On 23 June, the UK Government unveiled the latest policy measures designed to support its vision of unlocking the power of data as a strategic asset to fuel innovation, scientific discovery and economic growth by reforming the UK's data protection regime.[1]
Collectively, these measures aim to create a more effective, proportionate, outcome-focused regulatory framework, able to keep pace with technological developments while delivering high data protection standards.
Overall, we believe the reforms will have a positive effect on increasing firms' confidence in investing in and adopting data-driven digital and technological innovation in the Financial Services (FS) sector. However, the impact of some proposals will only become clear after further detail is revealed in the implementing primary legislation. In addition, some key policy questions remain unanswered, including how to reconcile different strategic objectives: for example, how to balance a more agile and risk-based approach to international data transfer against the challenges it may pose to maintaining EU adequacy.
Finally, the Government also decided to defer some critical policy decisions and tackle them in further upcoming publications, e.g., concerning AI governance and Smart Data legislation. While we agree that these are complex topics that require their own focused policy consultations, it will be crucial for the UK's competitiveness to move swiftly and ensure coherence across all these - and other - interconnected policy initiatives.
DCMS published the Government's data protection reform plans in response to its initial consultation, "Data: A new direction", launched in the autumn of 2021. The Government will implement the reforms primarily via the announced Data Reform Bill, which it will lay before Parliament in the coming months.
Both the initial consultation and the recent response are extensive and technical documents, covering over 70 policy proposals across a broad set of areas. In this article, we focus our analysis on the key policy measures that we believe are immediately relevant to digital and technological investment and transformation strategies in the FS sector.
The Government announced three key policy changes to help create more transparent and consistent rules for using personal data to support the adoption of new data-driven technologies.
Overall, we think these measures will help give FS firms more confidence in using and collaborating with other organisations to leverage personal data as part of their innovation and growth strategies.
The Government stressed the importance of removing unnecessary barriers to cross-border data flow and wants to progress an ambitious, risk-based, and outcome-focused programme of adequacy assessments. For example, the Government will invest in ongoing monitoring of adequacy regulations and relax the requirement to review adequacy regulations every four years. The Government also plans to legislate to support the creation and recognition of new alternative data transfer mechanisms (ATMs).
FS firms will broadly welcome measures that remove unnecessary barriers to international data transfers, given the international footprint of their clients and third party service providers. However, while we agree with the UK Government's assessment that most of the proposed reforms should not pose a significant challenge to the UK maintaining its EU adequacy status, it may not be as straightforward concerning adequacy decisions and ATMs.
This is because they open the possibility of EU residents' data being shared freely via UK firms to third countries that have not received an adequacy decision from the EU, e.g., the USA. In its UK adequacy decision last year, the EU Commission highlighted that it would closely monitor the question of onward transfers under a future evolution of the UK's data protection regime. As the UK and EU currently share virtually the same rules for international transfers, the Commission expected that any problematic divergence could be avoided through cooperation and engagement.
Yet, it is unclear how the UK Government will balance its vision for an ambitious and autonomous UK international transfers regime with the need to cooperate and remain closely aligned to the EU. The clear message from most respondents to DCMS' initial consultation is that free data flows from/to the UK and the EU remain of primary strategic importance. Above all, long-term clarity around these issues will be critical for firms operating in FS across both the EU and UK.
The Government has decided to hold back on a broader set of innovation-focused proposals included in its initial consultations, for example clarifying the definition of fairness in an AI context. It will instead consider these proposals further as part of the forthcoming white paper on AI Governance, expected by the end of the year.
Similarly, the Government confirmed its commitment to legislate to enable the development of secure and innovative data-sharing schemes and ecosystems. However, it will only provide further details in the forthcoming Smart Data legislation, which will also set up the high-level legislative framework to enable the development of Open Finance in the UK. Our understanding is that Smart Data legislation will form part of the forthcoming Data Reform Bill, together with data protection reforms.
Both AI and Smart Data are complex policy matters, and we agree that they require specific and thorough consideration. Yet, as the challenges of reconciling Open Banking and GDPR taught us, it is also essential to consider these initiatives as a holistic legislative package if the Government is to achieve its objectives of unlocking the power and value of data in FS. Accordingly, the Government should ensure that the future regimes for data protection, AI, Smart Data, as well as Digital ID are synchronised, move forward at pace and are compatible and coherent when considered in aggregate.
The Government's planned changes to the UK data protection regime are much more comprehensive than just the selected measures covered above. They also include wide-ranging reform to the Information Commissioner's Office (ICO)'s objectives, strategic priorities, governance and accountability model, and investigatory powers. For example, the Government will give the ICO new secondary duties to consider economic growth, innovation, and competition in its supervisory and enforcement activities. The ICO will also have a duty to consult and cooperate with other cross-sector and sector authorities when exercising these duties. We believe this is a very positive step. We have long argued that additional coordination between cross-sector and sector regulators is crucial to help provide the regulatory and supervisory clarity to support data-driven innovation in FS.
The Government also wants to reduce unnecessary compliance burdens for organisations, especially smaller ones. Legislative changes will facilitate a shift from a rule-based to a more risk-based and proportionate approach. For example, organisations will no longer be required to undertake Data Protection Impact Assessments or appoint a Data Protection Officer. Instead, they will need to appoint a suitable senior individual to be responsible for the organisation's privacy management programme (PMP), which should include tailored and proportionate risk assessment tools to manage data protection risks across their organisation. The focus on proportionality and flexibility should particularly help smaller FinTech firms. And the focus on senior management accountability aligns very well with the existing Senior Manager and Certification Regime that FS firms already need to comply with.
We expect the Government will lay its planned Data Reform Bill in Parliament in the coming weeks or months, which will help clarify some of the missing details or outstanding questions we highlighted. While gaps remain, and it will take time for legislation to be finalised and for the reforms to be implemented, it is encouraging to see the UK's post-Brexit innovation policy agenda finally starting to take shape.
_____________________________________________________________
[1] The current UK data protection regime consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA).
[2] EU GDPR has been fully transposed into UK law and is now known as UK GDPR.