In the wake of Brexit, the UK has undertaken the challenge of overhauling its data privacy rules, moving away from the European Union’s data protection regulations. This move paves the way for the UK’s ambitious investments in the tech sector, allowing the UK to take back control of its own rules and permissions. For some time, prescriptive stipulations within GDPR have held back organisations – such as AI start-ups – from reaching their full potential. But why is it important, and what are the predictions that come with this move?
UK’s Post GDPR plans
Since its controversial departure from the European Union, the UK has been able to take control of many policies and regulations, data and privacy rules being one of them. The UK can now determine its own GDPR, tailoring it to its specific industries and organisations, allowing for investment in AI, future tech and more.
The UK followed the EU GDPR for three years, but working out how to implement the policies was deemed too complex for businesses, and the regulations were considered too vague. This confusion affected everyone, from tech start-ups to small businesses and charities, who believed they were held back by a regime that refused them permission to use data as effectively as they would have preferred.
So, what are the possible advantages or potential problems that may arise from this shift in data policy?
- In the wake of Brexit, the UK’s freedom to chart its own course could result in the scrapping of cookie popups and consent requests online, according to former Secretary of State for the Department of Digital, Culture, Media, and Sport (DCMS), Oliver Dowden. Any such changes will be constrained by the need to put in place a new regime that the EU may deem adequate; otherwise, data transfers between the UK and EU risk being frozen.
- The move also allows UK GDPR to be tailored for individual businesses with room for flexibility, instead of the previous blanket regulations. This means that depending on the organisation’s size, sector and goals, there will be opportunity for it to determine its own standing.
- The UK must ensure its data rules meet ‘adequacy’ requirements in the EU and globally. Any change in UK GDPR will need to be approved by the EU, with any issues resulting in a possible freeze of data sharing. This could affect you if you are receiving personal data from a country, territory or sector covered by the European Commission adequacy decision. In this instance, the sender of the data will need to consider how to comply with its local laws on international transfers. It is recommended to check local legislation and guidance and seek legal advice if necessary.
- The new rules will also make the safe transfer of data between countries easier, thus aiding and enabling data sharing in the development of research for start-ups, research projects and other organisations alike. This transfer of data will speed up the process of research into crucial sectors such as tech, medicine, and many others.
Of course, all potential outcomes are subject to change as the UK navigates through its new data transfer rules, but the move displays the country’s eagerness to create space for growth and learning in the tech industry. With the recent announcement of the UK’s National AI Strategy detailing its plan to become a leading global AI superpower within the next decade, along with DCMS’s 10 Tech Priorities announced earlier this year, the UK has proven it is eager to invest further in tech and create an environment for tech to grow and flourish.
Data can still be transferred to the European Economic Area (EEA) as usual, and no new arrangements have been made. The UK includes England, Scotland, Wales, and Northern Ireland; it does not include Crown dependencies or UK overseas territories, including Gibraltar. However, the UK will allow transfers to Gibraltar to continue. If transferring personal data outside the EEA, you should have arrangements for making a restricted transfer under the UK GDPR in place. Detail is provided in the international transfers section of the Guide to GDPR.
While the adequacy decisions remain in place, the UK GDPR will apply until at least 27 June 2025. The EU Commission must monitor developments in the UK on an ongoing basis to ensure the UK continues to provide an equivalent level of data protection. The Commission can amend, suspend, or repeal the decisions if issues cannot be resolved. In the absence of EU GDPR adequacy decisions, the Frozen GDPR would apply to personal data if:
- It was processed in the UK under EU GDPR before 01 January 2021; or
- It’s being processed in the UK on the basis of the Withdrawal Agreement (for example, in order to comply with legal obligations under the Withdrawal Agreement).
- The UK, in its desire to be seen as distinct from the EU, will overstep and separate itself too far from EU rules, bringing a formal complaint from the European Commission that its laws are no longer adequate or aligned with the GDPR. Businesses operating in the UK need to be prepared for this potential outcome and should engage with the government to minimize this risk.
- The UK will use trade agreements to include language around data transfers to build up the perception that its approach to data protection is internationally well-regarded. This creates an opportunity for organizations to advise the UK on how best to achieve this outcome.
- Investment into the UK technology sector will continue, attracted by the new data protection rules. While some businesses may prefer the certainty of the EU rules, the flexibility of the UK rules will win out.
- Big Tech will not get an easy ride. The desire to move away from the GDPR does not mean the UK will design a law in favour of big business. The current government is highly interventionist and will ensure that the rules are seen to be enforced, and fines handed out when rules are broken.