Today, on 25 May 2018, the European Union’s (EU’s) General Data Protection Regulation (GDPR) takes effect across the EU.
Data protection laws had not been amended in more than 20 years, despite the vast expansion of the digital economy and changes in how personal data is used to provide insights and deliver new goods and services.
The law was agreed to over two years ago and there has been a lot of anticipation across organisations.
Anticipation has also been met with some scepticism. GDPR was a controversial piece of legislation as it passed through EU institutions.
Concerns have been raised about the burdens on small businesses, as well as the impact on the development of new technologies such as artificial intelligence (AI) and machine learning, through limitations on what organisations can do with the data they hold.
With the UK leaving the EU, there have been suggestions that we should amend GDPR to tackle its faults. However, the tech sector supports the government’s continued commitment to maintaining alignment with the EU on data protection issues, specifically to GDPR.
The key reasons for why this is important and the right thing to do are that it will increase trust, ensure good data flow after Brexit, and will allow the UK to maintain global influence.
Increasing confidence in digital economy
Strong data protection laws will help increase trust and confidence in the digital economy. The UK’s data economy is expected to be worth £241bn by 2020, creating hundreds of thousands of new jobs.
The potential use and value of data is vast. From improved customer insights, delivering more tailored goods and services, to improving business efficiency and understanding diagnosis and treatments in healthcare.
However, that will only be realised if people have trust and confidence in the way their personal information is being used. These are all elements that will be improved under the GDPR.
We know the impact of data breaches on a brands’ reputation. There are plenty of historical, and some more recent, episodes where a data breach has negatively affected user confidence. GDPR will give more control to consumers to determine who has their information and for what purpose. This should be seen as an opportunity for companies to build user trust.
Data flow alignment with EU
Alignment with the EU will help ensure data can keep flowing post-Brexit.
Since the EU referendum, techUK has been clear about a top priority of the tech sector in Brexit negotiations: data must continue to flow freely between the UK and the EU post-Brexit to allow the continued growth and dynamism of both our digital economies.
It is estimated that 70% of the UK’s trade is enabled by data flows, and the UK represents 11.5% of global data flows – 75 % of which are with the EU. This is a key issue for businesses of all sizes.
Once the UK becomes a third country, the provisions allowing the automatic free flow of personal data between EU member states will no longer apply to the UK.
EU data protection laws put restrictions on data being transferred out of the EU to third countries for the understandable reason of wanting to ensure that European data is sufficiently protected when it sits in a different country.
The only suitable and sustainable solution is to agree mutual adequacy agreements between the UK and the EU.
Adequacy is a determination by the European Commission that states a third country has a data protection framework which is “essentially equivalent” to the EU’s and therefore protects data to an appropriate degree. Once agreed, adequacy allows the free flow of data between the EU and that third country, with no additional burdens or obligations at company level.
UK must take part in conversation around data
If the UK is to be a global leader, it needs to maintain global influence.
Beyond the continued free flow of data, the government is seeking a bespoke arrangement whereby the UK Information Commissioner’s Office (ICO) would have a continued role on the European Data Protection Board.
The ICO brings several benefits to the EU’s data protection policy development, from resources to thought leadership. The industry, therefore, unequivocally supports that aim.
Further than that, the UK must be a part of the global conversation about privacy and being able to influence the EU’s approach, as it moves towards the likelihood of a “GDPR 2.0”, is an important element.
These are just three of the key reasons why we should be celebrating GDPR taking effect today. As I said at the outset, GDPR is not perfect but it is important. It gives consumers much greater control over their personal information; it allows data to continue flowing; and ensures the UK to continue to influence the EU – and the global – approach to data protection.
Read more about GDPR
- One month to GDPR compliance deadline.
- The GDPR audit power is being outpaced by technological advances in data analytics, says ICO.
- GDPR focus shifts from the sanctions to the benefits.
- How to be prepared for GDPR by 25 May.