The UK’s Data Protection and Digital Information Bill marks its first meaningful departure from the EU’s General Data Protection Regulation (GDPR) since Brexit. For better or worse, GDPR has become the de facto standard for data privacy for organisations, leading to major governance and IT infrastructure transformations, including the rapid expansion of compliance departments.
Despite this, you would be forgiven for thinking that the UK’s modest proposals – including some exemptions for scientific research, public sector analysis and relief for SMEs – would not be all that controversial. Critics have already started expressing their concerns that the level of protection that it provides may be compromised in favour of convenience.
Playing with fire
As companies prepared for the impact of Brexit, fundamental questions had to be answered on what Britain’s legislative framework would look like outside the EU. But, alongside the treatment of goods, it was the UK’s ability to remain within the GDPR framework that topped most companies’ risk registers.
GDPR equivalence – granted to the UK at the eleventh hour of the Brexit negotiations – provides enormous benefits to British businesses. Without it, the levels of red tape and cost would dwarf the challenges that are often reported about the Northern Ireland protocol. And unlike businesses in countries like the US, UK businesses have no experience of working outside the convenient comfort zone of derogations and exemptions.
The EU reviews the UK’s data equivalence every year and is unlikely to be impressed by new rules that dilute precepts of GDPR to give UK businesses an edge over their European counterparts. Despite Ministerial assurances of the EU’s willingness to accept any divergence, any loss of equivalence could cost the UK economy as much as £1.5 billion over five years – with disruption to business models and IT infrastructure likely to exceed this figure many times over.
Source of the tension
Put simply, every Government is trying to find an impossible balance between protecting the privacy of its citizens and unlocking the immense value of personal data to its economy. And with good reason – in 2021, data breaches jumped by 68%, reaching their highest ever total, and almost 2,000 breaches were reported in the first half of 2022 alone.
To make matters worse, fraudsters often know who is most susceptible to data theft – exploiting the trusting nature or desperation of our society’s most vulnerable.
In this context, the emotive desire to crack down hard on data privacy is understandable. The sad fact, though, is that such crackdowns also hit the most vulnerable hardest. For example, the sharing of data to understand and potentially cure diseases is becoming an increasingly successful route to medical breakthroughs (including understanding and vaccinating against COVID-19).
And as the job of identifying and tackling inequality within our societies gets harder, data provides policy makers with the only route to target support for the geographic regions or demographics most in need.
No need for compromise
In the face of today’s economic, social and environmental challenges, there has yet to be a way to unlock the power of data while adequately protecting privacy.
So why bother to balance them at all?
This is a question that technologists who work with Privacy Enhancing Technologies (PET) have been asking for at least the last two years.
PET permits the sharing of information about individuals without having to share their individual personal records. The technology works to ensure that strict privacy regulations are enforced without reducing the usefulness of the data, eliminating the need for harsher laws and fines on those who abuse data privacy.
In short, PETs can help to aggregate data to draw conclusions about groups, demographics or customers that can provide invaluable insight while guaranteeing that raw data remains secure and available only to those with the right to view it. The level of protection provided goes so deep into IT infrastructure that a computer’s processor is verifying and guaranteeing privacy at the hardware level.
Such technology is already helping you log into your iPhone securely, as well as underpinning data transfers in sensitive financial and Government settings where data protection is paramount. Supporting organisations to harness this technology can unlock the true potential of data analytics while preserving privacy and fighting back against scammers.
There is still ongoing speculation around the Data Reform Bill and so businesses will have to wait for its implementation to confirm which practices they will need to execute, particularly if they also do business in the EU. Many may opt to stick to the EU’s GDPR rules simply for ease and clarification.
Perhaps, instead of introducing an entirely new regime, the UK Government should explore the use of PET to enable organisations to share and analyse personal data in a privacy-preserving manner, to create opportunities and unlock the power of data using innovative and trustworthy applications. It’s possible that PET could provide the true post-Brexit edge they are looking for.