The future of privacy legislation in the UK

Jolyon Stone at OpenText explores what the UK’s Data Reform Bill means for the future of GDPR

 

As we recently marked the fourth anniversary of the introduction of GDPR in Europe, organisations are facing a more knowledgeable, confident, and powerful world community.

 

People are demanding greater transparency in terms of how their personal data is used and holding organisations accountable. 77% of global consumers surveyed by GDMA state that transparency around how their data is collected and used is important to them when sharing their personal information.  

 

Last year, not only did we see a significant increase in the number of GDPR fines, but we witnessed the biggest one to date with Amazon being handed a $847 million fine from the Luxembourg’s data protection authority. These fines focused on punishing organisations that present ambiguity or lack transparency in processing and communicating decisions with their customers.  

 

In light of this, the UK government are taking steps to better protect individual’s data, starting with the Data Reform Bill, which will have an impact on all organisations operating in the UK.  

 

What is the Data Reform Bill? 

In early May, the Prince of Wales - as part of the Queen’s speech - announced the Data Reform Bill that will overhaul the GDPR with a UK Data Protections Framework. This announcement came following the UK Government’s public consultation in 2021.

 

The bill is part of the UK government delivering on its Data Strategy, intended to support recovery from the Covid-19 pandemic, introduce SMART data initiatives, ease data sharing barriers and tackle online threats to individuals and the state.  

 

Governments and organisations are delivering on their digital strategies at pace. This was always on the cards; however, the Covid-19 pandemic has added urgency to this mandate. Businesses, understandably, feel the need to operate digitally. For the majority this requires a reliance on cloud-based solutions and the inevitable international flow of data.  

 

Leaving the EU has granted the UK new-found regulatory freedom. But is, ‘shedding unnecessary EU-derived legislation’ such as the GDPR going to support innovation and growth for businesses whilst ensuring individuals rights and freedoms are protected? And what does it mean to the UK’s current data protection adequacy decision that allows for the free flow of personal data between the EU and the UK?  

 

Whilst the Data Reform Bill has been announced in principle, no actual text is available. At this stage, we can surmise the plan is to deviate from a GDPR-based UK privacy regime. This may suggest a threat to the UK’s data protection adequacy decision. 

 

Time will tell how safeguards will be maintained and what level of control data subjects will actually have on how and where their personal data is being processed. 

 

What does it mean for UK businesses?  

Post Brexit, the UK is having to reshape its relationships with the EU and wider global economy. The Data Reform Bill may well remove some of the uncertainty left behind from the UK parting from the EU, putting the UK on the front foot and not just keeping pace but setting the agenda for data regulatory reform.  

 

Whilst the announcement of the Data Reform Bill did not come as a surprise, the devil will be in the detail, so we can’t fully assess the impact to UK businesses yet. 

 

However, one particular call out is that the Information Commissioner’s Office (ICO) will take appropriate action against organisations who breach data rights and that citizens will have greater clarity on their rights.

 

Does this mean we could see the ICO taking more severe enforcement action against organisations that breach privacy rights? If this is the case, how does this support business friendly regulation?  

 

How can businesses prepare for data reform? 

Whilst we wait to see whether the Data Reform Bill will actually make it to parliament this session, given the largest ever number of bills announced in a Queen’s speech to date, 38 in total, businesses would be well advised to focus on streamlining and digitising their internal processes proactively. They should and prove to their customers that privacy is important to them, rather than waiting to be reactive.  

 

For example, for many organisations, fulfilling data subject access requests is very time consuming and is often still a manual process due to lots of internal silos. With a focus on brand reputation and retaining customer loyalty, organisations should look to automation to manage these challenges and as a source of competitive advantage. 

 

Gaining trust is dependent on delivering a consistently great customer experience. For this to happen, effective communication of personal data policies, practices and any breaches, as well as a streamlined Subject Rights Requests (SRR) management process, must be top of mind. 

 

Organisations that foster an integrated, data-centric approach to privacy management will need to leverage data discovery and classification tools, risk mapping and data management platforms with strong retention capabilities.

 

This will put them in the best position to execute on these priorities. It will earn individual trust and retain the right of custodianship of customers’ personal data as well as differentiate themselves in the marketplace, enabling them to stay ahead of data reform.

 

The UK Data Reform Bill is likely to have a significant impact on doing business in the UK and when handling UK citizens’ information. Organisations will need appropriate tools to navigate the future data regulatory landscape compliantly and efficiently. OpenText will be ready for this impact.

 

---

 

Jolyon Stone is Director, Privacy & Compliance at OpenText 

 

Main image courtesy of iStockPhoto.com