The UK government has unveiled the details behind its plan to replace the GDPR with more flexible and less stringent data protection laws. There are several interesting points to this change in legislation – good and bad – both from a business point of view and from the perspective of security.
Additional agility in business process, and a reduction in administrative overhead are both clear advantages, and the contrast of a more relaxed handling of personal data vs GDPR is a deliberate post-Brexit move to attract tech, retail, and other relevant businesses to the UK. There is certainly truth in the claim that the current GDPR regulations have a disproportionate impact on small businesses, which should see a positive change here.
The key will be maintaining sufficient data handling security to allow the current unfettered data flow between the UK and the EU. Should this be seen to be inadequate, a throttling of data would conversely be bad for UK businesses. In my opinion, negotiation would bring us to a position relatively close to the EU, if only primarily in data handling fundamentals themselves as opposed to how a business is charged with recognising these demands.
In terms of data security, on the surface a relaxing of data handling for these purposes appears a generally good thing, although it opens the potential for “hiding” the intention of data processing behind wide-ranging “scientific research” purposes. Under current GDPR regulations, once consent is granted, a change in the purpose of data processing requires re-consent. With the comments around “not asking every time”, there will clearly be gaps where a change in the purpose or scope of data handling perhaps need not be communicated to the PII owner.
Personally, I’d like to see the scope of consideration for PII remain robust. As the outcome and spirit of the law seem to feature heavily in the new wording – all to entice businesses to understand that the data handling controls shouldn’t get in the way of commerce – I’d equally like to see the impact of a breach treated in the same way. Effort and work done by a business to handle data properly must be reflected, in fines for example. The issue here, of course, is that “judgement” by an individual will play a larger part, as opposed to defined rules.