How can business prepare for changes in data legislation?
Expert panel at last week's Cybersecurity Festival discusses the data legislation landscape and consider how business can prepare for change.
The GDPR that industry spent so much time readying itself for several years ago no longer applies in the UK. Currently, businesses which operate inside the UK have to comply with the Data Protection Act 2018, and the provisions of the EU GDPR are now incorporated directly into UK law as the UK GDPR. Of course, if you want to do business in the EU you still have to comply with the EU GDPR anyway. The present government wants to replace the GDPR with a new Data Reform Bill, but that was put on hold in October (as was the increasingly unwieldy and unpopular Online Safety Bill, the status of which remains on hold,) while the government looks again at both bills.
What should business expect from data legislation in the years ahead and how can it prepare? This was a question that a panel at the recent Computing Cybersecurity Festival attempted to answer.
Georgina Kon, Privacy, Technology and Sourcing Partner at law firm Linklaters, said that the Data Reform Bill isn't likely to diverge meaningfully from GDPR mandates.
"In the last draft we saw it seems that the core structures of GDPR will be maintained, but there are some areas where we may be more regulated such as by giving the Information Commissioner's Office (ICO) more powers to insist on external audits for example."
Mariano delli Santi, Legal Policy Officer at Open Rights Group, had some serious concerns about the process for amending this legislation, further down the line.
"The draft last presented does not clarify the meaning of the GDPR. The government wants to establish delegated legislative powers so they can clarify it later."
The powers the government wishes to use are known as Henry VIII Powers, and as delli Santi pointed out, these powers are exercised by the executive without any need for primary legislation or the scrutiny of Parliament.
"The human rights implication is that the government can just disregard the law when it wants to. The impact on business is that the law will change a lot and the law will be contested a lot, so there will be challenges, judicial reviews, etc. Businesses will need good lawyers to explain it all. It will also mean that regulation is likely to be incoherent. It is likely to change regularly because it will simply reflect the political priorities of the day."
This will inevitably have implications for businesses who want to trade in and with the EU.
"Some of the changes are outright incompatible with ECHR, which means that businesses are going to have to spend a lot of money on contract revisions, legal fees etc. It will be easier for international businesses to find partners in EU countries rather than continue to deal with UK businesses."
Danielle Sudai, Security Operation Lead at Deliveroo, pointed out that businesses with an international presence such as Deliveroo already dealt with different sets of regulations across different legal jurisdictions. Kon agreed, emphasising that in Asia, data laws tend to be very consent based whereas in the EU they are more anti-consent based.
Changing role of the Data Protection Officer
The role of the Data Protection Office (DPO) is also likely to change, as rules for smaller organisations in particular are loosened as the government tries to create some advantages of Brexit for smaller business which economic data suggests are somewhat thin on the ground right now.
The panel all expressed concerns about how DPOs will potentially be replaced with Senior Responsible Individuals (SRIs) who will have the seniority but not necessarily the in depth knowledge necessary for the role.
Patrick Burgess, Co-Founder & technical Director of MSP Nutborne Ltd. commented:
"Already in the non-enterprise world you often find people are nominated as DPO and they aren't necessarily trained. That person needs to be supported at the highest level or it really is just a box ticking exercise. You have to give people the right powers, responsibilities and training and not get cross when they tell you what you don't want to hear."
None of these issues are necessarily going to be resolved by swapping out SRI's for DPOs, although they are, as Kon pointed out, theoretically harder to fire if they sit at board level.
Both Kon and Sudai emphasised the importance of strong relationships between DPOs/SRIs and technical communities, because decisions about storage and processing are influenced by these communities, often at very high levels, and the law as it currently stands means that CISOs for example cannot be DPOs as well. A separation is mandated.
The panel all acknowledged the influence of politics on data related legislation. Kon commented:
"There has been a great deal of consultation with the Data Reform Bill, and that has indicated that most companies don't want a vastly different regime. They don't want the costs of retooling for a whole new set of regulations, but politically we want to show, post Brexit, that we're doing something different. That's why we're seeing divergence in things that aren't too contentious such as strengthening the ICO."
Kon believed that the role of the ICO would continue to evolve.
"It's in a very strong position as one of the most responsive regulators. That isn't always to businesses benefit of course if they do suffer a data breach. Having said that, the ICO have always taken an approach of regulating via voluntary compliance and it's a pragmatic approach that I hope will remain. I think it's right they get more power but I hope that they balance human rights with pragmatism and way technology works in the new world."