Data Reform Bill

The key points behind the UK data reform bill. Do the changes affect you?

Data Reform Bill 2022

On May 10th 2022, the UK Government announced a new Data Reform Bill in the Queen’s Speech, intending to reform the UK’s Data Protection Act. If you are a UK business owner, you may be wondering:

  • How will these reforms affect my business?
  • What changes will I need to make?
  • What advantages will the Data Reform Bill offer my business?

Whatever concerns and questions you may have, we remain committed to providing you with the up-to-date information that you need to remain compliant and informed.

“depending on the circumstances of your business, you may be able to take advantage of the proposed changes in the Data Reform Bill for greater flexibility…”

Data Reform Bill Explained

The UK government has described the EU’s GDPR as “highly complex”, stating that it has held back businesses from using data effectively due to “red tape and pointless paperwork”. The new Data Reform Bill changes are intended to create more clarity around data protection and make it easier for businesses and researchers to use data within a “risk-based accountability framework”.

Changes to the UK’s Privacy and Electronic Communications Regulations (PECR) such as allowing charities and ‘not for profits’ to use analytics cookies without consent as well as permitting ‘soft opt-in’ – electronic marketing for existing customers. The government intends to allow cookies to be used without explicit consent for ‘non-intrusive purposes’. This will include cookies and technologies which allow businesses to measure web traffic and improve service to users. Political representatives will also be able to contact individuals who have expressed interest, for example by making a donation to the political party, as long as they have been provided the chance to refuse such contact when initially giving their details.

DCMS Data Reform Bill

The Department for Digital, Culture, Media and Sport (DCMS) published a response to the Data Reform Bill consultation indicating several changes expected in the GDPR landscape. The DCMS secretary Nadine Dorries stated: “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retain our global gold standard for data protection.”

Data Reform Bill Key Points

There is still some time to go before the intended Data Reform Bill changes will take effect, as the full details will be subject to the scrutiny of Parliament. The details revealed by the UK government in the Queen’s Speech, however, indicate an intention to take advantage of a post-Brexit UK to create less rigid and onerous data protection laws and allow more flexibility. Some key points include:

Fewer obstacles and burdens on UK businesses

Some compliance burdens could be removed, which could especially benefit small businesses whose operations are based solely in the UK. The new Data Reform Bill UK should give businesses more flexibility in how they manage data risks, removing the need for certain organisations to have a data protection officer (DPO) where the risks are low. Businesses will still be required to identify and manage risks across their organisation, but will not need to undertake Data Protection Impact Assessments (DPIAs) or report data breaches when individual risk is not material. Organisations will no longer need to adhere to the requirements of Article 30, UK GDPR.

Data Reform Bill Cookies

The new data reform bill may lead to the end of the ‘box-ticking exercise’ of seeking explicit consent for specific purposes. A new ‘opt-out’ model should allow users to set their online cookie preferences to automatically opt-out, thus reducing the need to deal with consent banners/cookie pop-ups on each website visited. This will mean internet users will be able to control how their data is used via their browser settings rather than having to click to ‘opt-in’ to cookie collection each time they visit a new website.

Greater clarity for scientists and researchers

The new Data Reform Bill should more clearly define the bounds of scientific research and inform researchers on when they do, and don’t, need to obtain explicit consent to collect and use data for research. This should help researchers to obtain consent for data to be used for broad purposes, for example general cancer research rather than studies of specific cancer types.

Data Reform Bill ICO

Under the proposed new reforms, The Information Commissioner’s Office (ICO) would have clearer objectives, taking into account business competition and innovation, with more accountability to Parliament, when making judgements. The UK data regulator will be reorganised to have a chair, chief executive, and a board. Considerations such as economic growth will factor into decisions, rather than going purely by the letter of the law. Parliament would be able to overrule judgements made by the ICO. The government press release on 17th June 2022 has more information regarding the Data Reform Bill

PECR fines

The maximum fine under the Privacy and Electronic Communications Regulations (PECR) is currently £500,000 – the government intends to increase PECR fines up to a cap of £17.5m or 4% of a business’s global turnover.

Data Reform Bill concerns

One of the main Data Reform Bill GDPR concerns is the question of adequacy. The European Commission granted the UK adequacy, which permits personal data to flow from the EEA to the UK, but the EC stated its intent to keep this decision under review. Any major changes caused by the Data Reform Bill could result in adequacy being revoked. This could cause significant problems for businesses which rely on trading with the EU and need to comply with the EU GDPR. The UK government has responded to these concerns by saying “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

AI automated decision making

Another major concern was the issue of automated profiling. The majority of consultation respondents opposed the proposal to amend Article 22 and it was confirmed that the right to human oversight was an essential safeguard. There will be an upcoming white paper on AI governance.

Data Reform Bill Summary

GDPR has long been recognised as the global standard, but the UK government has argued that the current rules place a disproportionate stress on smaller businesses. The new Data Reform Bill is intended to ease the burden on micro-businesses and allow innovation and growth through a more simple and clear system of data protection. Some key changes include:

  • Removed requirement to appoint a Data Protection Officer
  • DPIAs no longer required
  • Article 30 requirements no longer necessary
  • Greater clarity on when explicit data consent is or isn’t needed
  • Fewer annoying consent pop-ups for web users
  • Web users to be able to automatically opt-in via browser settings
  • Reorganised ICO with more responsibilities
  • Increased PECR fines up to 4% of turnover

The government has estimated that over £1 billion will be saved by businesses over the next ten years due to reduced GDPR burdens, based on an analysis by the Department for Digital, Culture, Media and Sport (DCMS).

Businesses that are already compliant with the current UK GDPR won’t necessarily need to make any major changes and can continue to use DPIAs but tailor them to their particular processing requirements.

Reducing some compliance burdens from small businesses could be beneficial, especially if you are a micro-business with operations limited to the UK. For larger operations that deal with the EU, you may not wish to significantly change the way you currently obtain and process data – the GDPR remains the global standard for data protection and recognised compliance. However, depending on the circumstances of your business, you may be able to take advantage of the proposed changes in the Data Reform Bill for greater flexibility that the new legislature will allow.

How can I utilise the new reform in my business?

We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.
  • We handle the complete scope of any data privacy requirement


As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”


When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

Security Icon

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.


Is your marketing activity legal? We can make sure it is.