Will changes to UK data protection law reduce commercial costs and boost economic growth? asks SEAN MORRIS
An updated Data Protection and Digital Information Bill has been introduced into Parliament aimed at positioning post-Brexit UK as a desirable base for digital economy businesses. Time will tell whether these changes will impact positively on the economy or save it more than £4 billion over the next 10 years, as stated in the gov.uk press release.
Sceptics respond that in the current economic climate, both in the UK and elsewhere, few businesses are eager to move away from the current GDPR standard because to do so would require them to commit limited resources to overhaul their current data protection compliance which they have invested time and money in implementing.
Also, since the EU GDPR has extraterritorial effect, for many UK and international businesses trading with the EU, it remains commercially advantageous to maintain that standard. Any significant lowering of standards by the UK runs the risk of removal of adequacy status when reviewed by the European Commission in 2025, which would only lead to unwelcome compliance complications impacting on UK-EU trade at an already challenging time for economic growth.
In the last twelve months there has been a range of pro-business initiatives from the UK’s Information Commissioner’s Office (ICO), aimed at boosting current compliance standards. These have focused on issues identified by the regulator’s three-year strategic plan, published in July 2022.
One of its stated aims has been to ‘empower responsible innovation and sustainable economic growth’ and bring down the burden and costs of compliance for UK businesses. Already the ICO has started delivering practical support, providing tools to help manage information risk.
It has made free, off-the-shelf products or templates available online to help organisations develop proportionate internal privacy management. And in October 2022, it launched online guidance and new resources on direct marketing, an area which has often resulted in fines for businesses, including free training modules, checklists for internal use, and online self-assessment tools.
In February, the ICO published new online guidance for organisations designing products, such as apps and online tools, using personal data, and in recent weeks there has been further guidance for businesses seeking clarification on requirements for fairness in AI (Artificial Intelligence).
AI-driven discrimination has been a concern for the ICO and the Equality and Human Rights Commission for some time. Both regulators are actively collaborating to improve awareness of how the UK’s Human Rights Act and Equality Act are relevant to personal data used for automated decision-making in new AI tools, such as those increasingly used for financial screening and recruitment.
Increasingly, the impact of AI is becoming apparent, as is the need for the law and regulation to keep pace with it and other technologies. And so, the ICO has set itself the ambition to safeguard and empower the public, in particular, vulnerable groups.
It has flagged how biometric technologies, such as facial recognition, increasingly drive innovation and the provision of new services across a range of sectors, including finance, entertainment, health, and education. While recognising the potential commercial and consumer benefits, the privacy risks which inevitably arise are plain to see.
Going forward, the ICO’s role involves not only providing resources to support UK businesses which develop products in this sector, but also investigating complaints about how such technologies are being deployed.
In February, it published a statement on the use of Facial Recognition Technology (FRT) in North Ayrshire Council schools, which involved processing the personal data of pupils aged 11 to 18 and which the ICO viewed as operating in a manner likely to infringe data protection law.
Online tracking, where businesses gather personal data online for purposes which can range from advertising to age estimation, is among the issues currently on its enforcement radar. Another issue which has occupied the ICO is the monitoring by employers of staff activities, which has increased since remote working.
All of this feels daunting for business, and the landscape is fast moving even without any of the changes to the underlying data protection law proposed in the Data Protection and Digital Information Bill. Since the EU GDPR regime was introduced, much time and money has been committed by business to ensure compliance, and that will continue to be the case.
It is well known that business seeks certainty from government and regulators so it can create wealth for the wider benefit of the economy and society, and whatever changes to the law are coming down the track will be viewed through that microscope.