Earlier this year, the culture secretary, Oliver Dowden, wrote in the Financial Times that while the UK government intends to maintain its ‘world-class standards’ in the field of data protection, ‘we do not need to copy and paste the EU’s rulebook, the General Data Protection Regulation, word-for-word’.
Some commentators perceived this as a first signal of the UK government’s intention to depart from the EU’s GDPR, particularly as the culture secretary also indicated that the new information commissioner, to be appointed in the autumn, will be asked not just to focus on privacy but will also ‘be empowered to ensure people can use data to achieve economic and social goals’.
The concern from government appears to be that ‘too many businesses and organisations are reluctant to use data – either because they don’t understand the rules or are afraid of inadvertently breaking them’.
It is clear from the way the concern is articulated that the issue to be tackled is really one of messaging and communication rather than actual legal or practical difficulties with the principles, rights and obligations contained in the GDPR itself. It follows that any perception that the UK is going to radically depart from the GDPR is misconceived.
Understanding the GDPR
At its heart, the GDPR is an enabling rather than destructive prospect for business. As the information commissioner has indicated in her recently published data-sharing code of practice, it is a myth that data protection law stops all organisations and businesses from sharing personal data.
In reality, data protection law enables organisations and businesses to share personal data securely, fairly and proportionately. It ensures that businesses manage personal data in ways that can lead to more effective business practices by reducing the costs associated with storage of too much personal data and ensuring that organisations keep marketing and other mailing lists up to date, which can only result in an economic benefit.
The pandemic has highlighted the helpful ways in which personal data may be shared and used in various contexts. For example, it has forced local authorities to act to keep residents safe, support local businesses and find new ways of delivering services at a distance.
In this regard, the Centre for Data Ethics and Innovation has reported how local authorities have successfully used data-sharing and other data-driven instruments to do things such as identify the most clinically and economically vulnerable to the effects of Covid-19, predict demand and pressures on local services, and collaborate with the NHS on Test and Trace.
This is but one example of how our existing laws do not stand in the way of public or private bodies but do in fact provide a structured framework within which to innovate and share personal data.
Smooth transfer is vital
In any event, regardless of the perceived difficulties that the GDPR may pose, the plain reality is that business relies on the ability to transfer personal data to and from the EU. It is for this reason that after 30 June 2021 (the post-Brexit bridge period), it is important for UK business that the EU adopts an adequacy decision.
A draft adequacy decision has already been published by the European Commission, approving the UK as an adequate third country. This has now been considered further by the European Data Protection Board as part of the adequacy decision process.
Against this backdrop, it is very difficult to see the UK departing in any substantial way from the requirements of the GDPR, particularly from the fundamental aspects of the legislation relating to individual rights, processing obligations and principles. To do otherwise would seriously jeopardise achieving and maintaining an adequacy decision and undermine the claim that the UK’s data protection regime remains ‘world class’.
In reality, while there may be some blustering rhetoric about doing things differently now that we have left the EU, any changes that are introduced are likely to be minor, such as in relation to how data protection law is enforced or the nature of the guidance that is published by the information commissioner.
The practical reality for business over the coming years is likely to be broadly more of the same, but hopefully with added emphasis and clarity from the information commissioner and the government dispelling myths about data protection law being disabling rather than enabling for business interests.