Why does the UK government want to replace GDPR with the Data Reform Bill?


On leaving the European Union (EU), the UK government integrated core pieces of legislation, including the General Data Protection Regulation (GDPR), into British law. Significant changes to the data protection regime, however, are on the cards, with the newly announced Data Reform Bill set to begin its journey through parliament as the government sets its sights on replacing GDPR.

This cements the government’s long-standing intent to move away from the EU’s data protection regime, now the UK has left the EU. Instead, the UK will embrace a framework which Downing Street says will ‘promote innovation’ and slash the reams of red tape often associated with implementing the regulations.

Do claims around GDPR being too overbearing, inflexible and discouraging to research stand up to scrutiny, though? If the government’s to be believed, the Data Reform Bill will usher in a new age of data-powered innovation, with regulatory costs and bureaucracy involved with GDPR compliance slashed for businesses up and down the country.

The Data Reform Bill might mitigate risk aversion

“The Data Reform Bill demonstrates that the UK government recognises the power of the data in the digital economy, for which an appropriately clear and effective regulatory regime is required to enable innovation for new technologies,” Gita Shivarattan, UK head of data protection law services at Ernst & Young, tells IT Pro.

Shivarattan continues: “At present, there is a view that the current GDPR legislation has created a culture of ‘risk aversion’ within businesses due to uncertainty around enforcement risk, leading to an overly cautious approach to leveraging personal data (whether through data collection or reuse) where they might legally be able to, such as in research and development (R&D).”

How data flows across borders is protected as a component of GDPR, but the EU has been slow to sign data transfer agreements with states across central Europe. This has led to most businesses erring on the side of caution and applying GDPR with little flexibility. In turn, it often led to issues in terms of commercial data exchange between large and small enterprises, impeding their growth and abilities to deliver digital services to their customers.

The government’s plans with regards to GDPR also coincide with its newly announced digital strategy, which aims to set the UK on the path to becoming a global tech superpower. Taken hand-in-hand, the government seems adamant on redrawing the digital legislative fabric that powers UK businesses, erring more towards deregulation and cutting bureaucracy that the EU, for many, embodied. This appetite for change notwithstanding, the government must also reckon with the inevitable friction with the EU that such moves will cause.

Ditching GDPR might risk data adequacy

The risk with the forthcoming Data Reform Bill is it’ll water down standards too far. The challenge for the Department for Digital, Culture, Media and Sport (DCMS) is devising reforms that maintain the high standards in safeguarding personal data, yet instil confidence in businesses to use data to innovate. There’s also the question of whether any reforms could jeopardise the UK’s current data adequacy status with the EU; the last thing businesses want is a halt to the flow of data across borders.

Can the stated drive to enhance the development of artificial intelligence (AI), the UK's general compute capability, and the need to protect digital privacy ever be satisfactorily reconciled into legislation that drives business and supports privacy for everyone's personal data? Amending, or removing, Article 22 of GDPR could be problematic for the UK’s data adequacy, for example, as it considers how data and automated systems should operate together to protect data privacy. The UK’s proposed reforms would lift the prohibition on ‘solely’ automated decision making, and instead clarify a right to specific safeguards where AI-powered systems are used without human oversight.

With the UK’s data adequacy status expiring in 2025, any significant divergence from Article 22 may mean that, by the time renewal comes along, the EU feels the UK has moved too far away from the track and more towards an Americanised view on data protection and data-powered innovation.

Speaking to IT Pro, Elizabeth Schweyen, senior manager of global privacy and compliance at Druva, wonders what a future data exchange between the UK and EU could look like: “It will be interesting to see the long-term implications in the event the UK is no longer seen as ‘adequate’ by the EU, thus gaining restrictions with the flow of data between the EU-UK that aren’t currently there.”

GDPR is already at risk of becoming out-of-date

The incoming Information Commissioner John Edwards has the task of realising much of the government's plans to overhaul the regulations that govern digital services and how data is collected, stored, manipulated, and exchanged.

“GDPR is often cited as the strongest and most comprehensive data protection law in the world and in history, yet four years on there are still massive question marks over how successful it’s been,” James Walker, CEO of Rightly, a consumer data action service, tells IT Pro.

“We’re still seeing businesses exploiting loopholes in GDPR,” Walker continues, “and when companies are found to be in breach of these laws, the industry regulator – the Information Commissioner’s Office (ICO) – has been largely toothless in taking any action.”

Nevertheless, the government has instead taken issue with the perceived overbearing nature of the ICO in its approach to enforcement action, which has fuelled major organisational reforms. Ministers will also have oversight over the statutory codes the ICO devises to enforce policies across the industry.

Since GDPR came into force, at times it’s felt as if the EU’s rules were in danger of becoming antiquated. Those officiating GDPR have also had to contend with a rapidly changing technology space. AI, the Internet of Things (IoT), 5G uptake and quantum computing are all expanding.

It's too early to assess whether the reforms will achieve what the government has set out to do, largely because its diagnosis of GDPR may not hold up. Nevertheless, should the reforms work, UK businesses could find themselves enjoying a landscape in which costs will come down and there’ll be fewer hoops to jump through, all while the same standard of data protection is maintained.

As Druva’s Elizabeth Schweyen concludes, reform of regulations needs to tread carefully: “Given the pace that technology is advancing, it doesn’t hurt to take a look at GDPR to understand the areas that may not have been considered when the law was passed in 2016 and add in provisions to protect and account for emerging technologies. However, I do not think the time is right to loosen data protection requirements.”

The flexibility the government refers to when discussing GDPR reforms has yet to be fully defined. Indeed, some aspects of GDPR in its current form could be described as restrictive to business innovation. Any reforms must tread carefully to ensure consumer confidence is maintained in how the data they provide is a fair exchange for the products or services they want to buy or access.

The UK wants to reform its data protection regime post-Brexit, but it still needs to maintain a relationship – and data adequacy – with the EU. Businesses will hope that any new measures introduced with the Data Reform Bill will pose a net benefit, and refrain from setting the UK on a direct collision course with EU lawmakers.

David Howell

David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.

Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.

His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.