The UK’s expected divergence from the EU General Data Protection Regulation (GDR) was a key talking point from IAPP UK’s recent conference. Yvonne McKeown, senior data privacy consultant with BH Consulting, was there and she outlines her thoughts in this blog.
The International Association of Privacy Professionals’ event, dubbed ‘IAPP UK Intensive 2023’, took place in London on March 8 and 9. It brought together privacy professionals to discuss the latest trends, challenges, and best practices in data protection and privacy.
It featured keynote speeches from prominent privacy experts, as well as panel discussions and workshops. Among the range of topics were: GDPR compliance, data breach management, privacy by design, and emerging technologies like artificial intelligence (AI).
GDPR in the UK: diverging from Europe’s way?
Michelle Donelan, secretary of state for the newly created Department for Science, Innovation and Technology, spoke of a “common-sense-led” UK version of the GDPR. She claimed UK industry would save more than £4 billion over the next 10 years through reducing bureaucratic overhead. As Donelan delivered her speech, the UK Government announced the new data laws. The press release took aim at the “pointless paperwork” it said UK businesses currently need to deal with.
It will be intriguing to observe how this legislation, which has its own set of compliance requirements, simplifies matters and saves the intended £4.7 billion for the UK economy. As many of BH Consulting clients provide goods and services to the UK, we will be watching this closely as the Bill progresses through the parliamentary process.
Tim Clement-Jones, Liberal Democrat House of Lords spokesperson for Science, Innovation and Technology, spoke in favour of the current UK data protection regime. However he advocated incorporating components of the EU GDPR into the UK version to clarify legitimate interests and research aspects.
On the morning of the conference, IAPP’s research and insights director Joe Jones published his thoughts on the proposed reforms. He noted that the proposals make “targeted changes” to the current law – many of them stemming from the lived experience of working with the EU regulation.
An agile authority: UK ICO’s approach
One of the highlights of the conference was a keynote speech by UK Information Commissioner John Edwards, who outlined his vision of a more agile ICO that promotes “confidence in the digital economy”.
He explained that the ICO is not keen to pursue the minutiae of technical compliance in every case if it sees that pursuing an issue further would, in fact, bring no benefit to citizens. Consequently, he has stopped investigations when he didn’t consider them a good use of limited resources.
Privacy Laws & Business led with this angle for its report on Edwards’ keynote. The story has a good summary of the main points of his presentation. Interestingly, with all the talk of AI right now, the story includes a detail that his team had investigated complaints that an AI-Assisted Benefits system led to prejudiced decision-making. However, on investigation, his team found no evidence of discrimination in the algorithm.
The ICO website also reported on his talk, including an embedded video featuring the full half-hour speaking slot.
Perspectives on privacy: the global view
Other notable speakers included a discussion between the former UK Information Commissioner Elizabeth Denham and privacy activist Max Schrems. They talked about the global data transfer environment – “chaos”, in Denham’s words – and the advantages and disadvantages of the EU’s one-stop shop regulation model, which Schrems said “kind of works” but is “messy and slow”.
IAPP covered the discussion in a report about the conference. It elaborated on Schrems’ remarks, pointing out that the regulation allows for data protection supervisory authorities to collaborate without directing them as to how they should do this.
In addition to the keynote speeches, there were numerous breakout sessions. These discussions covered topics including AI, upcoming regulations impacting data protection, cross-border data transfers, and statutory updates in major jurisdictions.
There were also many practical sessions covering a wide range of operational issues: protecting children’s data, maturing beyond first-generation privacy programmes and technology, automating data protection processes.
During the event, Dan Whitehead from Hogan Lovells delivered a notable session, where he presented on the impending arrival of the AI Act and shared valuable insights on the subject. Dan’s presentation was highly practical and included a 10-step AI Governance Checklist, which was especially noteworthy.
The conference also offered a range of training and certification training programmes for privacy professionals, including the Certified Information Privacy Professional (CIPP) certification and the Certified Information Privacy Manager (CIPM) certification.
Overall, I found the IAPP conference was a valuable forum for networking and sharing experiences and best practices with other privacy and data protection professionals. I also enjoyed the opportunity to learn from leading privacy professionals and hear from thought leaders.
Yvonne McKeown is a Senior Data Protection Consultant at BH Consulting.