Data protection, Brexit and the National Data Strategy
The Information Commissioner, Elizabeth Denham says data protection has an important role to play as businesses continue to innovate new products and solutions.
With all the challenges 2020 presented, we saw the growing use of data for research and public information purposes and for product and service developments as a response to the Coronavirus pandemic. And this is set to continue into 2021.
The Commissioner’s comments come in her response to the UK’s National Data Strategy framework which was open for consultation until 9th December.
The NDS seeks to harness the opportunities and address the challenges presented by the rapid development in data driven technologies. The strategy is built upon four pillars of effective use: foundations, skills, availability and responsibility.
It would be fair to say the strategy has not met with universal acclaim, and arguably Ms Denham’s response is somewhat diplomatic.
While welcoming the strategy, and supporting the focus on unlocking the power of data to support building a world leading digital economy, the Regulator stresses the importance of openness and accountability in decision-making.
Ms Denham commented:
‘The Covid-19 crisis has accelerated the growth of digital and data enabled services, such as online shopping, increased working from home and virtual medical consultations. It has also created a renewed focus on using data to support research and tracking health outcomes.
As we rebuild, high data protection standards will be vital in ensuring the benefits of these advances can be maximised for all citizens.
Data protection is an enabler of innovation and economic growth because it builds public trust that their data will be protected; provides organisations with the confidence to share data to improve the quality and efficiency of public services; and supports the take-up and use of new data-enabled services.’
The ICO is calling for accountability, transparency and trust to be core themes running through the Government’s National Data Strategy. Transparency to enable customers & citizens to trust how organisations’ use their data and proper accountability. The Regulator also stressed the need for privacy by design and the role of certification and codes for the use of AI & machine learning.
The ICO encourages businesses large and small to adopt a risk-based approach to ensure the actions they take to protect personal data are flexible and proportionate.
There are tools you can use to assist your business with this risk-based approach. One would be the ICO’s Accountability Framework.
Another useful tool, when embarking on a new project or use for personal data, is to conduct a Data Protection Impact Assessment (DPIA). Conducting a DPIA can help a business to identify any data protection risks of a new project, so you can find practical ways to minimise those risks.
DPIAs should be a flexible and scalable tool that you can apply successfully to a wide range of projects.
The ICO reminds us that, from 1st January 2021, the UK will have an independent data protection regime. The ICO will continue to provide expert regulatory advice to Government on how the data protection framework works in practice, and its role in protecting individuals’ information rights and enabling data use.
Some see the National Data Strategy as a clear attempt by the UK to break away and show independence from Europe in a post-Brexit world. And depending on your viewpoint this is seen as a good or a bad thing. But how far the UK will, in practice, differ from its European counterparts when it comes to data protection law remains to be seen.
Crucially, if the UK wishes to continue to benefit from the free data flows from the European Economic Area, it will need to be able to demonstrate an equivalent commitment to data protection to secure an ‘adequacy decision’ from the European Commission.
The eleventh-hour Trade Agreement, has led to more optimism that an adequacy decision is now more likely, but it is not a done deal yet.
Simon Blanchard, January 2021
Data protection team overstretched? Find out how we can support you with our Privacy Manager Service.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.