Written by André Thompson, Privacy Counsel, Trūata.
As UK-based companies grapple with the many consequences of Brexit, one European initiative they may be happy to depart from is the General Data Protection Regulation (the GDPR). The considerable burden of compliance that organisations found themselves subject and the complexity of understanding and implementing a compliance programme to meet the new and, for many companies, unprecedented demands of the law means that the GDPR is something that most UK companies won’t be sorry to put behind them. Such relief is misplaced and short-lived however as the UK Government has already put a number of measures in place to ensure that GDPR-standard data protection rights survive in a post-Brexit UK.
Firstly, the UK’s Data Protection Act 2018 which tailors and supplements the GDPR to UK law is already in force. Secondly, post-Brexit the Government will enter a new UK version of the GDPR into law, which is being referred to as the “UK GDPR”. This will ensure that the UK’s present data protection legal framework continues to have effect and therefore the same compliance standards set by the GDPR must continue to be met by UK companies.
There are other good reasons why UK companies would want to ensure their processing of personal data meets the standards set by the GDPR. Most obviously it should be understood that the GDPR should be viewed as a holistic compliance programme designed to protect fundamental human rights and which will foster in the long run better trust amongst customers. More importantly however key post-Brexit trading partners such as California and other US states, Canada, Brazil, South Africa, Japan, Australia and India have or are implementing standards of privacy protection that GDPR compliance will help meet.
What is becoming clear is that privacy laws are becoming more prevalent around the globe with different flavours and approaches and that managing and analysing data while maintaining customer trust in this context is becoming increasingly difficult for companies with global footprints. This is why many companies are turning to genuine anonymisation of personal data as a way of assisting with compliance.
Given that new post-Brexit trade deals will improve access to non-EU markets, the best approach for UK companies to prepare for Brexit is to build a single common approach to genuine anonymisation. As the GDPR is very often recognised as representing the gold standard for anonymisation, it is sensible to use this standard for anonymisation as the benchmark threshold for one single globally applicable threshold. This reduces the compliance burden and gives organisations the confidence to unlock the value in their data and keep their reputations for trustworthiness intact.