Matthew Hancock MP, the Minister of State for Digital and Culture, reaffirmed the UK government’s commitment to a strong framework for data protection and privacy in his keynote speech at Practical Law’s fifth annual Future of Data Protection Forum this week.
The minister confirmed that the UK will be implementing the EU General Data Protection Regulation ((EU) 2016/679) (GDPR), repeating Secretary of State, Karen Bradley MP’s comments on 24 October 2016.
The minister emphasised three key points in his speech:
1. The UK’s strong reputation for data protection and privacy
Mr Hancock expressed his “firm view” that the UK has a rich legacy in data protection and privacy which inspires other countries and has the trust of business and individuals. This will continue in the post-Brexit world. Mr Hancock reminded everyone of the key role the UK has taken in the GDPR’s design and refinement, not least building in the principles of a “risk-based approach” (as opposed to the prescriptive “rules-based approach” favoured by Germany and others), seen as essential to realistic and effective compliance programmes. The UK also argued for devolved discretionary power to the national regulators. The minister feels that UK expertise will be missed when the UK leaves the EU.
Indeed, turning to the Information Commissioner’s Office (ICO), the minister praised its pragmatic approach as educator, consultant and support service to the business community, supporting innovation and resulting, in large part, to industry baking in privacy rather than bolting privacy on. He also expressed confidence in the ICO’s willingness to take proportionate action and, if necessary, act tough, as shown by the recent record £400,000 fine imposed on Talk Talk. There is seemingly little appetite to tinker with a well-functioning and well-understood system.
The UK government, Mr Hancock says, is committed to continuing to create the “best possible” environment for consumer trust and business confidence as we approach the post-Brexit world.
2. The importance of trust in shaping the future
Mr Hancock was keen to draw attention to the approximately half-million tech start-ups which have been attracted to the UK market, underlining, in his view, industry’s confidence in the UK’s consistent rule of law and a practically-minded regulator. The minister noted the work to do, however, on the other side of the trust equation. In a recent ICO survey, only 1 in 4 individuals said they trust organisations with their data. Substantial work must and is being done here.
Mr Hancock emphasised the opportunity not to be missed in unlocking the power of data. He drew an analogy with the breakthrough of the printing press, by Johannes Gutenberg in the 15th Century which transformed European society and its economy into a hotbed of ideas and innovation. A digital revolution of potentially equivalent scale is in progress but, without trust based on sophisticated data handling, consumers will be reluctant to share the data on which this economic engine room is based. Without trust, the economic potential may not be realised and the UK could be left behind. If data is managed well, it can.
3. The vital connection with cyber security
Mr Hancock also highlighted the need to view data protection alongside cyber security. The two are complementary topics requiring joined-up strategy. He pointed to the government’s Cyber Essentials Scheme, a mandatory scheme for government suppliers, which reinforces an integrative approach to cyber and privacy risk management.
“Cyber must be a part of the data protection debate”, said the minister.
It is clear that data protection will remain a key area of focus for in-house counsel and their privacy professional colleagues and there is little sign of the regulatory regime being relaxed post-Brexit. The government recognises that trust is vital and draws a clear connection with cyber security. It’s certainly time to ramp up compliance efforts in these areas. To this end, keep an eye out in the coming weeks and months for further ICO guidance on the GDPR, discussed below.
Upcoming ICO guidance and priority topics
Jonathan Bamford, Head of Strategic Liaison at the ICO also spoke at the event. Mr Bamford indicated that a new version of ICO guidance on Big Data is due to be published by Christmas this year. Guidance on consent, profiling, contracts and liabilities, and children and privacy is also in the pipeline. The ICO will be undertaking further work on mergers and acquisitions and on personal data as an asset, particularly in light of its investigation of data sharing between Facebook and WhatsApp (see Legal update, Facebook agrees to pause using data from UK WhatsApp users). Certification, risk, penalties and the review of e-Privacy legislation will also be priority topics for the ICO in 2017.