The EU GDPR that the industry spent so much time preparing for a few years ago no longer applies directly in the UK. Businesses operating within the UK must now comply with the Data Protection Act 2018, with the provisions of the EU GDPR incorporated into UK law as the UK GDPR. Of course, if you want to do business in the EU, you still need to comply with the EU GDPR as well. The current government wants to replace the UK GDPR with a new Data Reform Bill, but that bill was shelved in October (as was the increasingly unpopular Online Safety Bill, whose status also remains pending) while the government looks at both bills again.
What should business expect from data legislation in the coming years, and how can it prepare? This was the question a panel at Computing's recent Cyber Security Festival tried to answer.
Georgina Kon, privacy, technology and resources partner at Linklaters, said the Data Reform Bill is unlikely to diverge significantly from the requirements of the GDPR.
“In the last draft we saw, it seems that the core structures of the GDPR will be preserved, but there are some areas where we can be more regulated, such as .”
Mariano Delli Santi, legal and policy officer at the Open Rights Group, had more serious concerns about the process by which this legislation is being changed.
“The recently submitted draft does not clarify the meaning of the GDPR. The government wants to create delegated legislative powers in order to clarify it later.”
The powers the government wants to use are known as Henry VIII powers, and as Delli Santi pointed out, they allow the executive to amend the law without primary legislation or parliamentary scrutiny.
“The human rights implication is that the government can ignore the law whenever it wants. The business impact is that the law will change a lot and the law will be contested a lot, so there will be challenges, court reviews etc. Businesses will need good lawyers to explain it all. It also means that the regulation is likely to be inconsistent. It is likely to change regularly because it will simply reflect the political priorities of the day.”
This will inevitably have implications for businesses that want to trade within and with the EU.
“Some of the changes are completely incompatible with the ECHR, which means that businesses will have to spend a lot of money on contract revisions, legal fees, etc. It will be easier for international businesses to find partners in EU countries rather than continuing to do business in the United Kingdom”.
Daniell Sudai, head of security operations at Deliveroo, noted that businesses with an international presence like Deliveroo already deal with different sets of rules across different legal jurisdictions. Kon agreed, noting that in Asia data laws tend to be heavily consent-based, while in the EU they rely far less on consent as a basis for processing.
Changing the role of the Data Protection Officer
The role of the Data Protection Officer (DPO) is also likely to change, as rules for smaller organisations in particular are loosened while the government tries to create some Brexit advantages for smaller businesses, advantages which, economic data suggests, are somewhat thin on the ground at present.
The whole panel expressed concern that DPOs will potentially be replaced with Senior Responsible Individuals (SRIs), who will have the seniority but not necessarily the depth of knowledge required for the role.
Patrick Burgess, co-founder and technical director of the MSP Nutborne Ltd., commented:
“Already in the non-business world you often find people nominated as DPOs and they’re not necessarily trained. That person has to be supported at the highest level or it’s really just a box-ticking exercise. You have to give people the right powers, responsibilities and training, and don’t get cross when they tell you what you don’t want to hear.”
None of these issues will necessarily be resolved by replacing DPOs with SRIs, although, as Kon pointed out, SRIs are in theory harder to dismiss if they sit at board level.
Both she and Sudai emphasised the importance of strong relationships between the DPO or SRI and the technical teams, because decisions about retention and processing are influenced by those teams, often at very senior levels. The law as it currently stands also means that the CISO, for example, cannot be the DPO: a separation of the two roles is mandatory.
The panel acknowledged the considerable influence of politics on data-related legislation. Kon commented:
“There’s been a lot of consultation on the Data Reform Bill and it’s shown that most companies don’t want a very different regime. They don’t want the reorganisation costs of a whole new set of regulations, but politically we WANT to show, post Brexit, that we’re doing something different. That’s why we’re seeing divergence on things that aren’t very controversial, like strengthening the ICO.”
Kon believed that the role of the ICO would continue to evolve.
“It is in a very strong position as one of the most responsible regulators. This is not always to the benefit of businesses, of course, if they suffer a data breach. Having said that, the ICO has always taken an approach of regulation through voluntary compliance, and it’s a pragmatic approach that I hope will remain. I think it’s right that they get more power, but I hope they balance human rights with pragmatism and how technology works in the new world.”