Earlier this year, the UK Government announced it will be introducing a Data Reform Bill – a new set of laws aimed at replacing the EU’s General Data Protection Regulation (GDPR). The bill seeks to replace unnecessary paperwork and implement tougher fines for companies hounding people with nuisance calls, updating the UK’s data laws for the digital age.

Experts and government ministers have optimistically described the reform as “a new direction” for data and claimed the proposal could influence the evolution of data rules around the world. However, there is a multitude of potential risks to the global data privacy landscape. What hurdles will the government have to contend with? And will it truly be successful at streamlining data privacy compliance for businesses around the world?
The global impact of moving away from GDPR
The government’s desire to move away from the protections offered in GDPR is, at face value, odd. Its impact across the world has largely been considered positive, having served as a foundation for what is now the California Privacy Rights Act and representing a broader legislative push to bring data privacy rights to the public in Chile, Argentina, Brazil, and beyond.
That’s why the introduction of the UK’s reforms could cause significant confusion for global companies seeking to do business in the EU and UK. In plain fact, complying with two sets of rules is harder than complying with one. It’s why data breach notification laws in the United States are so troublesome: there’s a law for every single state, and sometimes, those laws don’t overlap. Why throw a spanner into something now?
As it stands today, many companies are using GDPR as a convenient North Star for data privacy compliance, implementing new policies that would benefit all their customers even if they are not in the EU, simply because they see data privacy as a lasting trend and a safe investment, with data-driven trade generating three-quarters of the UK’s total service exports. It’s clear that if businesses comply today, it will be much easier to comply tomorrow when other regions pass laws like GDPR. So, while the reforms are intended to remove unnecessary paperwork, they may end up adding more red tape to an already complex way to do business.
The UK’s Data Reform Bill risks stifling positive progress made in other nations, where GDPR served as a crucial foundation. It’s suggested that the reforms will fuel the responsible use of data for innovation by providing clear definitions and will empower the UK to strike new data partnerships. However, chipping away at confidence in the current regulation may leave other countries feeling insecure, which can have ramifications on data privacy globally.
The need for concerted planning
As GDPR itself took over 10 years of planning before being passed, a long road of refinement likely lies ahead if the new bill is to improve on the existing system. For instance, providing consumers with their data requires a lot of work, including locating the data, gathering it, and usually deleting it after a certain date. This work also needs to be supplemented with customer support employees who can respond to data requests that cannot be automated.
If the UK government believes GDPR has been cumbersome to companies, it’s likely the introduction of a new set of data privacy regulations will add to that heft. And this isn’t a mere hypothesis. When California approved and placed its data privacy law into effect on January 1, 2020, many companies did not comply with the law’s requirements to give Californians their data when they asked for it – at least not in a timely manner, as defined by the law.
While the government is focusing more on business requirements and less on consumer rights, it’s key that it moves beyond the idea of consent-approved data collection, too. Though novel at the time, allowing data collection when specifically green-lighted by the consumer has created a landscape in which the consumer has even more responsibility to manage their data. For instance, just think of how many times websites ask if you consent to their use of cookies. When interacting with hundreds of platforms, websites, and services, this management is no easy task.
The danger of compromising the data adequacy agreement
If it’s deemed the new legislation does not protect citizens’ data sufficiently, the agreement allowing the free flow of data between the UK and the EU could be revoked, causing significant legal headaches for businesses in the process. As an example, the US currently does not have an adequacy agreement with the EU because of its expansive surveillance laws, and that creates issues every single day for companies.
It’s true: “no nation is an island,” and the Data Reform Bill poses more questions than it answers. It fails to outline how it is going to mitigate diverse global risks. Between undermining GDPR, overstepping other countries’ data protection progress, and potentially causing confusion over how businesses will operate, it is unclear whether the reforms will manage to clear the hurdles with a clean sheet. The big question is whether it will ultimately be counterproductive to data protection – a dangerous reality in an increasingly data-hungry world. The government must quickly provide answers if it’s to be successful at streamlining data privacy compliance for businesses around the world.