UK regulators recently signaled that they would take a more pro-business approach to individual data privacy, and GDPR regulators aren’t happy about it, stating that the adequacy decision granted to the UK will be severed if the UK government’s proposed data protection reforms pose a threat to EU citizens’ privacy. What happens next could change the way data is transferred between the UK and EU, and further complicate data privacy compliance requirements for organizations collecting personal information from citizens in either jurisdiction.
What’s this all about?
At the end of the Brexit transition period, the European Commission granted an “adequacy decision” to the UK, which allowed for the unrestricted transfer of personal data from the EU to the UK, something crucial for many UK businesses. Since then, however, the UK has announced its view that GDPR isn’t the proper approach to data privacy concerns. Instead, it aims to create a series of “data adequacy partnerships” with countries around the world, including the United States, Australia, South Korea, Singapore, Dubai and Colombia, to facilitate trade by minimizing data protection compliance barriers, making it easier for businesses to transfer personal data outside the UK. The EU nevertheless remains the UK’s most important trading partner, and any restrictions on data transfer between the jurisdictions could cause significant disruption to UK organizations.
Why is the UK taking this position?
The UK’s position is that “Data has become a driving force of the modern economy, at the forefront of technological and scientific progress, driving scientific discovery and new goods and services. The UK direct data market – consisting of value added from the generation, storage, processing and analysis of digitized data – has been estimated to be worth over £15 billion annually.” Given the size of this market, the UK should want to achieve “a pro-growth and trusted regulatory regime for data protection.”
What could change if the UK moves forward?
Some of the suggested measures set out in the consultation document include:
- Removing the requirement to appoint a dedicated Data Protection Officer.
- Removing the requirement to undertake data protection impact assessments.
- Changing the data breach reporting requirement to apply only when there is a “material risk” to individuals, instead of a “risk”, as is now the case.
- Allowing charges for data subject access requests.
What are the key takeaways?
If the UK moves forward, the EU may consider data transfers to the UK to be high-risk, and subject them to restrictions and requirements as conceived in last year’s Schrems II decision. How multinational businesses respond is an open question. In any case, organizations must continue to adapt to an ever-evolving landscape, which requires a flexible approach to maintain compliance across jurisdictions.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.