Following today’s announcement regarding the new data reform bill intended to allow the UK to deviate from EU privacy legislation, please see commentary below from Information Security Experts.
• “Those concerned that high data protection standards pose an impediment to innovation should consider that data adequacy offers huge efficiencies in terms of both resource and planning certainty for UK-based companies doing business in Europe. What will the innovation opportunity cost be if UK compliance teams are forced to spend years reworking data and data transfer policies as a result of losing adequacy with the EU? Just ask the US legal teams picking up the pieces in the aftermath of 2020’s Schrems II ruling – the uncertainty has been a significant drag on trans-Atlantic data-driven businesses.
• “Jeopardizing adequacy status could backfire for groups who see higher data protection standards as an impediment to innovation. In order to preserve data flows and promote collaboration, different jurisdictions need to be able to bridge their requirements for data processing.
• “It would be shortsighted to base a consequential shift in data protection standards on the high cost of compliance. Government and business must approach privacy and innovation as partners, not opponents. These tensions are not an indicator that the standards are at issue; rather, they are a signal that our means for achieving those standards should be revisited and improved.”
Given the current stalemate between the US and Europe over Schrems (ii), the UK would be unwise to deviate too far from the GDPR and risk losing its adequacy status.
It’s fair to say that while some white smoke has risen between Presidents Biden and Von der Leyen, an adequacy agreement between the two countries is likely a ways away.
Large Tech currently find themselves in the unenviable position of having to duplicate infrastructures already present in the US into Europe in order to process EU citizens’ data in line with GDPR, a fate that UK organisations are keen to avoid.
The proposed reforms to the UK’s data protection legislation, as announced today by Prince Charles in the Queen’s speech, represent a desire to break away from some of the more rigid obligations of the EU’s GDPR. But as other parts of the world increasingly implement GDPR-type frameworks, UK businesses need to ensure they maintain the means to comply with international laws, while benefiting from the ‘Brexit dividend’ the new UK reforms promise.
One way for businesses to successfully achieve a Brexit dividend from the reforms, while maintaining an international customer base, will be to have airtight data segmentation policies that enable them to compliantly manage data from divergent markets differently. This means being able to quickly identify where each customer is based, and implementing the relevant data controls in accordance with their local data protection laws.
The alternative is to decline international customers access to their products and services, which would likely have a significant impact on their bottom line, or continue to follow the GDPR rules to the letter for all customers and potentially lose out on the Brexit dividend altogether.
If the government does power ahead to relax UK data protection regulations, then without the right assurance in place, UK businesses may face an uphill struggle to manage international customer expectations, particularly when such customers are increasingly wary of the consequences of non-compliance in terms of legal, financial and reputational damage.
Data-driven innovation has the potential to transform the way we live and work. For it to succeed, it is essential that innovators develop their products and services within a framework that allows individuals to trust that their personal data will be used in their best interests and that they will be protected from harm. If the UK can create a flexible data protection environment that supports innovators, it could be hugely beneficial for UK PLC.
However, there are many challenges to overcome in order to achieve this goal and it will be some time before any changes start to take effect. Until then, organisations must continue to meet their GDPR obligations – and those that take data privacy seriously today are likely to be best placed to realise the benefits of future reform.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.