When the UK left the European Union in January 2021, many businesses wondered whether the EU’s General Data Protection Regulation (GDPR) would still apply post-Brexit.
The answer is both ‘yes’ and ‘no.’ Although the EU’s GDPR no longer applies to the UK, the Government retained its structure to create an almost identical UK GDPR. This was done through the UK-EU Withdrawal Agreement.
The differences between the UK and EU versions are mainly technicalities relating to UK law and the enforcement of the legislation in the UK, which remains entrusted to the Information Commissioner’s Office (ICO). In practice, these differences should not change businesses’ approach to GDPR or marketing activities, but it is wise for legal teams to familiarize themselves with the changes. Regarding transfers of data, on June 28, 2021, the EU announced that an adequacy decision for the UK had been approved. This means the UK has robust data protection laws, ensuring data from the EU can be safely transferred to the UK.
While the free flow of data across the EU and the UK has multiple benefits, including enhanced cooperation and trade, it is not perpetual. The decision is time-limited to four years, meaning the UK will have to continue to closely match EU data legislation to retain its ‘adequate’ status in 2025. The UK will need to be cautious and strategic about making changes to key regulations such as UK GDPR after Brexit, as any abrupt changes can jeopardize the UK’s adequacy decision renewal.
On the Horizon
The arrangement between the UK and the EU means that whenever the EU introduces new legislation relating to data and the digital industries, the UK Government will come under serious pressure to introduce similar measures. What is more, there are a couple of major pieces of EU legislation on the horizon that UK businesses should be aware of.
The first is the EU Digital Services Act, which will impact how companies supply and use data services across the EU. Based on the content of the draft regulation, the new law will set out specific responsibilities and accountabilities for everyone in the digital advertising ecosystem, from giants like Google and Facebook down to small agencies and brands.
The EU has also turned its attention to the governance of AI, with a draft regulation currently under consideration by the European Commission. This looks at the use of AI to generate content and predictions for users, including targeting specific audiences. If the EU adopts either of the two drafts mentioned, the UK will come under pressure to adopt something similar.
Staying Ahead of the Law
So how can UK businesses best prepare for incoming EU legislation relating to data (and its knock-on effect on UK law)?
The first step is to conduct regular internal assessments of the organization’s own data-related practices. Organizations should know what types of data they need to conduct business activities, how and where they are storing it, and how they are sharing it. That initial knowledge will give an overall perspective on how any incoming or proposed legislation might impact activities.
From there, businesses should go a step further and establish their own privacy framework. This is a formalized process and program to ensure your company keeps up to date with market changes and relevant data regulations and is proactive about implementing internal changes. A robust privacy framework normally entails creating privacy and information security policies, training, audits and frequent tests for gaps or vulnerabilities. Some organizations will go further by creating competitive roles specific to information and privacy, like chief information officers or chief privacy officers.
In addition, businesses need the right partners to provide support with incoming changes. Updates in regulation can affect multiple areas of a business. A partner who is aware of the impact of privacy changes on their service offering and provides solid support in this area will be a key ally for any business.
Businesses should embrace the incoming changes, react to them positively, be completely transparent about how they plan to collect, store and use data, and communicate their approach to their key audiences. The level of trust that consumers have in a brand will be crucial as we move beyond the use of third-party cookies.
The real trick to handling changes to EU and UK data regulations is to keep up to date with them and amend operations accordingly. In this case, the nature of the UK’s Withdrawal Agreement means data laws in the two blocs are likely to be closely aligned for years to come. However, businesses should stay ahead of EU and UK legislation changes and fully commit to a privacy-first approach to data.