The words data protection and excitement may rarely be seen in the same sentence, but, like it or not, it is a crucial part of the data business. With this in mind, Data Protection Day, which commemorates the signing of the first legally-binding international privacy treaty, has been a key date in the diary for over a decade.
Falling on January 28, this year's event focuses on respecting privacy, securing data and enabling trust. And who better to ask about the current state of the market than two leading data protection lawyers?
Adam Rose, a partner and data protection lead at Mishcon de Reya LLP, and Robert Bond, a partner and notary public at Charles Russell Speechlys LLP, test the temperature of data protection worldwide and discuss how recent political upheavels on both sides of the Atlantic will shape future policy.
So, is data protection being seen as a hindrance to business or a chance for them to prove to customers that their data is safe with them? Bond reckons that this year's three tenets - respecting privacy, securing data and enabling trust - are critical actions for businesses that wish to succeed in the forthcoming years because regulators are focusing more on businesses that make no attempt to comply or have little information security in place, and customers are expecting more of businesses and governments in relation to their personal data and its appropriate use.
He adds: "Businesses that comply with international data protection laws will use their compliance as a market differentiator. Those that market their data privacy compliance will win and those that do not will lose."
Rose agrees: "Many businesses see data protection as red tape, but well-run businesses do appreciate that they have to maintain customer trust - and those that lose data, or misuse it, can see their share price or goodwill heavily discounted when they fail to comply with data protection law.”
He adds: ”We can all name those companies who have got things wrong, often after suffering big data hacks, and you just need to look at the Information Commissioner's website to see the fines meted out to serious transgressors, running into tens or hundreds of thousands of pounds.
Further afield, with more and more business being done in Asia Pacific, how rigorous is data protection regulation in that market?”
Bond points out that the Asia Pacific region has embraced European-style data protection laws and South Korea has one of the toughest regimes. Countries like Singapore, Malaysia and Japan are actively enforcing data protection laws and mirroring the EU style of data protection regulation.
Rose adds: "Most countries recognise that, in a global market, they need to work towards having the EU standard for data protection in place. Lots of countries which don't have specific data protection laws will often have constitutional provisions that protect citizens and consumers in ways which are very similar to data protection laws. China, for example, doesn't have a data protection law as we know it in the UK, but there are certain rights that citizens can enforce."
Closer to home, do our experts believe Brexit will lead to a relaxation of the UK's data protection laws? Rose says: "The UK has indicated that it will adopt the EU General Data Protection Regulation post-Brexit. In fact, as it will be a member of the EU when the GDPR comes into force, it has no option, but I think the UK means that the Great Repeal Bill will not be used to repeal the GDPR.”
"In any event,,” he continues, “the UK will want to be recognised as a safe place for EU companies to transfer personal data - the easiest way to achieve that will be to keep the GDPR in place and, possibly, even to rely on European Court judgments in this area to make sure UK law keeps in line with EU law and practice."
Bond adds: "Although the UK will be subject to GDPR before Brexit has happened, afterwards the UK will still need to have a data protection regime that is acceptable to not only the EU, but other countries that have EU-style legislation."
But with newly-crowned US President Donald Trump claiming he will slash the red tape for US businesses, is this likely to include a relaxation of data protection laws? Bond is confident that current practices will prevail. He says: "Even though Donald Trump has stated he will reduce laws that they are perceived to be restrictive on US business, the fact that so many US states already have strong data breach notification laws and detailed laws on health data and children’s data, for example, means that it is unlikely the US will unravel their current regime. Indeed the regulators in the US will continue to strictly enforce compliance, notwithstanding what the President says.”
Rose is not quite so sure. He says: "Nothing can be ruled out. I think businesses recognise the value to them in giving their consumers higher levels of data protection and, even if President Trump removes various levels of data protection in the US, I would expect companies to seek to gain competitive advantage from offering higher levels of protection.”
"Equally, EU data controllers will be unwilling to send data to US companies that offer reduced rights, irrespective of international data transfer rules - EU citizens have developed an expectation of privacy and protection for their data, and will move their accounts to businesses they feel they can trust,” Rose adds.
To conclude, we asked our experts, if they had one piece of data protection advice for British business right now, what would it be? Bond says: "My advice would be do not put data protection compliance in the ‘too hard’ tray. Doing nothing to comply with the law and consumer expectations is not an option. Even if you cannot be 100% compliant, be seen to be moving in the right direction is the way to go.”
Rose agrees: "British businesses need to be starting to prepare for GDPR. We have moved from the stage of recognising that we need to do something to actually doing something. My concern is that businesses are still thinking about thinking about doing something.
"Data protection is really important,” says Rose. “The value of many businesses, especially online businesses, rests almost entirely with its customer base - losing that, or losing consumer goodwill, will destroy value. Compliance is relatively easy and a very small price to pay."