Monday, August 30, 2021

The Post-Brexit Future of UK Digital Data Standards and GDPR

I spend a lot of time researching and writing about cybersecurity and the digital landscape. It's become increasingly apparent that, in the aftermath of Brexit, the UK is embarking upon interesting and challenging times regarding data security. 


Compliance, in particular, will be a key issue in the months to come. In June 2021 the UK was awarded two adequacy decisions - one under the General Data Protection Regulation (GDPR) and the other with reference to the EU Law Enforcement Directive. These decisions allow for the free flow of personal data to and from the European Union and the UK. Further, the UK currently benefits from an (essentially) equivalent level of protection to that which is guaranteed under EU law. In light of this, the UK must be cautious regarding any changes to its current data regime in order to avoid disrupting the EU-UK adequacy decision (if it wishes to maintain the benefits of this status in the future). The EU’s official approval of the UK’s data standards is vital for many businesses that operate across borders (notably in Ireland/Northern Ireland) and around the world, where the frictionless movement of personal data is critical to international trade and operations.

In a recent announcement regarding the UK government’s plans to reform its data laws, Oliver Dowden CBE (currently serving as Secretary of State for my old employer the Dept. of Digital, Culture, Media, and Sport) stated, “It means reforming our own data laws so that they’re based on common sense, not box-ticking”, and that the UK will aim to reduce “unnecessary barriers and burdens” to sharing data with non-EU countries, including the United States and South Korea. As a part of its digital renovation, the UK has further confirmed plans to boost the legal status of digital identities - to make them as widely recognized as driver’s licenses and bank statements.

In reply, EU Commission spokesperson for Rule of Law, Christian Wigand, commented that the EU will be closely monitoring any changes in UK data law, adding that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”

The UK government has further made it known that it is conducting a public consultation on its new, post-Brexit, data protection practices. Whether this will mean that England, Scotland, Wales, and Northern Ireland might move away from the UK General Data Protection Regulation is currently unclear, though many other countries appear keen to follow the basic principles of EU GDPR as a framework for data standards in order to facilitate the flow of international business data. Oliver Dowden, on behalf of the UK government, has further announced that their preferred candidate for future Information Commissioner, head of the UK data protection regulator, will be John Edwards, who is currently Privacy Commissioner (OPC) for New Zealand, a country that also holds a working adequacy decision with the EU - possibly implying a wary approach to ongoing adequacy compliance.

There will certainly be a balance to be achieved if the UK wishes to maintain business and consumer trust, on which the growth of their post-Brexit digital economy will depend, and if they also wish to be seen to cater to some of the more flexible and emerging digital markets. For now, things will remain as they are, but it's part of my job to keep a very close eye on developments and I'll report and react accordingly. Watch this space.