The U.K. plans to create a “privacy management program”…

that will replace some GDPR requirements

The U.K. Ministry of Data Protection plans to remove the requirement to conduct Data Protection Impact Assessments (DPIAs), give companies more freedom on how to keep records of data processing activities (RoPA), remove the requirement to appoint a Data Protection Officer (DPO) – his obligations can be performed by a senior manager.

The approach to regulating cookies will also change. At first, cookies will be allowed to be used on websites and mobile devices without explicit consent for a small number of purposes (consent is always required now).

Then, the plan is to change the opt-in model to opt-out (instead of requiring the user to consent to the collection of cookies, they will have the right to refuse the collection of cookies), and to eliminate the requirement for banners about the collection of cookies on websites (except for websites that can be visited by children).

At a later stage, the DOI may eliminate the current cookie-collection regulation altogether and rely on browser-based and other automated technologies that allow users to control their online preferences.