The data protection regulatory regime in the UK could soon look very different, if proposed changes to the current UK General Data Protection Regulation (UK GDPR) come to fruition as part of a recently published UK government plan to move its data protection laws in a new direction following the country’s split from the EU.
As the government’s consultation on these proposed changes closes, leading privacy and data management technology vendors are looking at what opportunities a more agile approach to data protection might open up for financial firms and how they can start to prepare for a potential regulatory shift.
The government has published further details of what the changes to UK data protection law could be, along with analysis of their potential impact, and its public consultation on the proposed changes closes this coming Friday, November 19. According to the consultation document, the proposed reforms will create an “ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”. In addition, it says that the proposals will also “build on the key elements” of the current UK GDPR.
According to Linda Thielova, Chief Privacy Officer and Data Protection Officer (DPO) at privacy technology specialist OneTrust, the proposals could offer a number of opportunities for UK capital markets firms in terms of reducing barriers to innovation. The first of these is the proposal to create a list of legitimate interests, similar to a ‘white list’ of all legitimate interests, which Thielova believes would free up businesses to use personal data without having to go through the balancing test exercise first. “This will help businesses to gain more confidence and clarity regarding the data practices,” she says. “It will allow businesses to leverage the data for activities such as monitoring or detecting, but while giving them much needed clarity that they are still solid in terms of their compliance efforts.”
Tackling GDPR costs and complexity
A second key area that could be impacted is that of AI, Thielova says. According to the consultation document, the government plans to create a new condition within Schedule 1 to the Data Protection Act (DPA 2018) which specifically addresses the processing of sensitive personal data as necessary for bias monitoring, detection and correction in relation to AI systems. “This clarification offers businesses much more information regarding permissions for use of personal data, as well as special categories of personal data, which is very, very significant, especially for the machine learning piece, and it also contains guidance regarding bias monitoring and correction in AI systems for processing these types of data,” adds Thielova. “Again, this potential new legislation provides much more clarity and certainty for businesses that want to go into this innovation sphere.”
The third major proposal that Thielova identifies as significant is that of the change in approach to cookies. “Cookies are one of those topics that most businesses come across and the proposal includes the option for allowing analytics cookies and similar technologies to be processed without the consumer’s consent or data subject’s consent,” she says. “There are still safeguards in place for ensuring that these are very low risks proposed to the data subjects and that this is very low harm processing. But ultimately, this might further break down some of the barriers and provide quite a boost to innovation when businesses can rely on analytics cookies without seeking the consent.”
Financial markets have long understood the inherent value in data collection and analysis, while also recognising the need for a robust data protection regime to ensure that this process stands up to regulatory scrutiny. Yet since the introduction of GDPR, the cost and complexity of becoming GDPR compliant has proven to be significant for financial firms and institutions. According to figures published by Statista, banks faced an estimated £66 million in GDPR compliance costs for 2018, three times more than expected for any other sector. Initial analysis published by the government of the impact from the proposed changes indicates a net direct monetised benefit of £1.04 billion over 10 years, “driven by removing barriers to responsible data use and reducing business burdens”. In the event EU adequacy is maintained alongside these reforms, this would rise to £1.45 billion, through saving £410 million in associated costs of switching to alternative transfer mechanisms.
UK as a data innovation hub
In addition, the government says that “evidence indicates that the current level and nature of data use may be suboptimal” and that while businesses identify benefits of the GDPR and DPA 2018, some organisations find this legislation “difficult to understand and implement”. According to the proposal, approximately 40% of UK businesses report lacking certainty on key definitions in the UK’s data protection regime, what people’s data rights are and how and when to report a breach. The consultation paper argues that there is also evidence that the current regime may reduce firm-level innovation, business creation and employment, decrease investment in emerging technology firms and negatively impact data-driven industries.
To counteract this situation, the consultation document addresses five key themes, including reducing barriers to innovation; reducing burdens on businesses and delivering better outcomes for people; and boosting trade and reducing barriers to data flows, says Heather Federman, Vice President of Privacy & Policy at BigID, which offers a data intelligence platform for privacy. “If the UK government is able to follow through with its intentions, then the proposed changes could put UK firms on the global map when it comes to innovative data uses. This could be the case even despite the challenges it may potentially face with EU compliance measures,” she adds.
In addition, Federman notes that one of the proposed changes is to remove the right of human review for decisions made on the basis of solely automated data processing. She explains that while this could enable firms to make credit/financial decisions in a much more convenient manner, there is always a concern that without any human review, unfair and biased results could occur. However, Federman says that if UK firms have already been complying with the EU-GDPR version, then in general they may find they have more room to innovate as a result of these proposed reforms. She adds that the UK takes a very practical approach to data processing and so she believes that UK firms will have that opportunity to take a more risk-based rather than principled approach, which is currently the case under EU GDPR.
Holding on to equivalency status
However, Finlay says that the UK ultimately “cannot afford to lose the EU data privacy equivalency status it currently enjoys” and so expects that the nucleus of the individual protections will remain, if not be strengthened. For financial firms, if the changes retain GDPR equivalency, the benefits will be in reduced compliance oversight overhead, Finlay says, but he warns that if the changes remove equivalency, “there will be no benefits and firms will face significant difficulties in interacting with EU citizens”.
In real terms, Finlay expects that if equivalency status is granted by the EU then the only changes firms will need to make will be the removal of certain requirements of acknowledgement and changing workflows to exclude such acknowledgements and statements. “Any changes firms will need to make to adapt their existing systems and processes as a result of the planned legal changes will be dependent on how firms have addressed the GDPR requirements, but we can expect the need for flags on customer and employee files to indicate that the firm has met any disclaimer requirement or obtained whatever permissions necessary to store, utilise or transfer any personally identifiable data,” he adds.
Easing the compliance burden
Big data analysis, predictive analytics and AI applications are key areas of potential opportunity for financial firms and institutions, but according to the proposals these are also examples of data processing in relation to which “many data subjects do not have clear expectations or understanding”, which it warns presents “clear challenges to the transparency of data processing for individuals”. When it comes to big data and the issues around data use in machine learning and AI, OneTrust’s Thielova says that the proposals suggest creating simpler and clearer rules for processing personally identifiable information (PII), even including sensitive data, as well as trying to facilitate cross-border big data processing.
“This proposal shows an evolution for some of the more restrictive elements that we’ve seen in the GDPR and morphing them into that more flexible and risk-based approach, which is friendlier to businesses, as well as individuals,” Thielova adds. She believes that there are “definitely some bonuses” in the proposal which capital markets businesses should take into consideration when deciding whether to support the planned changes or not. For example, there is the proposal to remove the data protection officer (DPO) position for certain businesses that might not need it, she says. “A lot of these operational steps are requirements that we’re used to under the current GDPR which might actually be taken away and so businesses should be following this quite closely,” Thielova adds. “But I would not be expecting that the current GDPR principles would be completely stripped away from the new legislation, yet on the operational level, we are seeing the manifestations of that much more flexible risk-based approach.”
The proposed changes also include certain key points which could help ease the compliance burden on firms. BigID’s Federman says that one such proposal is the removal of the Records of Processing Activities (ROPA) requirement as well as the Data Protection Impact Assessment (DPIA) requirement. This would leave it to the discretion of firms whether they need to use these documentation tools on a case-by-case basis, rather than requiring them in all cases, she explains. “In addition, compliance will be somewhat easier for firms when it comes to analytics tracking. The proposed changes include a removal of the consent requirement for analytic-type cookies, rather than requiring consent for any type of cookie – even the ones used for normal business operations,” Federman adds.
Preparing for change
Furthermore, many employees use Data Subject Access Requests (DSARs) to obtain information they can use as part of a separation package or for litigation purposes. Federman explains that the government is considering lowering the threshold at which businesses can refuse to comply with a DSAR, which means they could refuse requests from employees submitting a DSAR for these litigation purposes. “If this goes into effect, it will help make compliance easier for internal/HR purposes,” she adds.
While the consultation is still open for review, the proposed changes are at too early a stage for firms to be preparing their operations for them to come through as law. Federman says that for now firms should have a solid understanding of their data assets, what type of data is transferred across jurisdictions and what practical steps they may need to take if EU-UK adequacy is revoked. “If that happens, then best to look to what US firms have done in such a case,” she adds.
Whether the proposal is likely to create any technology or additional data challenges for financial firms is largely dependent on whether firms have a single view on the individual or not, irrespective of the role(s) which that individual plays when interacting with the firm, Finlay adds. “For example, does the firm have a single ‘person’ record, then assign roles such as client, employee, beneficiary, etc., to that person, or does the firm maintain separate records for each role? The former approach allows for flagging files once, the second approach means flagging multiple files, with the possibility of records falling out of synch,” he explains.
Finlay argues that compliance under GDPR is also largely box-ticking and not really focussed on protecting personally identifiable information. “Any significant strengthening of rules is likely to result in a clearer requirement of what is required and how to comply with the requirement,” he concludes. “For now, firms need to catalogue the current GDPR-oriented controls in place and ensure they have the ability to make changes, as and when required.”