The General Data Protection Regulation (GDPR) epitomises what is best and worst about the EU. On the good side it prioritised protecting the privacy of the individual from criminal invasion and unscrupulous corporate overreach. On the bad side it resulted in an unwieldy, labyrinthine piece of documentation ten times as long as it needed to be, which gave every qualifying organisation a major headache when it had to implement it. Village scout troops and amateur orchestras suddenly found themselves having to jump through nearly the same regulatory hoops as Facebook, Barclays Bank and the NHS, seeking informed consent from and sending lengthy privacy policies and data transfer agreements to bemused members who neither knew nor cared what all the fuss was about. What's more, the principles of oversight and transparency underpinning GDPR are rapidly being left behind by the exponential increase in the scale, sophistication and scope of data processing made possible by AI and machine learning. The way music downloads drastically undermined the copyright protection system comes to mind.

It is therefore perhaps not surprising that the Government wishes to sever this particular Gordian Knot and replace it with a more user-friendly (i.e. business-friendly) regime but, as with many attempts to simplify things, it may not be as simple as it seems. Much of the disruption caused by GDPR came with its implementation. Now compliant businesses have that compliance in place, it is unclear how much of an impediment it really is to doing business. Having put one set of policies and procedures in place, do they really want to have to do the same thing all over again for a new regime? Moreover, although for many organisations GDPR is undeniably over the top, in the UK at least the relevant regulatory body, the ICO, has usually been sensible and proportionate in enforcing it. A hospital or financial institution letting sensitive information out in the open due to an egregious security breach or a social media company covertly tracking users' behaviour so that they can be manipulated into buying unrelated products or voting a certain way is going to be treated more harshly than a plumber with a defective privacy policy or a vicar who accidentally emails the wrong parishioner.

Most importantly, the current UK data protection regime benefits from an EU adequacy decision. If the UK is to seek approval for a new one, it may not necessarily get it even if the new regulations are objectively sufficient. The EU could well use the spectre of withholding approval as leverage in the next round of the seemingly endless Brexit bunfight.

So before these particular Augean Stables are cleaned out and we free ourselves from the Procrustean confines of GDPR, we should take stock of the fact that careful navigation will be required.

Meanwhile, that's enough Classical allusions for now.
