Proposed changes to the UK GDPR: what production needs to know

The UK GDPR is back in the spotlight, with the government proposing various changes in order to create an “ambitious, pro-growth and innovation friendly data protection regime that underpins the trustworthy use of data.”

The consultation paper is lengthy and covers a broad range of topics. Here, we break down some of the key changes for production.

Anonymous data

The government has acknowledged that there are economic and societal benefits to making data more available. It’s therefore proposing to introduce a clearer test for determining when data is considered “anonymous.”

As production companies are generally advised to use anonymised equality monitoring forms to capture data on the diversity of their productions, more clarity around what constitutes anonymous data will likely be welcome.

Data subject access requests

In recent years, there’s been an increase in the number of data subject access requests, and responding to one can be time-consuming and expensive. As such, the government is considering:

  • Introducing a fee regime for data subjects who wish to access their data.

  • Lowering the threshold for when companies can refuse to comply with a request.

Data protection officers

Another proposed change is the removal of the requirement to appoint a data protection officer and the strict requirements which apply once you’ve done so. However, companies aren’t really off the hook, as they’d have to designate a “suitable individual” to be responsible for their privacy management programme and oversee their data protection compliance.

Lawful basis

The government is considering revising the requirements and scope of certain “lawful bases” for processing personal data (you must have a lawful basis whenever you process personal data). The revisions include introducing a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test.


So that the Information Commissioner’s Office (ICO) can focus on “more serious threats to public trust and inappropriate barriers to responsible data use,” it’s proposed that data controllers be required to have a clear and transparent complaints process in place.

In turn, data subjects would have to try to resolve a complaint directly with the relevant data controller before going to the ICO.

Breach reporting

Under Article 33(1) of the UK GDPR, companies have to inform the ICO of a data breach “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” As part of the consultation, the government is proposing changing this requirement so that a breach must be reported “unless the risk to individuals is not material.”

What constitutes “not material” may still be unclear, so it will be important to keep up with ICO guidance if this change takes effect.

Data protection impact assessments

Under Article 35 of the UK GDPR, companies have to undertake a data protection impact assessment for any processing which is likely to result in a high risk to individuals. It’s now proposed that this requirement be removed so that companies can adopt different approaches to identify and minimise data protection risks that “better reflect their specific circumstances.”

Records of processing activities

Currently, companies have to maintain a record of processing activities unless an exemption applies. As this requirement creates large amounts of paperwork, largely duplicates information required under other data protection obligations and imposes the same record-keeping requirements on all organisations (regardless of the volume and sensitivity of personal data handled), the government is proposing giving organisations more flexibility about how to record what personal data they handle (taking into account the types and nature of data processing).

What’s next?

The consultation remains open until 19 November. It’s important to stay up to date with the consultation as the final outcome is unclear.

Reduce your risk with our free webinar

Although the UK GDPR remains in the spotlight, compliance doesn’t have to be daunting. To mitigate your risk and learn best practices for handling data, attend our free webinar “UK GDPR for production: compliance Q&A with Sheridans.”

Hosted by POP and Sheridans, this session will cover:

  • The proposed changes to the UK GDPR and the implications for production.

  • The requirements for capturing special category data on your production (eg, health declarations, vaccine passports and diversity data).

  • How to simplify compliance and secure project data across your production with POP.

You can be confident in your GDPR compliance. Register now to learn how.

When: Thursday 28 October, 10–10.45am BST

Register your spot

Krishan Neelendra, Sheridans, contributed to this article.
