Last updated on January 28th, 2022 at 09:20 am
Organisations across the world are increasingly implementing data protection laws as the digitalised world that we live in becomes more data-driven. Since the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, there has been a 62% increase in the number of countries adopting data protection laws in some shape or form.
Managing and protecting rising volumes of data is already fundamental to business compliance and data security. In addition, data protection is closely linked to a company’s reputation; failure to comply with regulations will likely have some negative impact on credibility. So it is an ongoing challenge – and a necessity – for business leaders to keep abreast of the latest regulations.
Changes ahead for the UK’s data laws?
Following Brexit, the UK is now having to assess what its data protection legislation will look like moving forwards. Since leaving the EU, the UK no longer has to adhere to GDPR regulations, yet a balance must be achieved with the EU as a key trading partner. But what does this mean for business leaders?
Being obliged to comply with GDPR standards as a member of the EU provided a degree of clarity and direction in terms of data protection. However, cutting ties with the EU enables the UK to draft its own data protection legislation. Although this will not happen overnight, we could see a growing disparity between the two parties’ data protection legislation as the UK establishes itself as a separate entity over the coming months and years. This interlude between GDPR and a new UK data protection law has created uncertainty; the criteria for compliance have returned to being a grey area for business leaders who require clarification on how their organisations should keep their data protected.
For many, data protection is part of a wider security strategy. Whilst businesses of all sizes and in all sectors should have strong data protection strategies in place to protect the data they store, this is particularly pertinent for the technology industry. These businesses hold huge amounts of data, which must be used responsibly and stored securely. Data protection legislation is, therefore, vital in ensuring businesses achieve this successfully because, even on the most basic level, such laws ensure that those who hold data protect it to a necessary standard.
More sophisticated data protection laws, including GDPR, give individuals the right to be informed about how their data is used and stored. In the current climate of rising phishing attacks – which have grown 22% since last year – even the simplest information, such as names and email addresses, can be misused for fraudulent activities. Such data must be stored securely to avoid it falling into the wrong hands.
The topic of trade will also be an issue for international business leaders or those who buy or sell to the European Union. Fortunately, the UK’s data protection policies were deemed ‘adequate’ by the European Commission in June 2021. This allows organisations to operate and transfer data as they could when the UK was a part of the EU. However, the decision included a sunset clause, meaning that the adequacy status runs out after four years and will have to be renewed. Consequently, if the UK implements a new data protection law within these four years, the Commission will reevaluate and could revoke the free transfer of data.
Stay alert, be ready
Change is on the horizon with the recent appointment of the new Information Commissioner. It is important that businesses prepare for potential changes in the coming months, and there are a number of steps that can help get ready for these.
Firstly, in order to avoid being left behind or shocked by the implementation of new legislation, it is important that organisations regularly monitor for any updates. This is as easy as checking for any legislative changes to strategies, policies, and framework acts, in a variety of areas including automated decision making, facial recognition, and AI. By keeping well-informed on the rumblings of decision-making within the government, organisations will not be caught unaware and will be well-prepared to comply when they need to implement new legislation.
Another step to remain compliant and put your organisation in good stead for the introduction of new laws is simply to ensure that all customer data is up to date. This will remove a step when the time comes to align data with the new regulations. Similarly, although no longer a requirement, having GDPR paperwork up to date and easily accessible will mean your organisation is poised to swiftly adapt.
In his capacity as the new Information Commissioner, John Edwards recently told the Digital, Culture, Media and Sport (DCMS) Committee that, although the United Kingdom is now entitled to go its own way, he would “make data protection easy – easy for industry to implement at low cost, easy for consumers to exercise privacy-friendly choices in their marketplace, and easy for people to access remedies when things go wrong.”
If Edwards succeeds in this, organisations and consumers could hugely benefit. In the meantime, the picture remains far from simple. Anything is possible as the government navigates what a UK data protection law looks like, and how this would tie in effectively with EU trade. Until this is certain, the shrewdest action a business can take is to ensure the data it holds is up to date and secure so that it is well-prepared for change and can minimise hurdles further down the line.
Jakub Lewandowski is a lawyer, global data governance officer, and data privacy and security counsel, currently representing Commvault as its Global Data Governance Officer. He has also previously represented a range of leading technology companies, including Huawei, Microsoft, and Hewlett-Packard. This extensive experience has led Jakub to become an expert in global data protection law, cross-border data transfer strategies and cyber security.