At the same time as the country is being asked to decide whether to stay in or out of the European Union, a parallel discussion is taking place in the data industry. At the DMA Data Protection Day on 26th February, a steady current of conversation could be heard considering what an out vote might do for data – a “dexit”, if you will.
The assumption among those pressing to get out is that innovation, commercial benefit and customer engagement are all in some way harmed by the need to comply with European data laws, such as the upcoming GDPR or the ePrivacy Directive. Without them, the UK might be to personal information what Silicon Valley is to technology. Here are four reasons why this view is misguided.
1 – It’s time to accept data belongs to the individual
Frustration at the strictures of the GDPR is a mistake – at its heart, the existing principles of the Data Protection Act remain in place and they continue to be valid whatever data is being used and wherever it is applied. If your brand does not want to be transparent, is unable to explain what it does with data, and does not want to yield at least some control over its usage and management to the individual whom that information describes, your business model is probably not sustainable.
Consumer control is growing and irresistible as a trend. For many, it will be enough just to know what data is being kept and under what rules and controls. This is where the icon-based system proposed by GDPR could be a valuable tool in consumer education. Standardisation across the industry – even around three or four competing standards – will enhance the customer experience and speed the customer journey through the data capture stages. Your business does not lose by putting the individual in control; it gains by having informed and engaged customers.
2 – The UK will still have to agree to Privacy Shield
If your business uses cloud services or has outsourced any element of its data management or processing needs, chances are personal information is being stored in a data centre in the United States. That is not a problem given the recent EU-US accord on a new Privacy Shield to replace the struck-down Safe Harbour.
Being outside the EU does not mean the UK will no longer need to obey these rules. Instead, it will have to negotiate its own UK-US agreement which would need to be almost identical. So there is no gain to be had by leaving the existing arrangement, only the pain of a potential delay in agreeing, which could stop data flows across the Atlantic until it is in place.
3 – The UK will have to obey GDPR even if it leaves the EU
If your business captures personal information on even a single EU citizen, it has to offer the same rights as are available in their country of residence. Leaving the EU would not change this, but would require negotiation of a specific EU-UK data treaty, much like Privacy Shield, in order to allow cross-border data transfers.
There is unlikely to be any softening of those requirements in such a process – perhaps even the opposite. Spotting a moment of political vulnerability (the UK government will almost certainly fall if there is a vote in favour of Brexit), German interests might seek to restore the tougher requirements that currently exist in their laws and which they believe have been watered down in GDPR. Why leave a system only to find yourself still governed by it?
4 – Don’t get out of step with the rest of the world
Focus might have fallen on the EU over recent years because of the much-argued progress of GDPR. But elsewhere, the march of data protection legislation has been towards firmer controls and greater consumer rights, often in excess of what the Regulation is about to usher in.
If your business trades with consumers in Asia Pacific, or uses data management and processing services that operate there, it will be necessary to respect the legal rights which countries in that region have put in place for their citizens. A standalone UK might have to negotiate treaties with every single one of them, potentially losing ground each time. GDPR, by contrast, offers a common standard which is readily acknowledged as sufficient by those territories.
The UK operates in a global digital economy and is a genuine global leader around data and analytics for commercial benefit. It got there by setting out the first data protection laws and influencing the shape of the new ones. Leaving that framework would be a step in the wrong direction.