Why Business Leaders Need to Keep a Close Eye on GDPR and UK Data Protection Laws

These days, it seems we’ve granted endless organisations legitimate access to our personal information.

Just doing your weekly food shop online or grabbing a seasonal bargain involves sharing private data with a third party. Of course, in many respects, sharing data makes life easier and keeps us all connected — just think of all those long-distance friends you can stay in touch with over social media, video calls, and even simply email.

We’re all naturally on our guard when sharing medical data or credit card details openly online. But even offering up seemingly innocuous information like your name and email address can be dangerous if it falls into the wrong hands. Malicious third parties can misuse such data for fraud, phishing, or identity theft. Even innocent lapses can result in an endless stream of unwanted spam that’s distracting and stress-inducing.

For these reasons, as awareness of the importance of data regulation increases, more and more countries conclude they need some form of data protection laws. In 2018, just 80 countries had such rules, but this increased to 130 countries in 2021.

Data protection laws control how public and private sector organisations can use your personal information. GDPR and the UK data protection laws also give data subjects – i.e. the general public – the right to request information about the personal data organisations store about them and how they use it.

GDPR vs UK Data Protection Law

Following Brexit, the European Union considers the United Kingdom a third country within its General Data Protection Regulation (GDPR). This means the movement of personal data from the EU to the UK is only permitted while the EU regards the UK’s level of data protection as equivalent to its own. In June 2021, the European Commission confirmed the UK’s data protection policies were “adequate”, enabling the free transfer of personal data just as it occurred pre-Brexit.

If the situation changes and the UK’s and the EU’s data protection laws diverge, Brussels could insist that mechanisms are put in place to enable cross-border data transfers. These mechanisms would likely make cross-border data transfer much harder and entangle it in far more bureaucracy. This, in turn, could impact the ability of UK companies to succeed in mainland Europe. The EU intends to keep a close eye on the situation and periodically reassess UK adherence to its data privacy regulations.

The EU’s next assessment is scheduled for 2025, so changes to UK data privacy policies in the next few years could potentially push the country out of alignment with Brussels. Equally, policy changes within the bloc could change the situation, even if the UK’s data privacy rules remained static. It’s a situation that’s far from stable and remains in perpetual flux.

In the years since its implementation, we have all heard the term GDPR in the media. Plenty of column inches have been devoted to explaining marketing opt-out options, the right to be forgotten, and onward sharing of information by companies with other third parties. It’s all part of the GDPR strategy to balance two potentially conflicting objectives: protecting fundamental individual privacy rights, and delivering sufficient flexibility for businesses to process personal data during regular operations.

Now that the UK is independent of the EU, the government can introduce its own new data privacy legislation. Changes are unlikely to happen overnight. But we’re likely to see a growing disparity between the UK’s and the EU’s data protection regimes over the next few years — once the dust settles on Brexit, and both sides get down to the serious business of working as neighbours but distinctly separate entities.

Keep An Active Watching Brief

Businesses should be prepared for change as the UK government’s new post-Brexit data protection laws develop in the coming months. The National Data Strategy suggests practical ways to unlock the power of data for the UK and indicates what the future could hold.

In one example, the UK government could seek to maintain a pro-growth data regime that promotes growth and innovation for businesses of every size. This suggests future policies might be leaning towards a more commercially focused approach — one where we can use data to drive future growth while supporting greater competition and innovation.

With so much at stake, organisations should regularly monitor legislative activities to avoid being caught off-guard by any new legislation. This could cover strategies, policies, and framework acts in various areas, including face recognition, AI, and automated decision making.

In some respects, this is not a new situation for UK organisations. Historically, many UK firms have had to keep a close eye on US data protection laws, including Safe Harbour. In some instances, they’ve had to have a very granular understanding of how storing or processing their (and their customers’) data in the US or with US companies can open them up to conflicts between the data protection laws of distinct sovereign nations.

At a national, European, and global level, regulators see enforcing tech industry adherence to data protection laws as a top priority. This is because of the incredible volumes of information that the biggest tech companies like Apple, Google, and Microsoft handle. No wonder that it’s becoming an increasingly monitored space.

It also explains why businesses must identify and act on any new requirements at the earliest opportunity. Companies need to start thinking about this now because data processes need to be watertight and ready for any eventuality. Only in this way can businesses prepare for the upcoming legal and organisational changes concerning data use, individual privacy, and commercial success.

About the Author

Jakub Lewandowski is Global Data Governance Officer at Commvault. Commvault’s data protection and information management solutions provide mid- and enterprise-level organizations worldwide with a significantly better way to get value from their data. Commvault can help companies protect, access and use all of their data, anywhere and anytime, turning data into a powerful strategic asset.

Featured image: ©Twenty20