On 26th August 2021, Culture Secretary Oliver Dowden announced that the Government plans to diverge from key parts of the General Data Protection Regulation (GDPR), three years after it was enacted in the UK as the Data Protection Act 2018.
Dowden’s justifications for the break include cutting costs for businesses, doing away with “red-tape” associated with the regulation, and seeking international data partnerships with countries including the US, Australia and South Korea. Particular aim was taken at cookie notices and the belief that they get in the way of customers and their interactions with brands.
The controversial decision has sparked broad discussions around the UK’s increasingly fraught relationship with the EU, while heightening scrutiny of GDPR/DPA, just as the UK appoints a new Information Commissioner who will be responsible for explaining and enforcing any new rules.
Data leaders meanwhile are watching the situation closely as they assess how any regulatory changes could impact their workload, as well as their business’ relationship with an increasingly data-cautious customer base.
The implementation of GDPR was a monumental task for businesses and data governance practitioners. DataIQ research conducted in 2019 revealed that four out of ten companies had not yet reached a full state of compliance with the regulation. Meanwhile, 27.7% of organisations said that the impact of GDPR had been very significant, compared to 8.4% who said it had had little impact.
There will be fears that the introduction of a UK variant regulation will result in businesses having to repeat the mountain of work undertaken in the first place.
“Many US organisations complain that the lack of a federal data protection law costs them money in repeat work,” said compliance expert and Bristows Partner Robert Bond. “There may well be UK organisations worrying that this is going to cost them money, but at the moment the Government is simply posturing.”
What’s more, instead of removing red tape, any divergence from GDPR could result in more red tape for EU-facing UK businesses. When the EU formally recognised the adequacy of the UK’s data protection standards in June, allowing for the continued flow of personal data between the EU and the UK, British businesses expressed relief.
Julian David, CEO of trade organisation techUK, said at the time: “The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.”
Divergence from EU standards jeopardises this adequacy agreement, meaning that UK firms could lose seamless European data flows. That could jeopardise the digital innovation which Dowden is keen to fuel, while also having implications for the already fragile sharing of criminal and security data between the EU and UK. “The Government can’t do a great deal of divergence, because if it does we will eventually lose the adequacy agreement granted by the European Commission,” said Bond.
Privacy continues to matter to consumers: DataIQ research conducted after the implementation of GDPR revealed that a third of consumers still did not believe that their personal information was safe online. This is more likely a result of general cautiousness around personal data than of doubt in the security outlined within GDPR itself.
Bond pointed out that, rather than GDPR being an obstacle to innovation and good customer experiences, many international data privacy laws are now being modelled on it, often with an enthusiastic view of how it protects individual rights and privacy.
Regulations such as the California Consumer Privacy Act (CCPA) are increasingly including GDPR-like provisions around issues like the rights of data subjects, the need for transparent privacy notices and tight data transfer restrictions. Robert Bond said: “There’s a sense of direction now, and we can’t simply go against that tide.”
One thing that GDPR does have going for it is awareness. In 2019, 45% of consumers reported that they knew all about the regulation, with a further 22.7% indicating a reasonable awareness.
Businesses have had to balance their ambition to deliver personalised customer experiences with a growing customer awareness of GDPR and scepticism around the use of data in general.
If British businesses are to support and implement a UK variant legislation, they would do well to ensure that the changes do not disturb that already delicate balance and that safeguards to data privacy are upheld. Dowden’s announcement made specific reference to upholding those, promising to: “Set world-leading, gold standard regulation which protects privacy, but does so in as light touch a way as possible.”
A lot of this is likely to be political posturing framed by Brexit at this stage, with the new Information Commissioner unlikely to want to be faced with any seismic changes early in their tenure.
For those data professionals watching intently in the meantime, the priority will be ensuring that that “light-touch” does not mean a divergence from the standards that underpin the already fragile relationship between customers, business and the way data flows between the two.