GDPR, CCPA, CCCL, PDPA, DPA, LGPD, POPI - data protection laws worldwide are an alphabet soup of different principles and requirements around a fundamental desire to ensure that personal data remains secure. Regulations are growing and changing all the time: in 2018 only 80 countries had data protection laws, but by 2021 this had increased to 130 countries.
In this discussion around the challenges facing international businesses who want to protect critical data and remain compliant, Senior Sales Engineer Alexandra Willsher and Corporate Counsel and Data Protection Officer Brice Cagle focus on changes in the EU and UK, what this means for US data protection, international data protection challenges, and how politics can impact rule changes.
Thanks for making the time to talk to me, Brice. I wanted to get your perspective particularly around potential shifts in laws and regulations in the UK. In late 2021, the UK Government published a proposal to reform data protection laws in a number of areas, with the intention to help create a more attractive environment for British data businesses to grow. Their goal was to simplify the use of data by researchers and businesses, with an eye on building new international trade deals post-Brexit. What do you think will happen in terms of law?
It’s a very interesting situation to watch. As you know, EU GDPR is a binding regulation, but still allows flexibility for different member states across Europe. This is why you see differences from country to country with national laws which align to GDPR but require different levels of data protection
See our Hogan Lovells whitepaper which details differences in data protection laws worldwide
Immediately post-Brexit, British data protection laws or the UK GDPR aligned with the EU GDPR. The current proposals being considered create deviations between the UK data protection requirements and EU GDPR. The goal of many of these proposed changes are to provide a more flexible and risk-based accountability framework. For example, removing requirements for organisations to designate a data protection officer, and changing the threshold for reporting a data breach: if the risk is ‘not material’, then businesses don’t need to report it to the ICO.
Don’t you think there are risks to removing the data protection officer role? After all, organisations will still need to be compliant with data protection legislation and accountable for compliance.
Ultimately, it benefits the business to ensure it has a single point of contact for data privacy measures. However, there is a benefit to allowing each company more freedom on how to structure their privacy teams based on what works best for its operations and structure – keeping in mind that the organisation remains accountable for its compliance with the relevant regulations. The removal of the DPO requirement seems to reframe the existing obligation, rather than completely removing it, since each organisation would still be required to designate a suitable individual to manage its privacy program.
And how about the changing of the threshold for reporting? It worries me that while the proposal is designed, in my view, to add flexibility and reduce administrative burdens, it must not tip too far away from EU regulation. The EU granted the UK ‘data adequacy’ in June 2021, meaning that data can be transferred from the EU to UK without requiring the use of an additional transfer mechanism (i.e. BCRs or SCCs). But, if the UK moves too far from EU GDPR, the adequacy decision could be reversed which would have significant impact on businesses based in the UK.
Still, it’s clear that these proposals are supporting the UK National Data Strategy, which is committed to championing the international flow of data, and supporting global business operations, supply chains and trade.
Agreed. While the EU has granted data adequacy to the UK, the UK will still need to tread carefully. Regulatory burden is a pendulum: and no one nation should cause the pendulum to swing too far in either direction (complete deregulation vs. heavy regulation) but ensure a sensible, middle-ground balance that appropriately protects the rights of individuals.
The moves by the UK government seem to be removing some of the mousetraps within the data protection maze, which is intended to help long-term. But remember when it comes to data adequacy, the EU has not granted the US data adequacy, as the ECJ recently deemed Privacy Shield insufficient to provide an adequate level of protection for EU residents’ data.
This does have some impact on international data transfers, and in some cases global organizations need to retain data in local data centres, but remember most businesses will need to adhere to the highest data protection standard anyway – which is likely to be GDPR. The same challenge occurs in the US: where national businesses typically apply the most restrictive state regulations to protect personal data at a national level.
When it comes to how Forcepoint protects its own data on customers, prospects and staff, for example, we ensure all data we manage is protected at the highest level required under applicable law.
So, do you think then that these proposed changes will only really benefit smaller or national-only businesses?
It’s an interesting question, but I think really this move by the UK is a step towards the evolution of data protection laws and best practices because it will allow us to gauge whether more flexibility can be offered under current regulatory regimes while ensuring that data is appropriately protected and that data privacy is appropriately respected. Really, data protection is an industry in flux. There is a valid question out there which is are data protection regulations more stringent than they need to be?
Some would argue no: that it was only the threat of large fines (See British Airways) which forced companies to take data protection seriously, but some would say that perhaps some regulations go too far and restrict and stifle businesses from innovating in other areas, as current data protection regimes prevent the free flow of information. Either way, the proposed data regulations and updated approaches show that this is an evolving environment with the balancing of interests being considered.
It’s a fascinating industry to be part of, during all this change. No-one is questioning that protecting personal data is a good thing: but perhaps, over time as more businesses protect data as a matter of course, could the regulations become more flexible? Time will tell! As we know from the US, other data protection regulations are available and allow businesses to still operate effectively while protecting people’s data.
Exactly. Of course there is always the possibility that any changes the UK makes may end up impacting EU GDPR, or the UK’s data adequacy position, but these decisions are likely to be political. Although consumers and businesses may put pressure on systems and enterprises to protect their data, ultimately it’s the politicians in power who influence which direction data regulations go. This goes for both the countries implementing the regulations, as well as the countries on which the regulations are being imposed - for example, the Schrems II decision invalidating Privacy Shield. In any case, it is always in an organisations interest to ensure that it is taking appropriate measures to protect data and ensure an individual’s privacy, particularly if that is the expectation of its customer base.
So what do you think business leaders need to do, in the face of all this change and adaptation to data protection regulations?
Keep informed, for a start! And keep a watching brief on changing regulations, as well as ensuring that their own cross-functional leadership team (technology, security, legal, HR and risk officers) are providing strong guidance and direction on data management and protection – what tools and systems they recommend to keep data safe and business adhering to regulation.
Rapid digitisation and remote/hybrid working has driven a huge raft of changes in how we handle data, and we’re only now beginning to understand what that means.
Indeed, I’ve often found working in security that we suffer from a feeling that overlaying multiple tools will fix all our problems. We need to be aware that without careful planning they can often become less than the sum of their parts – the expected efficacy of stacking them doesn’t add up.
Data protection and management is a huge challenge for multinational enterprises, but I do think that the cybersecurity industry can empower leaders to implement simple systems, and help protect our people and businesses against unnecessary data breaches.
Learn more about international data protection regulations with the Hogan Lovells Whitepaper: Protecting the Workforce and Information in a Global Landscape or read this Geek Guide to Cybersecurity, Compliance and Protecting Critical Data