By Sara Newman

It’s the 25th of May. Why is this important? It’s the release date for the long-awaited ‘Top Gun: Maverick’ and I cannot wait to see it.

Oh and it’s 4 years since the GDPR was enacted.   

What should we do with any four-year-olds?  Spend a lot of time answering questions starting with ‘why?’. 

Why is privacy important? Because it is not only a fundamental human right, but it can also prevent identity theft and fraud, emotional distress and even physical harm to individuals.

Why is the UK Data Protection Act important? Because as it stands it is giving us adequacy with the EU when it comes to data transfers and that allows businesses to trade easily and freely.

Why does the Department for Culture Media and Sport (DCMS) want to dilute the UK GDPR? I don’t know. But it’s concerning. And I am not just saying that because privacy is my job; I am also a person who relies on organisations to look after and respect my data.

I recently had a bit of a win with a well-known utility company (from a personal perspective, not with my Securys hat on) who had been asking people to put their change of details on the back of an envelope that anyone in the Royal Mail and in their offices could see. I contacted their data protection officer outlining that this is a data breach and that their most vulnerable customers would be likely to do this. Reluctantly they agreed to stop this practice. I got a bill at the weekend and the back of the envelope no longer requests personal data. This stuff is important to get right to protect individuals.

We have had 4 years of the GDPR and in that time organisations globally have been striving to do privacy well.  Some are late to the party admittedly but their name is on the list and they are coming in. We have also seen other countries introduce privacy laws that are clearly based on the GDPR. This has to mean something. This has to mean that this level of regulation is right and diluting it would put the UK on the back foot not just with the EU but with much of the rest of the world. How does that help after the trials and tribulations of the last two years?  It doesn’t.  

We have had a change at the top of the Information Commissioner’s Office and we wait for John Edwards to move away from listening mode and into action. We are yet to find out what sort of regulator he will be. This Monday, the 23rd of May, he announced an enforcement action and a fine of £7.5 million against Clearview. This is incredibly important because Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way. Only if we have robust privacy laws can we punish people who take our data illegally.

John Edwards said “This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.” 

We need to prove to regulators globally that we hold ourselves to the highest standard to allow global cooperation in the field of data protection.   

I am not saying the GDPR is perfect (don’t get me started on Article 14) but I don’t think dilution will serve the UK well. I hope that next year I can wish the UK GDPR a Happy 5th Birthday knowing it’s growing as it should be.