Post-Brexit shake-up of data rules: What does it mean for small businesses?

Digital secretary Oliver Dowden has pledged businesses will enjoy new opportunities as a result of "common sense", rather than "box ticking", data laws now that Britain has left the European Union.

Last Thursday, the government announced proposed reforms for data regulations including removing from most websites pop-ups that notify users they are being tracked by cookies. Dowden told the Daily Telegraph that the notifications are "pointless" and they should be scrapped from sites that don't pose a "high risk" to privacy.

The move is part of ministers' efforts to take control of internet laws in the UK. A government press release said an estimated £11bn worth of trade goes unrealised around the world due to barriers associated with data transfers.

"Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK," Dowden said.

"That means seeking exciting new international data partnerships with some of the world’s fastest growing economies, for the benefit of British firms and British customers alike.

"It means reforming our own data laws so that they’re based on common sense, not box-ticking."

The reforms could see the UK moving away from the requirements of the General Data Protection Regulation (GDPR), which introduced in 2018 more stringent controls across the EU for how businesses and other organisations can use personal data. The rules have been criticised for an over-reliance on consent-based permissions.

The government intends to create new "data adequacy agreements" with non-EU countries. This means two nations accepting that each other's data protection rules are adequate to allow for free and easy cross border transfer of data.

The government's initial targets for new agreements are Australia, the US, the Republic of Korea, Singapore and Dubai International Finance Centre. Longer term it is looking at India, Brazil, Indonesia and Kenya.

The UK currently has 42 data adequacy agreements in place, including with EU countries.

In a new "mission statement", the government said: "We want the UK to be a nation of digital entrepreneurs, innovators and investors - the best place in the world to start and grow a digital business, as well as the safest place in the world to go online."

It laid out the following benefits for innovative businesses:

"UK organisations of all sizes and across all sectors rely on various services like these from overseas, such as email marketing, online retail, and communication platforms like Zoom, and cloud storage in order to grow, collaborate, and innovate in a cost-effective manner. In an era of remote work, cross-border data transfers have enabled growth, productivity, innovation, and a strong and competitive market position for these companies.

"Data transfers are especially important for micro, small and medium-sized businesses as it can open up overseas markets and supply chains, improve innovation and competitiveness, and build access to finance.

"For individuals, data transfers underpin services that mean we can shop far and wide when buying a car via Cazoo, help us and our children sleep better and think mindfully via Moshi, open up the sharing economy for items small and large via Fat Llama. UK companies like Revolut and Babylon empower fingertip access to our bank accounts and to healthcare services, respectively."

Reaction to the announcement

Data experts have said the announcement could cause a new row between Britain and the EU. That was shown by the reaction of a Brussels spokesperson who told the Financial Times that the EU is "very closely" monitoring the UK's decisions and will "immediately" revoke its data-sharing agreement if the privacy of European citizens is put at risk.

Businesses already trading in the EU are likely to have to continue complying with GDPR whatever the UK's changes and given the effort that thousands of firms made to comply with the new regulations in 2018, they may be wary of new changes.

Speaking to Third Sector, fundraising consultant Sarah Goddard said "so much charity time, money, resource, effort went into (and still goes into) making sure organisations were GDPR-compliant" and they will be anxious about having to "go through something similar again, or know that that investment was so large for so little".

The government also announced that John Edwards, who is currently New Zealand’s privacy commissioner, is its preferred candidate for the UK's new information commissioner.

"It is a great honour and responsibility to be considered for appointment to this key role as a watchdog for the information rights of the people of the United Kingdom," Edwards said.

"There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all."

Eduardo Ustaran from law firm Hogan Lovells told the Guardian: "The appointment of John Edwards as the next information commissioner is a vote for no-nonsense and pragmatism for the future of data protection regulation."

Current information commissioner Elizabeth Denham, who leaves the role on 31 October, commented: "Data driven innovation stands to bring enormous benefits to the UK economy and to our society, but the digital opportunity before us today will only be realised where people continue to trust their data will be used fairly and transparently, both here in the UK and when shared overseas.

"My office has supported valuable innovation while encouraging public trust in data use, particularly during the pandemic. We stand ready to provide our expert advice and insight as part of any future government consultation."