When it comes to data privacy, today’s top headlines are usually related to some kind of data breach or misuse of data. Whilst these are significant issues, an even bigger concern is the way companies handle consumer data. This is what the General Data Protection Regulation (GDPR) was brought in to address, but it was just the first stepping stone towards better data regulation across the board. More recently, GDPR has come under fire for overly complicated processes and not delivering the transparency required.
In June 2021, the UK government published its TIGRR report (Taskforce on Innovation, Growth and Regulatory Reform), which was commissioned to explore post-Brexit opportunities, including the way data privacy is handled. The report calls for individuals to have greater rights and powers over their own data and offers a glimpse of possible data regulation in the future. So, what happens next?
The urgent need for data privacy reform…
The basic premise of the TIGRR report – cutting through red tape, to enable innovation – is certainly appealing overall. But as it stands today, data privacy needs more regulation – not less. Britain has an incredible opportunity to shape the future of data regulation.
One of the key themes within the report is a UK Framework of Citizen Data Rights, which is essentially a good idea if implemented with a focus on all stakeholders, especially individuals. But the report fails to provide detail of what such a framework would look like, or of the steps needed to deliver it.
The report also states the importance of looking after the rights of citizens and consumers. But it then does an ‘about turn’ and says consumer data should be used to ‘attract top start-ups and leaders in tech’. The reformation of data privacy rights does not align with the selling/giving out of data for commercial gain – it’s the complete opposite of any data privacy law. In fact, any new data regulation needs to urgently address how organisations handle consumer data.
Additionally, there are no timescales outlined, so there is no motivation for implementation of new regulation. It outlines that GDPR in its current form is out of date, yet it suggests using common law – which is even further out of date.
GDPR+ and the move towards a Data Privacy law
Since the implementation of GDPR, there has been a surge in recruitment for roles like ‘head of data governance and privacy’. It’s time to seize this momentum and move to the next milestone – let’s call it GDPR+.
GDPR+ needs to answer the question of how we protect and use data within the country and cross-border. Ideally, we need a Data Privacy Act and a cross-party overseer of the whole process whose remit spans all government departments – a kind of ‘data privacy czar’. Ideally this would be an individual with a strong background in data.
The question that needs to be answered is how do we ensure businesses align their practices with any new regulation and handle data responsibly rather than selling it for their own gain? Data fiduciaries could be part of the solution; third-party organisations who are given the legal right to handle private data. But it needs to be a non-political government-funded third party. It’s most likely that the government would outsource any enforcement, but it’s pertinent to ask whether a private company would have the best interests of individual citizens.
A Data Privacy Law would protect the individual
A Data Privacy Law would offer huge benefits to individual consumers, but also to business. It’s becoming more and more of a badge of honour for companies to step up and be transparent with consumers about how their data is handled – generating consumer trust, which ultimately has an impact on brand value and on the bottom line.
A Data Privacy Law should be in force to protect the consumers – especially the most vulnerable. And although it may be a challenging ‘ask’, I believe it’s crucial for any data privacy law to forbid data profiling of under 18s. We now have an opportunity to draw a line in the sand and say, this is what data privacy needs to deliver and this is how it will be done.
At present, tech platforms have algorithms designed to keep users looking at their apps for as long as possible. They do this by feeding the original thought. For example, a teenage girl could be looking at “ways to lose weight” or a teenage boy looking at “how to put on muscle” and within a few short clicks be getting content around bulimia, laxatives, steroid use, or worse. Or it could be something as simple as an email that has the subject of “look what your friends are doing”, implying that they are being left out or missing out on something. People under the age of 18 shouldn’t be targeted in this way. We wouldn’t let it happen outside of the internet, so why do we let it happen on the internet?
Focus on future generations
Data rights and privileges are being eroded more rapidly than people even imagine, and it’s time to get regulation in place. There are huge challenges facing our society and we need the government to focus on how to create the digital infrastructure that will enable the country to flourish in 10 years’ time. The Bank of England, for example, is talking about the largest change to currency ever known. But nobody in the government is talking about how that data is going to be stored, or what it will/won’t be used for by them. Getting more robust data privacy regulation in place will enable the UK to lead the way in this area and help to develop the future focus that we need to thrive as an independent nation.