By Ben Rapp
The UK seems firmly committed to reducing what it perceives to be the “burden” of data privacy compliance. I could write about the probable negative consequences of this approach from a consumer perspective; I could point out that Singapore, often cited by the UK as a kind of role model, is not only not a liberal democracy but also recently introduced substantial additional privacy regulation.
But instead, let’s talk about whether there’s actually any benefit to the government’s proposals, and if so, to whom it accrues. The reality of the situation is that whatever the UK does, the GDPR continues to exist and be enforced; indeed European privacy regulation is travelling in the opposite direction, towards further protections for data subjects.
So what? I hear you cry. Brexit and all that. Well, yes, but we live in an interconnected world. At Securys most of our clients are multinationals, and most of them – indeed almost all – have adopted the GDPR as their internal privacy standard and operating model. Why? Well, partly because it’s necessary if you want to trade with the 460 million people who live in countries subject to the GDPR: roughly the same size as the US by GDP, with a similar external trade volume, and representing geographically the largest single market area in the world. But also because the GDPR has first-mover advantage. As the original comprehensive and principles-based privacy regulation, it has inspired many of the new privacy regulations around the world and in most cases represents a superset of local requirements.
If you’re working across dozens of jurisdictions globally, it’s remarkably simplifying to apply the GDPR everywhere as a starting point and know that you’re unlikely to find yourselves in serious compliance trouble. There is still work to be done – indeed much of Securys’ practice lies in helping customers navigate these waters – but usually it’s handling those cases where the local law is more demanding than the GDPR, rather than trying to profit from regulatory arbitrage.
Why don’t companies look for opportunities to avoid regulation? Why not, say, do all your business improvement activity in Singapore, where business improvement is a wide-ranging and lightly-governed basis for processing? Because that’s not how either regulation or indeed data works. Data processed in the EEA are subject to the GDPR, as are data relating to residents in GDPR countries, wherever the processing may be performed. For multinationals much of their economy of scale comes from being able to centralise business functions, which necessarily requires accepting international data transfers and the associated extraterritoriality of their source jurisdictions.
Even if there were some strong potential benefit from keeping data and processing local to a single jurisdiction, you’ll only really see the value in that one location – you can’t scale it out globally – and you have all the additional costs of a separate compliance regime. Never mind the ethics, it’s simply good business sense to have standardisation of processes wherever you can – that’s one reason companies commonly grant data subjects GDPR rights irrespective of where they actually live.
Take the simple example of cookies. The UK might try to “get rid” of cookie banners, but is it really worth engineering your English-language website to work differently for UK visitors, and take the risk of mis-identifying someone as UK resident when they aren’t, just to get away with dropping a load of behavioural cookies that likely add little real-world value to your bottom line in any case? Besides which, thinking about this from a Privacy Made Positive® perspective for a second, it’s not the cookie banners that people really resent – although they were always a poor solution to the problem – it’s the cookies themselves. Do less tracking, and do it less intrusively, and you have a globally-compatible website and some privacy-protecting behaviour to shout about to consumers.
The UK’s desire to have a Brexit-validating “bonfire of red tape” reflects a failure to understand that we – the consumers who actually buy products and services – have moved on from an exploitative, least-cost mindset to caring about how companies treat their customers and employees in the digital world as well as the physical environment. Privacy done well is a competitive advantage, not a burden, and our research has proven that ethical companies outperform their peers, especially in tough economic times.
So even if you’re not a multinational and don’t need to think about markets, consumers or employees outside the UK, you should embrace privacy as a virtue and an opportunity rather than deriding it as bureaucracy gone mad. Just because our political leaders seem incapable of following rules doesn’t mean we should throw out the rulebook.