The opportunities and challenges posed by potential changes to the UK’s data protection regime were discussed by experts during the Westminster eforum conference, which looked at ways to improve the use of data across the UK economy.
The discussion was conducted in the context of the UK government’s recent public consultation on the UK’s data protection regime, which ended in November. This primarily focused on potential changes to UK GDPR following the UK’s departure from the EU in order to help better facilitate the flow of data.
Starting the session, Dr Mahlet Zimeta, head of public policy at the Open Data Institute, said there are “false assumptions and binaries about how we think about the regulation of data sharing and data protection.” One of these is data protection versus data governance. Zimeta noted that data protection is actually a subset of data governance, which is about much more than security. This includes ensuring the use of data is utilized to its full potential for maximal societal value. Therefore, any legislative changes to legislation need to reflect these different ways of governing data.
Another is data literacy versus data protection. She added that to fully maximize the potential of data, more data literacy skills are needed across society. This includes “thinking critically about the context [in which] data is used,” which can help mitigate bias in datasets and gaps in data collection. Zimeta noted: “if you bring in data reforms or change how organizations are expected to work with data, you’re not going to get the full impact of those reforms if you can’t take the public with you.”
The next presentation came from Jon Bartley, head, Data Advisory Group, RPC; and chair, City of London Law Society's Data Law Committee. He broadly welcomed the UK government’s proposed changes to the GDPR rules, noting that there is room for improvement regarding reducing compliance burdens and unlocking innovation.
Currently, he believes there is “a degree of inflexibility and prescription around the current regime,” leading to a tick-box culture among organizations. Therefore, Bartley would like to see an outcomes-focused, risk-based approach to data protection.
Nevertheless, while changes in many areas are welcome, the UK must be careful not to diverge too far from the GDPR and risk jeopardizing its adequacy status from the EU, which it was awarded earlier this year. “It is critical for UK businesses that we retain that adequacy decision,” commented Bartley. He also noted that many UK companies are subject to both UK GDPR and EU GDPR; for example, if they are a UK-based business that actively targets EU consumers. These businesses are likely to want to stick to one type of regulatory regime, and it is important they are not penalized for doing so, he added.
“It is critical for UK businesses that we retain that adequacy decision"Jon Bartley, Data Advisory Group, RPC
Bartley also addressed the UK government’s stated ambition to strike adequacy arrangements with a number of new countries, including India, Brazil, the US and Australia, to help facilitate the flow of data across borders. He said this approach can have significant benefits, “but again, we have to be careful about how we approach this so as not to jeopardize the adequacy decision we’ve had from the EU, which is very important to UK businesses.”
Daniel Wilson, policy and public affairs director, innovation and trade at BT, then offered the telecom provider’s views on the proposed changes to the UK’s data protection regime. He emphasized that “the critical thing for us is safeguarding our customer’s data.” However, facilitating the easy flow of data is also critical to drive innovation and improve decision-making.
Wilson confirmed that BT broadly welcomed the UK government’s proposals for reform. Like Bartley, he believes it is important that the changes do not detract from the original structure of the GDPR and the rights that it confers, but instead allow more flexibility in the rules. For example, to better enable “data-driven innovation and AI innovation.” Additionally, Wilson believes it is important there is more simplicity in cross-border data transfers that allow more SME businesses to operate by international data standards.
However, he noted that “regulation can only get you so far” and stressed the importance of developing greater data literacy among the broader population alongside any legislative changes. He cited research showing that that the majority of people are “anxious about how their personal data is used and don’t feel in control of how it is used.” As the data economy grows, the UK also needs more skilled data professionals with a knowledge of using data both innovatively and ethically.
The final speaker in the session was David Frank, government affairs manager at Microsoft. He began by highlighting Microsoft’s mission to empower people to achieve more, and “we believe data is key to that and should be leveraged to help address some of the most urgent problems that impact society.” This desire must be balanced with ensuring individual privacy is safeguarded.
As stated by other speakers in the session, Frank said addressing the data skills gap is key to reaching this balance. “How do you answer the question about building trust if there isn’t a general level of knowledge?” he asked.
In regard to rules governing this space, Frank said it is firstly important to recognize there are many different types of data. Microsoft categorizes these as personal data, machine-generated data, data from smart devices and data that organizations generate from running themselves.
Going forward, particularly with the growth of AI and machine learning, “it is clear that data will continue to be an ever more critical component of our daily lives, and we should continue to recognize how data should be used to support and drive responsible innovation.” As part of this, regulation should aim to build trust in how organizations are using data, as well as what they are not using it for. “We can have great regimes, but if there isn’t trust or understanding in them, it will be a problem,” commented Frank.
He also stated that Microsoft supports the free flow of data across borders, which “is a priority for thousands of our customers.” Therefore, Frank welcomes the UK government's proposed risk-based approach to data adequacy in third countries. As long as there is confidence that privacy rights are respected regardless of location, “this will go a long way to helping the UK deliver on its ambition to be a science and technology superpower.”
Finally, he outlined the importance of the UK retaining a strong and independent data regulator, as that “encourages confidence, builds trust and leads to innovations like the regulatory sandbox.”