Speaking at the Conservative Party conference the Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, announced that she is intending to replace GDPR regulations with a new 'British friendly' data protection system.
The intention is that proposed new system would be simpler and clearer for businesses to navigate whilst also protecting consumer privacy. They are looking at replicating data protection systems in countries who have achieved data adequacy without GDPR like Israel, Japan, South Korea, Canada and New Zealand.
Of course, all these countries have had to ensure that there is a level of protection to personal data which is comparable to that provided by the GDPR. This has been easier for some than others, for example, Japan’s adequacy decision took years of negotiations and it had to ensure enhanced protection for data transferred from the EU.
Therefore, we must hope that if we do go down the route of simplification we avoid going too far. In my view, the government’s suggestion that it wants the UK to be a world class data hub whilst moving away from UK GDPR and attempting to avoid the pitfalls of “one-size-fits-all system” is short sighted. If it waters down the protections within the GDPR; it risks the UK’s adequacy decision and could bring about a two tier data rights system – with the UK being on the second tier and falling behind standardised data protections. This risks the UK’s trade in data, and also risks increasing rather decreasing the compliance burden and associated costs. Businesses would still be required to comply with GDPR for transfers of personal data within the EU.
In the case of no adequacy decision, businesses would have to shoulder the administrative burdens of completing Standard Contractual Clauses and the new international transfer agreements and the technical and practical burdens of ensuring data received from the EU is given the enhanced protection required.
It would seem to me that the premise that the GDPR limits the potential of businesses is unfounded. The GDPR provides a moral and ethical approach to data protection so as to standardise the responsibilities of those who process personal data. The UK GDPR and Data Protection Act 2018 build on these standards. The idea of the legislation was to harmonise, bring trust and transparency to the processing of personal data across the board. I would agree with the arguments that the increased transparency which has arisen from implementing and adhering to GDPR and subsequent legislation has increased consumers’ trust, improved business and further increased the amount of data consumers are willing to share.
For the time being, we must wait and see what the government will do, as the Draft Data Reform Bill is on hold. So, for now it is business as usual and data controllers and data processors should continue to focus on ensuring compliance with the UK GDPR and Data Protection Act 2018.
If you or your organisation have any queries around your current or future data protection responsibilities, please contact Eleanore Beard or a member of our Commercial Team.
