The UK government recently unveiled proposals to replace the General Data Protection Regulation (GDPR) with more flexible and less stringent laws.
It claims the introduction of the Data Reform Bill will reduce compliance burdens and foster better innovation. The bill also includes proposals for improved data sharing practices to support the delivery of public services and commits to maintaining the robust standards of data protection vital to protecting the public.
At present, however, many of the specifics of the legislation, and how it will work in practice, have been left unanswered.
So, what could the reform bill mean for business in the UK? Below, we consider four implications.
The consequences of more relaxed data protection rules
Rules like GDPR are in place to avoid the misuse of data – when legitimately collected information is applied in a way beyond its original purpose.
Relaxed data protection laws may cut red tape for businesses to encourage innovation, but the laws are also there to protect the individual and ensure their data is used properly and fairly.
The Durham Police and Experian artificial intelligence incident is an example of how the improper use of personal data can lead to severe privacy abuse.
Durham police were criticized by privacy campaigners over the way they used data, augmented with an Experian dataset, to help process offenders and predict those most likely to reoffend.
While innovative – and despite Durham Police saying the purpose of the tool was to help it identify which offenders to offer more help to – this Minority Report-esque use of data was unethical and in breach of protection laws.
Many hold the view that GDPR legislation has created a culture of risk aversion within businesses due to enforcement fears. Clearly, by relaxing data protection rules, the government is hoping to remedy what it believes to be an overly cautious approach to harnessing personal data that can be legally used – be it for research and development or other avenues that can benefit the public and society.
At the same time, that comes with a risk of business gains eroding individual rights. As such, the Data Reform Bill will need to find a balance between spurring innovation and incorporating data ethics.
A compliance burden for businesses
For organizations operating in several geographical locations and dealing with regulated data, the bill will make life harder.
With the UK creating its own privacy structure, multinationals will need at least two different privacy processes to remain compliant.
Considering the complications arising from the pandemic, Brexit, labour shortages and the early signs that a recession may be on the cards, the timing is bad for many businesses. In the current climate, organizations are already keen to rein in costs, making this an additional expense they can do without.
Organizations will need to manage data subject to different regulations and held on different infrastructures, be it multiple public clouds, on-premise or at the edge. Intimate knowledge of where the data resides and what it can be legally used for will also be needed.
What will be key here is that organizations have a single consistent approach to data security and governance across all infrastructures. Those businesses that can adopt proactive governance to handle every single asset in line with the correct regulation will benefit from better insight and value.
Could this mean goodbye to data adequacy?
Being further removed from GDPR could see the UK lose its data adequacy status – granted by the European Commission to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to European law.
Let’s take the proposed UK reform that would lift the prohibition on automated decision-making and add specific safeguards where AI-powered systems are used without human oversight. Article 22 of GDPR, which considers how data and automated systems should operate together to protect data privacy, now becomes problematic – jeopardizing the UK’s status.
That’s just one example. The takeaway is that loss of data adequacy would mean UK businesses and organizations can no longer receive personal data from the European Union (EU) and the EEA without having additional arrangements with individual states.
It would also mean the UK can no longer protect consumer data up to the standard of the EU, resulting in the flow of data between the two being subject to restrictions.
For businesses looking to set up or expand operations in the UK, managing that data means contending with a completely different regulation.
The dynamism and evolution of data protection
GDPR, Schrems II and over 200 additional pending cases – with the Data Reform Bill adding more legislation – all have the potential to change the rules for data management, making it imperative that businesses have the architecture in place to evolve with the dynamism of data protection.
For example, if dealing with the UK and Germany, organizations may have to maintain different standards for each region. Depending on the workload, one may not recognize US-based cloud processing, and another might mandate on-premise or 'behind the firewall' processing.
In today’s competitive business world, it is essential to plan for these options and to anticipate future change.
To meet these business and regulatory demands, enterprises are leveraging distributed data management components but treating them as one – running on platforms that integrate security, governance, metadata and automation.
Here, businesses are increasingly adopting hybrid and multi-cloud data strategies to unify disparate data sources, so the business and its analysts have a comprehensive and consistent view of all data across the organization – an approach also known as a ‘data fabric’.
And while not necessarily a silver bullet for dealing with the disruption that comes with adopting new reform, it does set up a business for success.
It’s in the detail
For now, the government must tread carefully. Following Brexit, it wants to reform UK data protection rules but needs to maintain a relationship with the EU – and data adequacy.
At the same time, there is the opportunity for the Data Reform Bill to include changes accounting for the technologies that have emerged since GDPR was introduced eight years ago.
Until more details emerge, businesses hope any new measures will deliver a net advantage and avoid complicating the relationship between the UK and EU.