GDPR had a huge impact when it was introduced back in 2018. But with Brexit done and the UK’s new Information Commissioner promising a “shake-up”, are we at the start of a new chapter in the GDPR saga?
For the past three years, GDPR has governed how companies access and use personal information. The law brought sweeping changes to data and privacy, with many businesses struggling to adapt to the new rules – and others falling foul of its steep penalties.
Now, things look set to change yet again, as the UK government gears up to tweak its post-Brexit data protection laws. The question is, what’s changing? And what does it mean for your data?
Here, we’ll take a closer look at the future of GDPR, outlining the prospective policy changes and how they might affect businesses and individuals alike.
Why is GDPR changing?
Since it was introduced, GDPR has rarely been out of the press. And now, as the UK government appoints John Edwards as its new Information Commissioner, the legislation is once again back in the spotlight.
GDPR is an EU law that came into effect during the Brexit transition period. Now that the UK is no longer part of the EU, the British government is seeking to introduce changes that will affect how the legislation works for UK businesses and citizens.
To set such changes in motion, John Edwards, the former Privacy Commissioner for New Zealand, will take the reins as the chief regulator of the ICO (Information Commissioner’s Office). Working closely with Oliver Dowden, the UK’s Digital Secretary, Mr Edwards is promising a “shake-up” of data and privacy policies, with a greater focus on “light touch” regulation.
So, what kind of changes does the UK government have in mind? And how will they affect you?
How are GDPR rules likely to change?
While nothing is set in stone yet, the government and the ICO have hinted at a handful of changes to how data will be regulated in the new post-Brexit era. And some of the proposed policy amendments are surprisingly far-reaching, with a clear mandate towards removing bureaucracy and red tape from data protection and enforcement.
Some of the proposed changes to the UK’s post-Brexit data protection laws include:
Removing cookie pop-ups
One of the most notable changes the new Information Commissioner has put forward is the removal of cookie pop-ups from web pages. Described as “pointless” and “endless” by Oliver Dowden, these alerts have been a constant presence since the arrival of GDPR, and are used as a means of asking a user’s permission to store their personal information.
Though it’s not yet clear what – if anything – will replace cookie pop-ups, the move could prove popular. Many businesses view cookie pop-ups as a major barrier to online sales performance, with users often deterred from continuing with a transaction when presented with a privacy notification.
Good news for businesses and users alike, then? Not everyone is convinced by the proposed law changes, with critics quick to point out that cookie pop-ups represent one of the foremost points of consent for users.
Like them or not, such notifications do offer some means of controlling your personal information. The government and ICO will need to tread carefully if they’re to strike a balance between protecting rights and removing GDPR-related red tape.
New “data adequacy” partnerships
Another key issue raised thus far by the government and ICO is a bold new direction for the UK’s “data adequacy” partnerships. Confused? Let us explain.
Data adequacy is an agreement between two or more countries that requires that they each share similar data protection policies. It’s a way of protecting a person’s data, even if they’re engaging with a business or organisation that operates in a different country.
Currently, the UK has a data adequacy agreement with the EU, though its content and terms were a sticking point during the Brexit negotiations. As such, it’s likely that the two states will need to work out a new relationship in the future, particularly if the UK plans to move a long way from the EU’s existing GDPR rules.
What’s more, both Oliver Dowden and John Edwards have confirmed that the UK plans to prioritise creating new data adequacy relationships with other countries around the globe, including the United States, South Korea, Singapore, Colombia, and the UAE. Such partnerships will essentially allow people’s data to be used on a more international scale, something the government says will be of benefit to both users and businesses.
As with the removal of cookie pop-ups, there is some scepticism about the security, safety, and ethics behind proposed new international data adequacy partnerships. With the UK no longer confined by EU governance, time will tell how rapidly the government chooses to pursue a more international and open approach to data protection, privacy and sharing.
What do GDPR changes mean for you?
Businesses that struggled for months to adapt to new GDPR rules may feel exasperated that the laws are now seemingly going out the window. With the government and ICO moving towards a more cautious and light-touched approach to data regulation, some of the existing rules and requirements may no longer be necessary in the UK’s post-Brexit, post-GDPR landscape.
The good news is, for businesses at least, a relaxation of data protection regulations ought to be good for business. With fewer boxes to tick, simpler rules to abide by, and no need for those pesky cookie pop-ups, online brands could see an upsurge in sales, conversions, and click-throughs when the government’s proposed law changes come into effect.
For day-to-day users, however, the future may not be so rosy. While many web users will be happy to see the back of cookie pop-ups, there are concerns about the long-term repercussions of relaxed data laws, with new data adequacy partnerships having the potential to erode rights on data governance, personal privacy, consent, and control.
Of course, we can only speculate on what the future holds for GDPR and UK data protection. With John Edwards only recently appointed as the new chief regulator for the ICO, the next few months will give a clearer indication of the UK’s direction as it moves away from the standard GDPR framework. Stay tuned to the CDL blog for all the latest news and updates.
CDL is one of the UK’s leading IT disposal companies, working to help private and public businesses safely retire and recycle their outdated IT assets. To find out how we could help your business, or for more of the latest tech news and advice, visit our homepage or call our team today on 0333 060 2846.