Our Opinion. Data: A New Direction

You may be aware that the UK government is currently holding a consultation "Data: A new direction" on the future of data protection law and regulation in the UK.

Here are some of our thoughts.

As the title of the consultation suggests, they would like a new direction, believing that deregulation and moving away from the standards developed over the last few years open an opportunity for organisations to flourish with the removal of red tape and box-ticking.

The consultation highlights are wide-ranging and suggest many areas where changes could be made - from the role of the Information Commissioner's Office, approaches to adequacy (agreements that ensure safeguarded cross-border data transfers), SAR and breach handling, artificial intelligence and much more, including the role of data protection officers within public authorities.

At Data Protection Education (DPE) we will be responding to the consultation, and not favourably. Frankly, if this consultation is implemented in full, we will have the wild west of data processing in the UK, at a time when the rest of the world, including China, Russia, the USA, India and many others, are enhancing the safeguards and regulatory controls in relation to data protection law and the rights of data subjects, mostly to a standard equivalent to the EU GDPR.

Whilst we don't know at the moment what the outcome of the consultation will be, we are concerned about the relaxation of rules that will negatively impact the data rights of individuals under the guise that this purports to remove burdens on organisations. 

For example, allowing a charge for data subject access requests. Whilst this might seem like an opportunity to prevent frivolous requests, it potentially allows a refusal to provide data if the time taken would be above a certain threshold. All this does is reward organisations with poor data protection practices where data access is too difficult - these are the organisations who need to be able to demonstrate increased responsibility in relation to data subject rights, but who could easily say "it would take us too long". It rewards poor data and information management.

Who will then represent the rights of data subjects if the requirement for a data protection officer is watered down or removed? Schools process the data of children, young people and their families. Much of this data is sensitive in nature and includes special category data. Young people, in particular, may not have any understanding of their rights, nor any insight about whether their school is a responsible custodian of their data. 

Data controllers, including schools, must look at the volume and type of data being collected, the risks presented and ensure that we act responsibly in ensuring that there are safeguards and oversight in place - and the data protection officer provides that oversight. We are completely against an approach that places the opportunities of business above the rights of the individual.

Data breaches, rights requests, cyber-attacks, incident management and the need for specialist advice as to what the law and regulations require, especially in a time of change, are not issues that will go away or disappear as a result of the Government's proposals. They are all risks that a data protection officer and Data Protection Education help mitigate against, whether you are a maintained school, academy, multi-academy trust or indeed a business.

Good data protection practices should enhance organisational capability and efficiency, and the DPE model is built around risk management and proportionality. Our framework and platform are constantly developing to help not only document data protection issues, but help manage improvements across these areas along with the new emerging threats.

These threats and the lack of regulation in this area are a real concern. We aren't saying that data protection shouldn't evolve as new opportunities such as artificial intelligence (AI) become more prevalent. But who seriously wants more AI data processing with a lowering of data protection standards and safeguards? Do we really want AI to make decisions for us without the possibility of a human reviewing any of the outcomes? Grading exam results by algorithm instead of teachers didn't work out so well. How would you feel if an algorithm was being used to determine treatment for a loved one's life-threatening illness without a doctor's intervention?

Adapting to the developments of how data is used in this world should not mean a lowering of standards. The DPE framework has been evolving to support more than data protection, as we believe we need to develop constantly, as risks do. That manifests, for example, by incorporating an additional focus on high-risk areas such as data processing risks and enhanced support for information security (tech risks) benchmarking and response. Further, as it is well understood that "people are the biggest risk", we've incorporated tools and methodologies to deal with "people risk" by providing training, behaviour assessment (e.g. phishing simulations), and performance management with our unique Data Protection Competency framework.

Very soon, we'll have an announcement on how these different elements within our framework can work together to the benefit of every organisation. We constantly strive to go above and beyond as a data protection officer, and that means we continually invest in providing products and services delivered by professionals that allow you to manage your data and information security, and people risks, to the highest standards within the existing regulatory framework. Our objective is not to be a burden, but to bring tangible benefits and value to your organisation through good practice.

James England

Data Protection Education Ltd
