Interview: Bojana Bellamy Discusses GDPR Reform Post-Brexit

Bojana Bellamy, president of Hunton Andrews Kurth LLP's Centre for Information Policy Leadership (CIPL)

Recently, the UK government made several announcements regarding its post-Brexit global data plans, with the overarching aim of gaining maximal economic and societal benefits from the free flow of information. The Department of Digital, Culture, Media and Sport (DCMS) stated: "Estimates suggest there is as much as £11bn worth of trade that goes unrealized around the world due to barriers associated with data transfers."

The department unveiled its intention to strike new data adequacy partnerships with the US, Australia, Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia, while prioritizing future agreements with India, Brazil, Kenya and Indonesia. For these partnerships to take effect, Culture Secretary Oliver Dowden suggested that the UK's current data laws, likely including UK GDPR, require reform. Dowden said: "It means reforming our own data laws so that they're based on common sense, not box-ticking."

The government also named its preferred candidate to be the next information commissioner to help oversee these changes: John Edwards, who currently serves as New Zealand's privacy commissioner.

While we await further details on these plans, Infosecurity recently caught up with Bojana Bellamy, president of the global privacy and data policy think tank, the Centre for Information Policy Leadership (CIPL). She discusses the potential changes the UK government could make regarding data protection and privacy and what the broader impact of these could be.

While Bellamy was fully expecting the UK to announce data adequacy arrangements post-Brexit, she was pleasantly surprised by just how "bold" the DCMS was in openly stating the countries it wants to create new agreements with. In her view, it offers a much-needed opportunity to adapt the current GDPR regime and its enforcement. "I was pleased because we've been in this field for such a long time, and there are so many things that simply don't work, or don't work very well, and you need something to shake the system," she explained. "So I think that's what the UK's trying to do, shake the system a little bit — it doesn't mean necessarily diverge from the system, it doesn't mean to renounce the system, it just means we can do things a little bit differently."

This is important because Bellamy believes in many policy circles in the EU, GDPR "has been put on a pedestal," making changes difficult. "If Europe really wants to make a success of this, they need to consider what they can do to turn the dial on GDPR to make it work better," she said.

Risk-Based Approach

She is especially encouraged by Dowden's comments about the need to avoid 'box-ticking' regarding the UK's data laws. This statement indicates the UK government wants to move towards a 'risk-based approach' to information, shifting away from the position of viewing all data as "sacred." This is the right move to make, according to Bellamy, as it will allow organizations to "calibrate compliance in the areas that are higher risk for individuals, because of security, privacy or the use of emergent technologies." She added: "Then we don't need to focus on areas that are a low risk and don't cause any harm for people."

Bellamy expects the UK to adopt an 'outcomes-based' model regarding data security and privacy

She continued: "Not all data is the same: for example, exchanging emails between business accounts is very different to my health data or sexual preferences or anything of that nature."

Bellamy also expects the UK to adopt an 'outcomes-based' model, which focuses on what organizations need to achieve concerning their data security and privacy rather than specifying how they go about it. This can prevent a box-ticking culture from taking hold and allow organizations to assess and manage data risks relative to them. This approach should force organizations to "embrace a privacy and security culture and build privacy/security programs with leadership and oversight that are based on risks and harms – the more risks you create, the more controls you have."

This outcomes-based model should also enable the ICO to work more effectively, allowing them "to focus on where there really is harm as opposed to wasting their resources on trivial complaints or cases."

Data Adequacy

As per the government's stated intentions around adequacy agreements worldwide, Bellamy believes there is enormous scope for improvement in how adequacy is currently determined under GDPR. She pointed out that the EU now only has these arrangements in place with 12 countries around the world in addition to the recent decision made in respect of the UK. "Clearly, the process is broken; you can't take years to declare countries adequate," she commented.

The UK should therefore move away from the methods the EU uses to determine adequacy, which tend to look at "exact requirements" of the laws of third countries, according to Bellamy. Instead, the UK is likely to pursue "a more agile way of determining adequacy," which analyzes the 'spirit' of other countries' data laws and the outcomes they achieve.

This is particularly critical given the economic damage associated with restricting the free flow of data. "One can be very legalistic about data flows and compliance, and that's what's happening in Europe. Where we are now is that most companies are spending huge amounts of time, energy and resources, to ensure their data flows, which are happening every day, every minute, are lawful," she stated.

Should the UK go down this route of undertaking "contextual comparison," Bellamy expects it will prove to be a good precedent and persuade the EU to change course in this direction too. "Hopefully, it will become more of an enabler rather than a political and legal exercise, which it has been at the moment under the EU regime," she commented.

Reforming GDPR

Bellamy also believes the UK will look to change the way GDPR is enforced in several other areas as part of its ambition to unlock the full potential of data. In particular, the current rules have been too restrictive on the use and sharing of data for research purposes in areas such as science, health and product development. She said: "There are many who are saying the rules are too onerous, too complex, and there is the reticent risk that researchers are scared of sharing data and therefore we are losing the benefits of creating new drugs, vaccines, etc."

Major tech firms like Google and Microsoft are researching emerging AI and quantum computing technologies

Bellamy also pointed out that major tech firms like Google and Microsoft are conducting significant internal research into emerging AI and quantum computing technologies. "They're doing it in order to create better security or less biased AI — we need to enable that as well."

This type of research requires vast quantities of personal data, which are currently difficult to obtain because this information is considered 'sensitive' under GDPR and therefore requires explicit consent. According to Bellamy, this has created a lot of tension between data protection rules and work on developing AI/machine learning technology. "For example, to ensure that AI/machine learning is not biased and does not discriminate, you have to process so-called sensitive data under GDPR, such as health, sexual orientation, gender, religion and opinion," she explained. "The idea that we are going to be asking people to keep consenting all the time for this is unrealistic — it has to be allowed because we want to make sure our algorithms are fair."

Impact on Privacy

Despite the fears of some privacy professionals, easing rules around the collection and sharing of data does not mean individual privacy rights will be weakened, according to Bellamy. "All the rights are going to remain there — right of access, correction of data, deletion, portability, etc.," she outlined. "So I'm sure that is all going to remain, but companies will be able to deal with it in a more streamlined way."

An outcomes-based approach, in which more responsibility is placed on the shoulders of organizations, should serve to enhance individual privacy. For example, Bellamy said she would like to see individuals be given a right to complain to organizations, which would require them to develop stringent privacy programs and complaints procedures. This will also help prevent the ICO from being overloaded with complaints, as is currently the case. "Focusing more on a risk-based approach and accountability will actually help individuals long-term because companies will be forced to do something that really protects people as opposed to just bureaucratic ticking the box exercise," she commented.

Bellamy therefore believes the UK can gain substantial benefits from reforming its current data laws, ensuring data's full economic and social potential can be fulfilled. This can also be achieved without any significant divergence from the EU regime, instead taking a more flexible approach to GDPR principles, including placing more responsibility on organizations in this area.
