Matt Peake, Global Policy Director at Onfido, discusses the UK’s pivot from GDPR and why the replacement Data Protection and Digital Information Bill could be instrumental in shaping the UK’s digital economy
So much has been said about the rise of the digital economy. But there has been less progress on the regulation that goes alongside it. Regulation is essential for ensuring safe and secure access and use of online services and encouraging further innovation. It’s here that the UK is in danger of falling behind its EU neighbours.
Data is at the very heart of what makes these digital services viable. It delivers personalised services, creates new occupations, informs product development, and helps to verify the identities of those using them. Data management and protection have become so important that they can make or break reputations. That’s why strict regulations have come into force in recent years to ensure businesses handle personal data responsibly.
The EU’s General Data Privacy Regulation (GDPR) has been at the forefront of setting this guidance. Since coming into effect five years ago, it’s clear that GDPR can be improved to match the pace of digital change.
Picking up where GDPR left off
The UK is looking to replace GDPR with the Data Protection and Digital Information Bill to set its own agenda for data privacy regulation. One of the aims of this new approach is to facilitate businesses taking a more practical approach to using data to drive innovations, like identity verification. The former Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, spoke of a ‘newly independent’ UK with less red tape and a proportionate, fair approach to regulation. It was expected to clarify data storage and sharing rules and encourage innovation without excessive bureaucratic processes and hurdles.
But amidst political turbulence, the bill has fallen down the UK’s legislative agenda. This means that its businesses must put their digital projects on hold. To seize the opportunity presented by Brexit, the UK must rediscover its regulatory momentum, consult with the private sector and provide a new data regime fit for the booming digital economy.
Data protection without compromising innovation
When first introduced, some argued that GDPR was late. It lagged behind the exponential growth of data and calls to harmonise EU data privacy laws and clarify data sovereignty restrictions. It also followed many public requests for the EU to guide businesses in handling personal data.
Since its introduction, globalisation has accelerated, particularly after pandemic-induced lockdowns, and customers can be reached worldwide. At the same time, technology that requires access to customer data, such as IP address or geolocation checks, has grown in use and become ever-present. Businesses of all shapes and sizes use customer data to ensure they know who their customer is, comply with Know Your Customer (KYC) regulations, deliver innovative products and services and drive the economy. That’s why the approach to data compliance and protection must be fit for purpose and avoid regulatory hurdles that risk diluting the full potential of data.
The argument to stick closely to GDPR has typically centred around protecting the UK’s data adequacy status. Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without requiring further safeguards.
But it’s not a case of one or the other. The UK can improve its regulatory approach without compromising its adequacy status. It’s right in front of us; the Data Protection and Digital Information Bill has the potential to be the cornerstone of a progressive data regime, allowing businesses to innovate in areas such as online financial services more easily.
Future-proofing the Data Protection & Digital Information Bill
The opportunity to pivot from GDPR means there’s undeniable pressure on the UK government to get right what comes next. The new regime must help businesses grow and innovate without losing privacy safeguards. But fundamentally, it has the potential to shape tomorrow’s digital economy, and support the future of how consumers interact and engage with online services.
Here are my five considerations for how the bill can be future-proofed, ensuring it is fit for purpose:
1. We must simultaneously broaden and clarify the research provisions that fall within the bill’s scope. For example, for those involved in using personal data to strengthen protections against fraudsters, the bill should clarify the extent to which this data can be applied to support commercial product development.
2. Confirm the specifics of the legitimate interest list, and what’s covered within it, to allow organisations to reduce unnecessary regulatory burden.
3. Ensure regulatory coherence between data protection legislation and the UK’s AI governance policy. Regulation cannot exist in a silo; that’s how use cases fall through the gaps and data is left unprotected. Siloed regulation also increases the burden of compliance and business expenses.
4. Deliver a clear, innovation-enabling framework for digital verification services, which can lower barriers for new market entrants, while promoting growth and competition.
5. Ensure the Secretary of State’s new regulatory powers are proportionate, particularly the ability to approve statutory codes of practice.
In the coming years, the UK will diverge – but not completely break away – from the EU’s data protection policies. But businesses underpinning the digital economy depend upon regulatory clarity and guidance to comply and grow sustainably. The Data Protection and Digital Information Bill could provide this – but it must be comprehensive and balanced to secure the future of the UK’s online businesses.