Jakub Lewandowski at Commvault explores the future of data protection laws in the UK
In a data-driven world, hundreds, and probably thousands, of organisations have access to personal information about us. Every time you shop online, change employment or sign a petition, you share your details with a third party.
Sharing data often makes life easier and keeps us all connected, but information as simple as your name and email address can be dangerous in the wrong hands. Such data can be misused by third parties for fraud, phishing or identity theft.
Data protection laws are in place to protect your data and prevent this from occurring. They control how your personal information is used by organisations throughout the public and private sectors.
GDPR and the UK data protection law also give data subjects, i.e. the general public, the right to request information about what data these organisations have stored about them and how it is being used.
As awareness around the importance of data regulation increases, more and more countries are reaching the conclusion that data protection laws in some form are needed. In 2021, nearly 130 countries had adopted some form of data privacy legislation, versus around 80 in 2018.
Goodbye GDPR, hello UK Data Protection Law
As a result of Brexit, the United Kingdom is now considered a third country under the European Union’s General Data Protection Regulation (GDPR). This means that the transfer of personal data from the EU to the UK is only permitted for as long as the UK’s level of data protection is regarded as equivalent to that of the EU. Otherwise, burdensome mechanisms to allow data transfers across the borders will need to be put in place.
In June 2021, the European Commission confirmed that the UK’s data protection policies were ‘adequate’. This subsequently re-enabled the free transfer of personal data, allowing organisations to operate and transfer data as they could when the UK was a part of the EU.
However, it does not mean that the UK still has to adhere to GDPR regulations, so what is next for data protection laws in the UK?
In the few years since its implementation, we have all heard the term GDPR, both in the media and when ticking boxes about whether we want to receive marketing emails or have our data shared with third parties. The regulation aimed to strike a balance between protecting the fundamental rights of data subjects and giving businesses flexibility in processing personal data.
However, no longer tied to the EU, the UK now has the possibility to introduce new legislation to define data protection in its own way. It is likely to occur gradually, but over the next few years, we could see increasing disparity between the UK and EU’s data protection regimes as they establish themselves as separate parties.
It is important to note, however, that certain limitations remain. The adequacy decision is only based upon the current UK data policies and can be revoked at any time. The EU will periodically reassess whether the UK conforms with its requirements – the next such assessment is scheduled for 2025, meaning that any changes that are made to UK policies in the next few years may push it out of alignment with the EU.
In the coming months, as government discussions surrounding UK data protection laws develop, it is important that businesses are prepared for the changes these may impose on them. The National Data Strategy details how best to ‘unlock the power of data for the UK,’ and it gives us some indication at this stage of what the future might look like.
For example, the government is working to maintain a pro-growth data regime that ‘promotes growth and innovation for businesses of every size’. This hints that the UK might be leaning towards a more business-focused approach, where data can be increasingly used to drive future growth and support greater competition and innovation.
In order to avoid being shocked by any new legislation which forces changes to be made to in-house data policies, organisations should regularly monitor legislative activities, such as strategies, policies and framework acts, in various areas including AI, face recognition and automated decision making.
By keeping on top of decision-making, organisations can ensure that they’re not taken by surprise when any new laws are implemented.
The tech industry is amongst the top priorities for regulators to manage due to the sheer volumes of data it handles, and as such it is becoming an increasingly monitored space. That is why it is absolutely crucial to identify and understand any new requirements as early as possible and prepare for the upcoming changes in the legal environment around data.
Businesses need to start thinking now, because data processes need to be watertight and ready for any eventuality.
Jakub Lewandowski is Global Data Governance Officer at Commvault