The new Liz Truss Government ‘will be replacing GDPR with our own business and consumer-friendly, British data protection system’, Michelle Donelan, Secretary of State for Digital, Culture, Media and Sport, told the Conservative Party Conference in Birmingham.
She promised that the new law would ‘be simpler and clearer for businesses to navigate’, and said: “Our plan will protect consumer privacy and keep their data safe, whilst retaining our data adequacy so businesses can trade freely.”
She promised a ‘business friendly’ data protection law, and said Government would ‘co-design with business’ the new system. She said: “We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand.
“Our new data protection plan will focus on growth and common sense, helping to prevent losses from cyber attacks and data breaches, while protecting data privacy. This will allow us to reduce the needless regulations and business-stifling elements, while taking the best bits from others around the world to form a truly bespoke, British system of data protection.”
She spoke also of seizing ‘post-Brexit opportunity’ and offered the prospect of the UK as ‘the world’s data hub’.
For the speech in full visit the Conservative Party website. The speech also covered online user safety and ‘the horrific failure of social media platforms to put the welfare of children first’.
Comment
Neil Thacker, CISO EMEA, at the cloud security product company Netskope said Michelle Donelan’s speech has largely been received with cautious concern by the data privacy professionals that he has spoken to. “The stated intention of replacing the GDPR with national legislation that can prove GDPR adequacy requirements has been expected and trailed for a while now by the Conservative Party. Adequacy is a very functional approach used by states across the world to ensure organisations can continue to trade with the EU and handle EU citizens’ data. However, the concern here is that in walking away from existing legislation, the UK risks adding further complications rather than bringing the simplicity that it seeks.
“Good data practice should always be the goal, and it is the data type – not the type of organisation holding it – that should guide data policy. A church, school or small business should not be exempt from best practice (as captured in the GDPR) when they are handling the data types the GDPR seeks to protect, such as children’s personal information, health records or payment information.
“Having to process data differently for any region adds to the costs of businesses, so for any organisation working internationally, adding yet another international regulation will bring cost and further resource burden.
“In addition, gaining adequacy confirmation with the GDPR is a process that takes time, which risks causing yet more uncertainty for British businesses and those looking to trade with the UK. Lawyers will get work from this, infosecurity and data professionals will get headaches from this, and data subjects can only be more confused.”
