“British Businesses to Save Billions Under New UK Version of GDPR” is the UK Government’s headline announcement ahead of the publication of a new post-Brexit data protection law. Will they, however, and what are the implications for businesses with a global mindset?
About the Bill
The Data Protection and Digital Information (DPDI) Bill is a complicated and multifaceted bill. It brings together post-Brexit reform of the UK version of the GDPR and changes to cookie rules, with a reset of the governance framework of the Information Commissioner’s Office (ICO) and a whole range of changes, including around digital identity and nuisance calls.
What does GDPR reform mean for business?
The direction of travel for the changes to GDPR is a focus on achieving outcomes rather than on putting in place complex processes and documentation. This should provide businesses with greater flexibility in how they protect data and lower their costs of compliance. Businesses will also have more flexibility around international data transfers and, crucially, gain a potentially significant expansion in how they can use data for research purposes or AI applications.
All good then?
To what degree this will actually unlock those billions in savings depends on one’s perspective. Essentially, the more global your viewpoint, the less you might gain.
Businesses that just operate “at home”, in the UK, have the most to gain, while UK businesses with international ambitions simply cannot escape the requirements that have been set elsewhere. Global businesses operating in the UK will probably just continue sticking to EU rules, given that the original GDPR has been pretty successful at setting a new global standard.
A potential outlier is the greater flexibility around research and AI. This could allow start-ups and established global operators alike to develop and grow their businesses in more creative ways in the UK, thus attracting investment into the country. This, however, is tempered by concerns that those UK rules could risk data adequacy with the EU which, in turn, would make data transfers to the UK very difficult. This conundrum highlights yet again that global standards for tech tend to be determined by those who set a high bar – in this case, the EU, no matter how innovative the UK proposals might be.
What happens next?
The Bill will now go through parliament. We can expect opposition from privacy groups who are concerned that greater flexibility for business equals less protection for consumers. There are additional concerns about the ‘non-GDPR’ parts of the Bill, particularly in relation to the independence of the regulator, the ICO. And finally, we will also need to keep an eye on the reaction from Brussels: any indication that the proposed UK reforms do threaten data adequacy could reduce the interest from businesses in the UK in going it alone.
Clarity is following the passage of the Bill closely. Get in touch if you’d like to know more about the Bill and how it might impact your organisation and how.