Brexit dividend? 'Newly independent' UK will be world's 'data hub', claims digital minister
Amid inevitable talk of 'red tape' cutting at ruling party conference, data protection experts are concerned
Updated Britain's digital minister says the General Data Protection Regulation (GDPR) is "limiting the potential of our businesses," and is vowing to cut data protection "red tape," for the "newly independent nation free of EU bureaucracy."
The recently appointed Michelle Donelan said the UK planned to "seize this post-Brexit opportunity fully, and unleash the full growth potential of British business," claiming: "We can be the bridge across the Atlantic and operate as the world's data hub."
It's a clear statement of intent about the direction of data protection policy with new political leadership in government, although the country's proposed replacement for the EU's GDPR – the Data Protection and Digital Information Bill (DPDIB) – is still progressing through Parliament.
The bill is being looked at by lawmakers, but UK tech companies are going to have to do legwork whichever changes are made, despite protestations by the government that the tweaks will amount to a simplification or removal of laws.
As for what it means for multinationals, things get trickier for them too. Those with a presence in the UK and Europe who perhaps deal with the territories using a single policy, as they were covered by a similar approach, will have to make some changes when the UK goes it alone.
Replacing the GDPR with national legislation has been trailed by the Conservative Party since before the so-called TIGRR report set out by pro-Brexit MPs last year. This was a kind of post-Brexit wish-list that included killing off metric measures in favor of imperial, because that went so well for NASA. The parts of it that alluded to the new data protection bill spoke of an "overemphasis on consent," which it said "led to people being bombarded with complex consent requests."
It's also important, however, that the law achieves data adequacy, something the ruling party appears to believe is within reach, citing the examples of Japan, South Korea, Canada, and New Zealand.
Tech pros warn EU 'data adequacy' at risk if Brexit Britain goes its own wayREAD MORE
Adequacy means a state's legislation is considered compliant with the EU data protection text, meaning organizations in those countries can still trade with the EU and handle EU citizens' data.
DPDIB and your rights
There are also concerns around the watering down of data subjects' rights, with some critics of the new bill saying it relaxes the definition of "consent" in the context of scientific research (clause 3).
Legal eagle Chris Pounder at HawkTalk Training, for example, believes this might encourage unethical research. He says a proposed change in the DPDIB where people's data is collected for research, archives and statistics (RAS) purposes is likely to lead to a decrease of subject consent in "importance as the legitimate interests lawful basis becomes more attractive for private sector RAS."
Netskope's EMEA CISO, Neil Thacker, spoke of a coming burden for data processors: "Having to process data differently for any region adds to the costs of businesses, so for any organization working internationally, adding yet another international regulation will bring cost and further resource burden.
"In addition, gaining adequacy confirmation with the GDPR is a process that takes time, which risks causing yet more uncertainty for British businesses and those looking to trade with the UK.
"Lawyers will get work from this, infosecurity and data professionals will get headaches from this, and data subjects can only be more confused." ®
Updated to add on 7 October:
We've confirmed that the bill has been placed on hold to give the new ministers time to look at the legislation.