

  2. Clarifying that that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies (286).

Building trust and transparency

  1. Introducing transparency requirements for public bodies and government contractors that use algorithms in decision-making (290).

  2. Amending Schedule of the DPA 2018 to provide for more situations in which organisations can process special category data (293).

  3. Either:

    1. Creating a definition of “substantial public interest (296), or

    2. Adding to the list of specific situations that constitute “substantial public interest” in Schedule 1 of the DPA 2018.

  4. “Streamlining and clarifying” rules on the collection, use and retention of data for biometrics by the police (301).

  5. Clarifying the legislation to support joint operational activity between law enforcement and national security partners (306).

Strategy, objectives and duties (ICO reform)

  1. Creating a new statutory framework setting out the ICO’s strategic objectives and duties (321).

  2. Empowering the Secrtary of State for DCMS to prepare a statement of strategic priorities for the ICO (322, 345).

  3. Introducing a new overarching objective for the ICO that includes “upholding data rights” and “encouraging trustworthy and responsible data use” (325).

  4. Requiring the ICO to “have regard for economic growth and innovation” (329).

  5. Requiring the ICO to “have regard for competition” (335).

  6. Requiring the ICO to cooperate and consult with other regulators (338).

  7. Establishing a new information sharing gateway for regulators (339).

  8. Requiring the ICO to “have regard for public safety” (343).

  9. Asking the ICO to “deliver a more transparent and structured international strategy” (348).

  10. Requiring the ICO to consider the government’s wider international priorities when conducting its own international activities (349). 

Governance model and leadership (ICO reform)

  1. Establishing an independent board and CEO of the ICO (353).

  2. Attaching the title of “Information Commissioner” to the chair of the ICO’s board (356).

  3. Appointing the chair of the ICO’s board by the same method as exists for appointing the Information Commissioner under the DPA 2018 (358).

  4. Appointing the non-executive members of the ICO’s board and its CEO via the same public appointments process as the Information Commissioner (359).

  5. Removing the requiring for parliamentary approval when setting the Information Commissioner’s salary. Allowing the Secretary of State for DCMS to set the Information Commissioner’s salary with approval from the Treasury (362).

Accountability and transparency (ICO reform)

  1. Requiring the ICO to publish key performance indicators (366).

  2. Requiring the ICO to publish the “key strategies and processes that guide its work” (371).

  3. Empowering the Secretary of State for DCMS to initiate an independent review of the ICO’s performance (373).

Codes of practice and guidance (ICO reform) 

  1. Requiring the ICO to undertake and publish impact assessments and conduct “enhanced consultation” when when developing codes of practice and complex or novel guidance (376).

  2. Empowering the Secretary of State for DCMS to require the ICO to set up a panel of people with relevant expertise when developing codes of practice and complex or novel guidance (379).

  3. Empowering the Secretary of State for DCMS to approve codes of practice and complex or novel guidance (380).

Complaints (ICO reform)

  1. Requiring any data subject to attempt to resolve their issue with an organisation before lodging a complaint with the ICO (384).

  2. Introducing criteria by which the ICO can decide not to investigate a complaint (387). 

Enforcement powers (ICO reform)

  1. Empower the ICO to “commission an independently-produced technical report” to inform its investigations (394).

  2. Empower the ICO to compel witnesses to interview in the course of an investigation (399).

  3. Increase the statutory deadline by which the ICO must issue a final penalty notice from 6 to 12 months (405).

  4. Introducing a “stop-the-clock” mechanism to enable the ICO to further increase the statutory deadline where necessary under certain conditions (406).

  5. Requiring the ICO to set out a timeline to the data controller at the beginning of an investigation (408).

Biometrics Commissioner and Surveillance Camera Commissioner (ICO reform)

  1. Absorbing the roles of  Biometrics Commissioner and Surveillance Camera Commissioner into the ICO (410).

Want to know more about the UK’s direction on data protection?

PrivSec New Normal is an upcoming in-person event on 16 November 2021. 

We’ll be exploring how data protection, privacy, and security have been affected by COVID-19—and considering how the UK will proceed with its post-Brexit data protection reforms.

Save your seat for PrivSec New Normal, 16 November 2021.