On 23 June, the UK Government unveiled the latest policy measures designed to support its vision of unlocking the power of data as a strategic asset to fuel innovation, scientific discovery and economic growth by reforming the UK's data protection regime.
Collectively, these measures aim to create a more effective, proportionate, outcome-focused regulatory framework, able to keep pace with technological developments while delivering high data protection standards.
Overall, we believe the reforms will have a positive effect on increasing firms' confidence in investing in and adopting data-driven digital and technological innovation in the Financial Services (FS) sector. However, the impact of some proposals will only become clear after further detail is revealed in the implementing primary legislation. In addition, some key policy questions remain unanswered, including how to reconcile different strategic objectives: for example, how to balance a more agile and risk-based approach to international data transfer against the challenges it may pose to maintaining EU adequacy.
Finally, the Government also decided to defer some critical policy decisions and tackle them in further upcoming publications, e.g., concerning AI governance and Smart Data legislation. While we agree that these are complex topics that require their own focused policy consultations, it will be crucial for the UK's competitiveness to move swiftly and ensure coherence across all these - and other - interconnected policy initiatives.
DCMS published the Government's data protection reform plans in response to its initial consultation, "Data: A new direction", launched in the autumn of 2021. The Government will implement the reforms primarily via the announced Data Reform Bill, which it will lay before Parliament in the coming months.
Both the initial consultation and the recent response are extensive and technical documents, covering over 70 policy proposals across a broad set of areas. In this article, we focus our analysis on the key policy measures that we believe are immediately relevant to digital and technological investment and transformation strategies in the FS sector.
Measures to reduce barriers to responsible innovation
The Government announced three key policy changes to help create more transparent and consistent rules for using personal data to support the adoption of new data-driven technologies.
- A clearer definition of scientific research. Organisations processing data for scientific research purposes are currently subject to somewhat less stringent data protection requirements – provided appropriate safeguards are in place. However, there is currently no definition of scientific research in the actual text of the UK GDPR. Recital 159 provides a definition but does not have the same legal status, and many also argue that it leaves too much room for interpretation. Therefore, the Government confirmed it would create a statutory definition for scientific research, based on Recital 159, to improve clarity for researchers and individuals about what is in scope. We agree on the need for a clearer definition of scientific research with a solid legal status. However, the Government has not (yet) confirmed the exact definition. Specifically, it is not clear whether such a definition will also explicitly cover commercial research and under what, if any, conditions. We believe that certainty on this issue is paramount to supporting FS firms' investment and participation in research into new technology use cases aligned with public policy objectives (e.g., identity verification, AML, support for vulnerable customers).
- Removal of the "balancing test" requirement in limited circumstances. Organisations are currently required to complete a so-called "balancing test" when relying on the legitimate interest lawful basis for processing personal data. This involves weighing up whether the organisation's interests in using personal data outweigh the rights of data subjects. In many cases, organisations avoid using legitimate interest as a lawful basis due to the complexity and costs of completing this assessment, choosing to ask for consumers' consent instead. To give organisations the confidence to make better use of legitimate interest as a lawful basis, the Government confirmed it will create a limited list of legitimate interests for businesses to process personal data without applying the balancing test. The Government is still working on the final list, but it is likely to include processing activities to prevent crime or report safeguarding concerns, or those necessary for other important reasons of public interest. Depending on the final list, and assuming FS would be in scope, this measure could substantially facilitate better use of personal data and technology in activities such as KYC, AML, and digital ID verification in FS.
- Facilitating bias monitoring in AI. The Government confirmed it will legislate to provide additional legal clarity and enable organisations to use sensitive personal data to monitor and correct bias in their AI systems, subject to appropriate safeguards. In our view, this is a significant positive step and one we had argued was critical to helping firms build Trustworthy AI systems.
Overall, we think these measures will help give FS firms more confidence in using and collaborating with other organisations to leverage personal data as part of their innovation and growth strategies.
Measures to reduce barriers to international data flows
The Government stressed the importance of removing unnecessary barriers to cross-border data flow and wants to progress an ambitious, risk-based, and outcome-focused programme of adequacy assessments. For example, the Government will invest in ongoing monitoring of adequacy regulations and relax the requirement to review adequacy regulations every four years. The Government also plans to legislate to support the creation and recognition of new alternative data transfer mechanisms (ATMs).
FS firms will broadly welcome measures that remove unnecessary barriers to international data transfers, given the international footprint of their clients and third party service providers. However, while we agree with the UK Government's assessment that most of the proposed reforms should not pose a significant challenge to the UK maintaining its EU adequacy status, it may not be as straightforward concerning adequacy decisions and ATMs.
This is because they open the possibility of EU residents' data being shared freely via UK firms to third countries that have not received an adequacy decision from the EU, e.g., the USA. In its UK adequacy decision last year, the EU Commission highlighted that it would closely monitor the question of onward transfers under a future evolution of the UK's data protection regime. As the UK and EU currently share virtually the same rules for international transfers, the Commission expected that any problematic divergence could be avoided through cooperation and engagement.
Yet, it is unclear how the UK Government will balance its vision for an ambitious and autonomous UK international transfers regime with the need to cooperate and remain closely aligned to the EU. The clear message from most respondents to DCMS' initial consultation is that free data flows from/to the UK and the EU remain of primary strategic importance. Above all, long-term clarity around these issues will be critical for firms operating in FS across both the EU and UK.
Outstanding strategic policy questions
The Government has decided to hold back on a broader set of innovation-focused proposals included in its initial consultation, for example, clarifying the definition of fairness in an AI context. It will instead consider these proposals further as part of the forthcoming white paper on AI Governance, expected by the end of the year.
Similarly, the Government confirmed its commitment to legislate to enable the development of secure and innovative data-sharing schemes and ecosystems. However, it will only provide further details in the forthcoming Smart Data legislation, which will also set up the high-level legislative framework to enable the development of Open Finance in the UK. Our understanding is that Smart Data legislation will form part of the forthcoming Data Reform Bill, together with data protection reforms.
Both AI and Smart Data are complex policy matters, and we agree that they require specific and thorough consideration. Yet, as the challenges of reconciling Open Banking and GDPR taught us, it is also essential to consider these initiatives as a holistic legislative package if the Government is to achieve its objectives of unlocking the power and value of data in FS. Accordingly, the Government should ensure that the future regimes for data protection, AI, Smart Data, as well as Digital ID are synchronised, move forward at pace and are compatible and coherent when considered in aggregate.
The Government's planned changes to the UK data protection regime are much more comprehensive than just the selected measures covered above. They also include wide-ranging reform to the Information Commissioner's Office (ICO)'s objectives, strategic priorities, governance and accountability model, and investigatory powers. For example, the Government will give the ICO new secondary duties to consider economic growth, innovation, and competition in its supervisory and enforcement activities. The ICO will also have a duty to consult and cooperate with other cross-sector and sector authorities when exercising these duties. We believe this is a very positive step. We have long argued that additional coordination between cross-sector and sector regulators is crucial to help provide the regulatory and supervisory clarity to support data-driven innovation in FS.
The Government also wants to reduce unnecessary compliance burdens for organisations, especially smaller ones. Legislative changes will facilitate a shift from a rule-based to a more risk-based and proportionate approach. For example, organisations will no longer be required to undertake Data Protection Impact Assessments or appoint a Data Protection Officer. Instead, they will need to appoint a suitable senior individual to be responsible for the organisation's privacy management programme (PMP), which should include tailored and proportionate risk assessment tools to manage data protection risks across their organisation. The focus on proportionality and flexibility should particularly help smaller FinTech firms. And the focus on senior management accountability aligns very well with the existing Senior Manager and Certification Regime that FS firms already need to comply with.
We expect the Government will lay its planned Data Reform Bill in Parliament in the coming weeks or months, which will help clarify some of the missing details or outstanding questions we highlighted. While gaps remain, and it will take time for legislation to be finalised and for the reforms to be implemented, it is encouraging to see the UK's post-Brexit innovation policy agenda finally starting to take shape.
 The current UK data protection regime consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA).