5 minute read

Is GDPR going away?

The simple answer is no. With data now being worth more than oil and gold and cyber criminals seeing data theft as an easy way to make money, we will continue to need some sort of regulation governing its use.

GDPR and other data protection regulations affect every type of organisation from small charities to big corporates and it can be difficult wading your way through what is required. Particularly as things seem to keep changing and it has been an interesting time for Data Protection legislation over the last couple of years. With the introduction into UK law of EU GDPR in 2018 and the reconfirming of it at the beginning of last year when it became UK GDPR. Then at the end of last year, Boris’s Government announced it was going to change things again and put together the new Data Reform Bill. This got to the second reading stage in parliament when we got a new Prime Minister and was promptly thrown out…it seems that the uncertainty will continue for a while yet.

Advertisement

On Monday 5th October 2022, the Culture Secretary announced at the Conservative Party Conference that they were “replacing GDPR”. The previous conservative Government had already proposed the Data Protection Bill which detailed a number of changes to the GDPR which had been through the consultation period and was awaiting its second reading in parliament.

This was halted when Truss entered No.10 as part of her commitment to ‘cut through the EU red tape’ which puts any Data Protection reforms back to square one. It may be on their intended list of measures to bring in during this Parliament, but we are likely to be at least 18 months – 2 years from any alternative legislation.

Indeed, if the EU doesn’t agree with the changes, we risk losing our adequacy which bans the free flowing of personal data between the UK and the EU (and vice-versa). Furthermore, if you have any clients, suppliers or employees who are EU nationals, then you will still need to uphold the principles of the GDPR, irrespective of what the UK laws say.

Natalie Cramp, CEO of data science company Profusion, reacted to Government proposals to introduce new legislation to replace GDPR, saying: “The announcement that the Government will pause its reform of GDPR in favour of introducing a new data bill adds more unwelcome uncertainty for UK businesses.

“On a practical level it’s difficult to see how a new bill could be written and passed with adequate consultation ahead of the next General Election. As Labour has a very different take on GDPR, it’s very hard to say what the final outcome will be.

“We could see the Conservatives passing this legislation in 2024, a Labour Government confirming that GDPR will remain, or an entirely different approach which may not be finalised until 2025 or beyond.

“Without any clarity it makes it very difficult for companies, especially in the tech industry, to make concrete plans on how they expand. Creating a large customer base in Europe could prove a costly risk if the UK’s new data regime is significantly at odds with GDPR.

“The EU may revoke the UK’s ‘adequacy’ status which will mean UK businesses that deal with EU citizen’s data will face large costs and compliance hurdles. Similarly, it will make the UK a less attractive location for foreign companies because they will have to deal with legal and operational costs complying with two different data regimes.

“GDPR is not a perfect piece of legislation but it is a huge improvement on what came before. It puts consumers in control of their own data and online privacy and this principle needs to be protected.”

And Data Protection is not just about wading through red tape, with 6 out of 10 businesses being subject to cyber attacks in one form or another it is essential that you look after any data you hold, dealing with a data breach can not only be costly to you in terms of resources and potential fines (up to 4% of your yearly turnover) but it can also lead to a PR nightmare. Good data protection and cyber security practices give you peace of mind and gives your customers greater confidence in your business.

So, for now, it is business as usual as far as Data Protection regulations goes, you still need to comply with UK GDPR. Which means having the right policies and procedures in place including a Privacy Policy, a Record of Processing Activities and registration with the ICO and if you use any software like Mailchimp or Hubspot you will need a Data Processing Addendum. You will also need to ensure that any staff you employ have regular training (at least yearly) on how to handle personal data and embed good practice within the organisation.

This article is from: