Data protection and a potential Whitehall own goal

British businesses have until just before midnight on the 19 November 2021 to provide their feedback to the Department of Digital, Culture, Media and Sport (DCMS) on their paper, ‘Data: a new direction’.

Through this public consultation, the government’s aims are wide-reaching with DCMS proposing a series of innovative reforms to the UK’s data protection regime, all part of the National Data Strategy.

I am certain a decent behavioural scientist could tell plenty from how the government has ordered the contents of the document. Absent, however, from a paper packed with positivity and promised potential, are the stark warnings data protection commentators are currently tackling.

It is important to note that we’re truly fortunate to enjoy the levels of privacy protection we do in the UK. You don’t have to cast your mind back too far to remember a time when you couldn’t enjoy a coffee and some ‘free’ wifi without submitting all your details and ‘opting in’. Indeed, I had a junk email address just for this purpose! The following barrage of contact was as predictable as it was irritating, becoming less and less relevant as our data was sold and re-sold.

Going back to the government document, I advise everyone to monitor this proposed direction with interest – personally and professionally in the post-Brexit world in which we live.

The first chapter of the document, titled ‘Reducing Barriers to Responsible Innovation’, contains a broadly sensible set of recommendations which should empower positive change without driving poor outcomes for data subjects. It’s hard to disagree with the sentiment on these recommendations; it makes sense to begin with.

However, the following chapter of the document titled ‘Reducing Burdens on Businesses and Delivering Better Outcomes for People’ appears to me to be the point at which well-intentioned companies might start to deviate from those willing to skirt obligations to turn a quicker, easier profit.

Easing the accountability requirements is a minefield which, managed badly, creates loopholes for firms and blind spots for the regulator. This alone places the UK’s recently awarded EU adequacy decision on shaky ground. But reading Chapter 3, ‘Boosting Trade and Reducing Barriers to Data Flows’, you can already hear the discontent murmuring in Brussels. Under these proposals, the UK would explore data transfer adequacy decisions for more countries and easier transfer mechanisms. It’s fair to say the EU have awarded adequacy to everyone they are prepared to, so everyone that the UK adds is a potential red rag. The EU were clear in saying that the UK’s future decisions around awarding adequacy to countries not on their own ‘adequate’ list would hold our ‘safe’ status from Europe in jeopardy. So, for anyone trading with either EU businesses or UK businesses with EU parent companies, the future could be challenging.

The last few chapters of the document address public services and reforming the regulator, the latter of which I think was predictable. My expectation was a blueprint for a regulator resembling other modern regulatory frameworks such as the FCA, and much of the proposed review would lend itself to that thinking. However, it appears checks and balances are at risk, as the independence of a regulator that takes its cues directly from the Secretary of State could bring into question its impartiality.

The ICO themselves have given very clear warnings around the perils of pushing through reforms without considering short- and long-term impacts. The outgoing commissioner, Elizabeth Denham, has said that she can “support the intention of the proposals to make innovation easier for organisations” but equally warns that “the devil is in the detail”.

For me, it’s fascinating to see how different organisations approach the regulation and how they interpret what it says into business policy and practice. There is definitely a spectrum ranging from very rigid ‘computer says no’ regimes, through the sensibly practical, past the enlighteningly pragmatic and then unfortunately and occasionally ending with some approaches that are either careless or mal-intentioned.

Data traders may well be celebrating the proposed reforms, but I think in reality this will come down to our government’s analysis of whether Europe is more of, or less of, an economic opportunity than the rest of the world.

Here at Sigma Connected, employee and consumer privacy and protection are core to our values, part of what makes us tick. We believe privacy regulation is designed with flexibility, fundamentally intended to empower any business to achieve its goals, so long as those goals are aligned to good customer and employee outcomes.

Pragmatism is a word you hear a lot here at Sigma Connected, but pragmatism should never be confused with carelessness. We are careful to protect and preserve rights and freedoms for everyone whose information we are privileged to be the guardian of, whether as employer or service provider, controller or processor.

ReachOut, our award-winning initiative which supports vulnerable customers who are struggling with debt, is a great example where we have taken GDPR protections and turned them into a badge of honour. We actually leverage privacy protections as key to the process for earning trust from service users. Our commitment to protecting their confidentiality is the first thing we make clear and the trust we foster through doing this well has been a huge part of making our vulnerability product such a success.

To sum up, it is obvious that responses to the consultation will be telling. This is potentially more of a watershed moment for privacy than the introduction of GDPR. We’ve adapted to a new regime under which privacy champions feel empowered. However, businesses have felt impeded by overzealous application, but we, the public, have benefited, at times without even realising it.

With a bit of luck, we will move away from box ticking in business without losing the benefits of being in control of our privacy as citizens. I will be interested to see how the proposals evolve and the impact in our organisation and those of our partners.

For further information or a wider discussion on how we can help your business, contact us below.

About the author

Peter Hopgood-Gravett has led risk and compliance teams, in FCA regulated industry, for over 12 years and is Sigma Connected’s Director of Compliance, Risk and Audit.
