The recent publication of the UK Government’s planned Data Protection Bill filled me with dread.
My first thought was “Oh God, what now!?” but I decided to read the statement of intent before drawing any firm conclusions.
The UK has a booming digital economy and, in a post-Brexit world, it could well be one of our sources of competitive advantage in the global economy too.
The Government quotes data from the Boston Consulting Group that says digital will make up around 12% of our economy — nearly double the rest of the G20, the EU27, the US, India or China.
Getting data governance right, therefore, is a core element in the strategy for both surviving and flourishing in a digital future.
The legislation effectively brings into UK law the impact of the now infamous General Data Protection Regulation (GDPR), DPLED (Data protection in Law Enforcement Directive) and the updated Data Protection Act.
The Bill enshrines three essential objectives: maintain and build consumer trust and power; secure future trade; and enhance law enforcement capabilities. We’ve already commented at length about the relationship of consent and trust, with consumers twice as likely to share their data with a trusted brand.
Beyond the obvious challenge of gaining consent from consumers who are, in the main, unwilling to give it, there is a fundamental change within the legislation of which businesses — not least insurers — need to be aware. The government makes a number of profound statements about what it wants to achieve (while avoiding the “chilling effect of over regulation”) but shifts the burden for how this is to be achieved onto business — and to an extent, onto the consumer too.
Consumer: more power to you
The government wants to give the people the right to take control over their data, to empower them to control who has it and what can they do with it, while ensuring ease of access, adjustment and deletion.
With these incredible rights come responsibilities for consumers. They need to care about their data. They need to understand the contracts, explicit and implicit, they make with service providers. Insurers know only to well how well consumers generally do that.
We undertook research last year where we asked people if they would pay £1 a month for Facebook. The vast majority said no. And yet Facebook in the UK actually has revenue of over £14 a year per user from advertising.
It’s about understanding what you’re worth as well as what you’re prepared to give.
Being educated about rights and responsibilities is crucial for consumers to understand what they are dealing with. If the government isn’t going to directly play a hand in this then it will be left to the media instead — which, ultimately, means a win for sensationalism over rationalism.
Business: it’s your responsibility
Government is speaking softly to business but carrying a very big stick. The statement of intent talks about accountability, but less bureaucracy; the need for impact assessments and simpler rules. With this comes the need for business to appoint a dedicated Data Controller who will be legally responsible for making sure the business is compliant.
The law will require business to “step-up” to create a safe environment for consumers to share and access their data in a conscious, free and easy way.
The fines for falling short are up to £17m or 4% of global turnover, and let’s be clear: it can be the higher of those. At the moment the Information Commissioner is limited to fines of £500,000 and the highest fine they have ever levied is £400,000. While the full extent of the fines will not be brought to bear, except as a last resort, how many businesses will be prepared to take that risk?
And let us also be clear about what “personal data” is. It’s not just my name. It’s anything you can attribute to me, including my IP address and the machine ID of my computer. It’s all mine. In the case of portability, deletion, or the standard approach of profiling customers for, say, a credit card application, the solutions are complex, and the clock is ticking. It remains largely unclear how they can be delivered at all — let alone in a way that tangibly benefits consumers outside the standard Orwellian narrative.
What is clear is the Government is trying to make sure that the digital economy is an integral part of our future. By creating this new environment, it also is creating an obligation for businesses to ensure that consumers’ existing rights are protected, while giving them new ones.
There’s also a kicker. The dryness of the topic, and the intangibility of some of the benefits, does leave one wondering “Who cares?”. Consumers didn’t ask for these rights. They probably don’t understand them and will, in all likelihood, have only limited education on the power of their data as a result of a new Act of Parliament.
The UK’s future may well be digital, but it’s crucial that consumers, as well as business and Government, all step up to meet the opportunity. This legislation is only the first step – a canvas at best – and its true impact will only become clear when the rubber hits the road.
GDPR: need to know
The Government wants to achieve 3 things:
1) Maintaining trust of consumers in how their data is used by
2) Secure future trade
3) Protect law enforcement activities
1) Consent: should be unambiguously and explicitly obtained and easy to withdraw
At Consumer Intelligence we want our clients to survive and thrive in the new framework, so here are some things we are doing to help:
To be clear, our research shows that there are some things that brands can do to gain a distinct advantage in this process but not every brand is starting in the same place. Some companies are going to have to work a lot harder and they need to start now.
Data is the lifeblood of the modern insurance industry. It influences everything from pricing to claims, and insurers are constantly searching for the right data on the right customers. Without data, the insurance industry just ceases to operate...