Nigel Jones, co-founder of the award-winning Privacy Compliance Hub, explains why the government’s posturing over shaking up data rules could do the financial sector more harm than good
Last month, the government announced it wants to “shake up” the UK’s data rules in favour of a regime “based on common sense, not box ticking”. The move comes at a time when the tenure of the UK’s current Information Commissioner draws to a close. Elizabeth Denham’s likely replacement, John Edwards, is to be tasked with balancing the protection of individuals’ rights with promoting “innovation and economic growth”.
Such plans were lauded by the former Secretary of State for Digital, Culture, Media & Sport, Oliver Dowden, who called the reforms “one of the big prizes of leaving” the EU. Dowden is known for his dislike of the GDPR and what he called “pointless” cookie pop-ups. Back in February, he wrote in the Financial Times that the regulation “has hampered innovation and the improvement of public services and prevented scientists from making new discoveries”. Of course he doesn’t elaborate further, so I can only speculate about what exactly we’ve been missing out on.
Rhetoric about ripping up red tape and ‘taking back control’ might appeal to a populist crowd, but there will be serious implications for the financial sector if UK businesses stray too far from the parameters of the GDPR.
Driving the fintech boom
The financial services industry has evolved rapidly over the past two decades, thanks in part to changing customer behaviour and pressure applied by digitally native fintechs. It’s big business for the UK – in 2019, the financial services sector contributed £132bn to the UK economy, 6.9% of the country’s annual economic output. That makes it the ninth largest in the OECD. Our fintech sector is thriving, attracting a record £18bn investment in the first half of 2021, championed by a new generation that’s embracing new digital-first payment models and the insights facilitated by open banking.
Making those wheels turn is a vast amount of personal data that customers provide to these financial organisations. Crucially, that’s not just data held within the UK – we are a major hub for the rest of the world too. Almost 12% of global cross-border data flows pass through the UK and 75% of this traffic is with our European neighbours.
If we want this to continue, UK companies must continue to comply with the UK GDPR which is the basis of the adequacy decision granted in June by the EU. That decision deemed the UK’s data protection regime as offering equivalent protection to that offered by the EU so that data transfers from the EU to the UK can continue. In contrast, data transfers from the UK and the EU to the US were thrown into question when the Court of Justice of the European Union deemed the US standards insufficient (a decision known as Schrems II), which brought an end to what was known as ‘Safe Harbor’.
It’s about trust
So, deviating from the GDPR may be risky. But beyond the repercussions of disrupted trade, these are certainly not measures that the UK should be looking to water down anyway. The GDPR (which is only obliquely relevant to cookie pop-ups in any event) is there to inform and protect the privacy of citizens. Data privacy is a fundamental human right, and it’s one we should protect – for the sake of ourselves and for future generations.
This is particularly true for the financial sector because much of the data being held is so sensitive. Customers care deeply about privacy when it comes to their financial information. A third of all UK organisations lose customers after a data breach and four in 10 consumers say they’ll never return to a business after a security issue. Demonstrating good practice in this area builds trust and boosts users’ confidence in businesses and services.
Having an ethical data culture also has benefits around security. The World Economic Forum reported a 50% increase in cyber attacks during the pandemic, with 71% of security professionals around the world reporting an increase in threats since lockdown started. According to Accenture, the average cost of cybercrime is $16.7m (£11.7m) for banking companies, 28% higher than other sectors.
Creating a culture of continuous privacy compliance
Data privacy isn’t a barrier to innovation. Done right, it actually empowers employees to use the information an organisation holds to glean insights and think outside of the box. It can drive revenue and fuel growth. It shows your commitment to the safety and security of your customers and can be a key competitive advantage. The public is more engaged with this than they’ve ever been and other organisations, such as potential partners and investors, are looking to work with companies that take this seriously.
Privacy compliance isn’t a one-off project or something that can be outsourced to your legal team. It’s an ongoing effort that must touch every employee across every department, and every product or service right from the moment it’s conceived as an idea.
I know that it can be difficult to know where to start. But do you and your team know what data you collect, what you do with it, and where you keep it? Do you know the permissions you have in relation to how you can use that data, how long you are allowed to keep it and what you do with it when you no longer need it? Who are you sharing it with and do you have the right agreement in place? Is your organisation as secure as it could be?
I’ll give Dowden credit where credit’s due. The UK can become a leader in data-driven growth. We have the momentum, the talent, and the investor interest to make that happen. But those business models need to be built on a solid foundation of privacy to succeed. That’s just how the cookie crumbles.
Nigel Jones is the Co-founder of The Privacy Compliance Hub, a no-nonsense platform created by two ex-Google lawyers that makes compliance easy for everyone to understand, care about and commit to. Take your free 10-minute GDPR health check here.