
National Data Strategy: Blueprint for a new UK data protection regime?


A GDPR & Data Protection Advisory Note.

Published: 09/11/2020 Last updated: 09/11/2020

Executive Summary

Recently the government published an updated National Data Strategy. Described by the Digital Secretary as a central part of the government’s wider ambition for a thriving, fast-growing digital sector in the U.K., underpinned by public trust, its professed aim is to “drive the collective vision that will support the UK to build a world-leading data economy”.

The strategy sets out the following five priority areas of action:

  1. Unlocking the value of data across the economy
  2. Securing a pro-growth regime
  3. Transforming government’s use of data to drive efficiency and improve public services
  4. Ensuring the security and resilience of the infrastructure on which data relies
  5. Championing the international flow of data

Significantly, the strategy says, “Having left the European Union, we will take advantage of being an independent, sovereign nation to … position ourselves internationally to influence the global approach to data sharing and use”.

This appears to be a strong signal that the government intends to take a different approach, post Brexit, to data protection, especially regarding international data transfers, an area which has become particularly challenging.

However, this approach is likely to adversely affect the continued flow of data between the UK and EU Member States from the end of the Brexit transition period on 31st December 2020.

Introduction

The strategy identifies five priority areas for action (referred to as ‘missions’):

1. Unlocking the value of data across the economy.

The strategy says that data is an incredibly valuable resource for businesses and other organisations, but that there is increasing evidence to suggest its full value is not being realised because vital information is not getting to where it needs to be. Accordingly, this mission will be to set the correct conditions to make data usable, accessible and available across the economy, while protecting people’s data rights and private enterprises’ intellectual property.

2. Securing a pro-growth and trusted data regime

The strategy says it wants a data regime in the UK that is not too burdensome for the average company – one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, as well as one that the public has confidence and trust in. (See below for more about this).

3. Transforming government’s use of data to drive efficiency and improve public services

The strategy says the coronavirus pandemic has shown that there is massive untapped potential in the way government and public services use and share data to help and protect people. The government will undertake an ambitious and radical transformation of its own approach, driving major improvements in the way information is efficiently managed, used and shared across government. Interestingly, the strategy says; “To succeed… we need the right skills and leadership within the public sector to understand and unlock the potential of data”.

4. Ensuring the security and resilience of the infrastructure on which data relies

The strategy says the infrastructure on which data relies is a vital national asset that needs to be protected from security risks and that “the government has a responsibility to ensure that data and its supporting infrastructure is resilient in the face of established, new and emerging risks, protecting the economy as it grows”.

5. Championing the international flow of data

The strategy says that the flow of information across borders fuels global business operations, supply chains and trade, powering growth across the world and “having left the European Union, the UK will champion the benefits that data can deliver. We will promote domestic best practice and work with international partners to ensure data is not inappropriately constrained by national borders and fragmented regulatory regimes so that it can be used to its full potential”. (See below for more about this).

Securing a pro-growth and trusted data regime

The strategy describes the UK as a world leader in technological innovation and robust data protection standards and “We will build on these strengths to maintain a data regime that supports the future objectives of the UK outside of the EU. A pro-growth legal regime must include consideration of both regulation in the wider digital and technology landscape … as well as our data protection laws”.

It goes on; “As with all policy areas, the UK will control its own data protection laws and regulations in line with its interests after the end of the transition period. We want our data protection laws to remain fit for purpose amid rapid technological change. Far from being a barrier to innovation or trade, we know that regulatory certainty and high data protection standards allow businesses and consumers to thrive”.

As if that were not a clear enough message; “… we also need a data regime that is neither unnecessarily complex nor vague. Businesses need certainty to thrive, and the government will work with regulators to prioritise timely, simple and practical guidance”.

Championing the international flow of data

The strategy points out that the ability to exchange data securely across borders is essential – it drives global business, supply chains, trade and development and says the government will “take a holistic approach to enabling global data, through the removal of unjustified barriers, the development of frameworks for the transfer of personal data, and, where appropriate, by helping our international partners to increase data availability in their own countries”.

The government says it will:

  • Build trust in the use of data by creating the regimes, approaches and tools to ensure personal data is appropriately safeguarded as it moves across borders;
  • Facilitate cross-border data flows by working to remove unnecessary barriers to international data flows “including by developing a new UK capability that delivers new and innovative mechanisms for international data transfers”. (It remains to be seen what this means);
  • Drive data standards and interoperability internationally by cooperating with nations to develop shared standards that align with the UK’s national interests and objectives;
  • Seek to reach agreement with trading partners including the EU, US, Japan, Australia and New Zealand to remove “unnecessary barriers to cross border data flows, with specific commitments to prevent the use of unjustified data localisation measures”;
  • Advocate for the importance of global data flows in the World Trade Organisation (WTO), G7, G20 and Organisation for Economic Co-operation and Development (OECD);
  • Establish an independent capability to conduct the UK’s own data adequacy assessments for transfers of personal data from the UK; and
  • Review the transitional arrangements for international data transfers and the use of alternative transfer mechanisms.

Conclusion:

The strategy says there is a lack of clarity about “certain aspects of data protection rules and regulations” which cause particular difficulty for SMEs and that “businesses should not be driven to costly over-compliance or high-risk aversion with respect to data sharing by unnecessary complexity or vagueness in the regulatory environment”.

To tackle this, the government says it will work in partnership with the ICO to clarify aspects of the UK’s existing data regime that “generate confusion or inertia”, including by fast-tracking guidance and the use of co-regulatory tools to lift compliance burdens on businesses.

Although the National Data Strategy is about all data (not just personal data), there can be no doubt that it effectively promises profound changes for the data protection regime in the UK after the Brexit transition period. Of course, whether those promises are (can be) kept we shall have to wait and see. Let’s not get carried away – this is a paper, not a policy, let alone any form of legislation.

Whilst, no doubt, most businesses will welcome a data regime in the UK that is not “too burdensome”, one of the reasons the GDPR was introduced was because many businesses failed to voluntarily use personal data responsibly and securely.

Let’s see what happens with all this.

DISCLAIMER

This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
