The new data protection chief – or to give her a proper title and name, information commissioner Elizabeth Denham – has made her first speech in the role and inevitably part of it was about Brexit. People value their privacy and it’s essential that everyone from big business to government to sole traders continues to be responsible about how they handle people’s information.
The drawback is that the current data protection legislation in the UK is based on European law, and the forthcoming General Data Protection Requirement, which will update the law for most of Europe, is even more so. “Countries who are part of the EU are now preparing to adopt the new law in 2018. The Referendum result has thrown our data protection plans into a state of flux,” said Denham at an event in London last night. “What hasn’t changed are the strong data protection rules the UK already has. We need those rules to ensure cross-border commerce, not to mention the privacy protections citizens and consumers expect.”
Data protection post 2018
Denham’s job has been made more complex by the referendum result, she freely confesses. However, she pointed out in her speech, it’s worth remembering that Britain had data protection in place ten years before aligning its laws with those from Europe. It isn’t yet clear what effect Brexit will have on the detail of the law, but she hinted positively that there will be common ground between us and the EU. “It is extremely likely that GDPR will be live before the UK leaves the European Union,” she commented. “Remember that the GDPR is actually already in force, it is just that member states are not obligated to apply it until 25 May 2018.”
Many of the new requirements are updates for which there has been plenty of clamour already. Only last week after the Yahoo! data breach, New Statesman Tech was among the sources demanding mandatory reporting of substantial security breaches. That’s in GDPR, as are higher fines when something goes wrong and higher standards of consent – if a customer signed up for a newsletter in 2001 to try and win a box of chocolates, that will presumably no longer offer a business carte blanche to sell their details on for profit.
The UK will be under no obligation to adopt GDPR post-2018, assuming Article 50 has been enacted, but Denham believes it would be in our interests to do so, or to do something remarkably similar. “In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent,” she said. “For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.” And without that there would be little or no trade.
Brexit means Brexit
The issue facing Denham and others is that for the moment the UK government is not declaring its hand as far as Brexit is concerned. Whatever one’s political leanings, whether a remainer or a committed hard Brexiter, the vagueness makes even the most basic contingency planning all but impossible. There may be good strategic reasons for not declaring the British hand too early in negotiations (although the courts have told the government it may be a little overzealous about some of its disclosures, according to this report in the Independent) but it leads to some concerns from people who need detail to make sensible plans for the future.
Denham remained positive: “Legislative change does bring nervousness, but it also brings opportunity,” she said. “These changes – stronger data protection law and enforcement – are aimed at inspiring public trust and confidence. GDPR is an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh.”