The renewed threat of a ‘bonfire’ of EU rules in the UK should not distract businesses from the importance of maintaining compliance with European data protection requirements.
Any organisation that processes personal data will be familiar with the General Data Protection Regulation (GDPR), which regulates how businesses share information such as names, email and home addresses, identification numbers and IP addresses.
The cost of non-compliance with the regulation can be considerable. In 2021 the EU and UK levied fines worth a total of almost €1.1bn.
According to Bruce Penson, Managing Director of cyber security and IT support company Pro Drive IT, companies that were satisfied with their compliance with GDPR when it came into effect in 2018 could fall foul of the regulation as the UK diverges from the EU.
The Data Protection Act (DPA) 2018 incorporated the EU GDPR and was passed before Brexit legislation came into effect. Because the DPA 2018 was drafted to be read alongside the EU GDPR, it has since been amended to reflect post-Brexit changes to domestic data privacy law.
“The fundamental principles, rights and obligations associated with GDPR haven’t changed,” says Penson. “However, some differences between the UK and EU GDPR have already impacted businesses – or are likely to soon. For example, the government’s 2021 data strategy consultation suggested changes to data protection recommendations.”
In the EU, the Privacy and Electronic Communications Regulations (PECR) directive was due to be replaced by the ePrivacy Regulation (ePR) in 2018 to clarify how website operators should handle the use of cookies and complement GDPR. However, the implementation of this regulation has been delayed and isn’t expected to come into force before 2023.
Penson says it is not yet known whether the UK will fully implement the ePR’s requirements. Both the contenders to replace Boris Johnson as Prime Minister have said they will review all EU regulations before the end of this parliament.
One of the concerns for UK businesses that exchange data with counterparts in the EU is that if the UK diverges too far from the ePR, the European Commission could review the adequacy framework permitting free transfer of personal data between the EU and the UK. The current adequacy agreement is due to be reviewed every four years with the next review scheduled for 2025.
Sam De Silva, Chair of the law specialist group at the BCS (the chartered institute for IT) and a technology and data partner at international law firm CMS, says the contents of the Queen’s Speech in May were in line with the principles outlined in the government’s consultation paper on reforms to the UK data protection regime – ‘Data: A New Direction’.
“However, the devil will be in the detail,” he says. “If that detail reveals that the web cookie consent banners are to be removed, for example, whilst that appears radical, organisations would still be required to comply with the UK GDPR principles on lawfulness, fairness and transparency when using cookies or similar technologies.”
In a speech to delegates at an International Association of Privacy Professionals (IAPP) event in May, UK Information Commissioner John Edwards said the Department for Digital, Culture, Media and Sport (DCMS) had committed to maintaining high standards of protection.
He added that based on conversations with DCMS officials, he was confident the proposals wouldn’t erode privacy in the way that was first feared or jeopardise the UK’s adequacy agreement with the EU.
But De Silva still has concerns. “Of course, any material deviation the UK adopts in relation to data protection does risk its adequacy status, so I hope there will be a detailed and objective analysis undertaken to assess whether the benefits from the UK’s data reform outweigh the risks of not continuing to have adequacy status,” he concludes.