The implementation of GDPR was a monumental task for businesses and data governance practitioners. DataIQ research conducted in 2019 revealed that four out of ten companies had not yet reached a full state of compliance. Meanwhile, 27.7% of organisations said that the impact of GDPR had been very significant, compared to 8.4% who said it had had little impact.
There are fears that the introduction of a UK variant regulation will result in businesses having to repeat the mountain of work undertaken in the first place.
“Many US organisations complain that the lack of a federal data protection law costs them money in repeat work,” said compliance expert and Bristows Partner Robert Bond. “There may well be UK organisations worrying that this is going to cost them money, but at the moment the Government is simply posturing.”
What’s more, any divergence from GDPR could result in more red tape for EU-facing UK businesses. British businesses expressed relief in June when the EU formally recognised the adequacy of the UK’s data protection standards, allowing for the continued flow of personal data between the two jurisdictions.
Julian David, CEO of trade organisation techUK said at the time that: “The decision that the UK’s data protection regime offers an equivalent level of protection to the EU GDPR is a vote of confidence in the UK’s high data protection standards and is of vital importance to UK-EU trade as the free flow of data is essential to all business sectors.”
Divergence from EU standards jeopardises this adequacy agreement, meaning that UK firms could lose seamless European data flows. This would stifle the digital innovation that Dowden is keen to fuel and have implications for the already fragile sharing of criminal and security data between the EU and UK. “The Government can’t do a great deal of divergence, because if it does we will eventually lose the adequacy agreement granted by the European Commission,” said Bond.
Privacy continues to matter to consumers – DataIQ research conducted after the implementation of GDPR revealed that a third of consumers still did not believe that their personal information was safe online. This is likely a result of general cautiousness around personal data than doubt in the security outlined within GDPR itself.
Bond pointed out that rather than been an obstacle to innovation and good customer experiences, many international data privacy laws are now being modelled on the GDPR, often with an enthusiastic view of how it protects individual rights and privacy.
Regulation such as the California Consumer Privacy Act (CCPA) are increasingly including GDPR-like provisions around issues like the rights of data subjects, the need for transparent privacy notices and tight data transfer restrictions. Robert Bond said: “There’s a sense of direction now, and we can’t simply go against that tide.”
One thing that GDPR does have going for it is awareness. In 2019, 45% of consumers reported that they knew all about the regulation, with a further 22.7% indicating a reasonable awareness.
Businesses have had to balance their ambition to deliver personalised customer experiences with a growing customer awareness of GDPR and scepticism around the use of data in general. If British businesses are to support and implement a UK variant legislation, they would do well to ensure that the changes maintain this balance and uphold safeguards to data privacy. Dowden’s announcement made specific reference to upholding those, promising to: “Set world-leading, gold standard regulation which protects privacy, but does so in as light touch a way as possible.”
A lot of this is political posturing framed by Brexit at this stage, with the new Information Commissioner unlikely to want to be faced with any seismic changes early in their tenure. For those data professionals watching intently in the meantime, the priority will be ensuring that that “light-touch” does not mean a divergence from the standards that underpin the already fragile relationship between customers, business and the way data flows between the two.