Information is one of any organisation’s most valuable assets. Those businesses which harness the power of the data that they hold are those which we see thriving in the digital economy. The data protection landscape in the UK can be daunting and we know it may be limiting businesses’ ability to use their data effectively.
Businesses should not let concerns around compliance with data protection laws stop them exploring new and exciting ways they could be using personal data. The organisations that we see succeeding most are those that view the data protection framework as an enabler to success rather than as a blocker or something to be scared of. So that more organisations can succeed, TLT has partnered with the CBI and Infosys to bring you a toolkit to help navigate these challenges and transform potential limitations into opportunities.
Hear from TLT's Gareth Oldale on the value of making the most of your data
Any organisations looking to make the most of their data – whether they are just starting out on their compliance journey, or looking to venture into new areas or try different things with data – need to innovate with the legislative requirements and the data protection principles in mind.
The key principles of UK GDPR are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
You can find out more about the data compliance landscape here.
It is for each organisation to decide how they embody these data protection principles when processing personal data, and to explore how this is done in practice. Factors such as sector, the sensitivity of personal data, and reputational considerations will all play a part in an organisation’s approach to how it processes personal data.
Data ethics and trust
Being regarded as a trusted brand has never been more important. People expect businesses, as trusted users of personal data, not only to comply with the law (that’s a given) but to ‘do the right thing’ when it comes to using data. The principles of purpose limitation and lawfulness, fairness and transparency are especially relevant when we think about the link between data and ethics. The ‘purpose limitation principle’ means that organisations must be clear from the outset about what the data they collect will be used for. Businesses must identify a legal basis to do this which is fair to the individuals, and the individual must be informed of this in an open, easy-to-understand and transparent way.
When a business is considering using personal data in any particular way, it needs to ask itself questions like “would undertaking this processing uphold our brand’s ethos and values?”; “are we proud of processing data in this way?” and “would the individuals want us to process their data in this way?” This should also extend from your own organisation to any other businesses you consider sharing data with. If there is even an inkling that your business would not be happy to be open and honest about how it is using data, the likelihood is that you are not being transparent and therefore are not complying with the principles.
The Data Protection and Digital Information Bill
Following extensive public consultation, the UK government is now looking to use its post-Brexit freedoms to move away from privacy legislation that started in EU law. It has proposed legislative change in the form of The Data Protection and Digital Information Bill, which is currently going through Parliament. The new Bill is regarded by DCMS as “evolution rather than revolution,” but the extent of the change will depend on whether the Bill goes through Parliament unamended. As the Bill is not currently in final form, organisations should not yet start making changes relating to it, but it is interesting to note the direction of travel in the proposed legislation.
Many of the changes in the new Bill relate to accountability, and the impact this will have on how organisations structure responsibilities in their privacy teams. One example is that there may no longer be a need to appoint a Data Protection Officer, but there will be a requirement for some organisations to appoint a Senior Responsible Individual (SRI) to perform specific tasks. The SRI must be part of the organisation’s senior management and be responsible for ensuring and monitoring compliance, as well as dealing with requests and complaints, liaising with the ICO and arranging appropriate training for the rest of the organisation.
The future of artificial intelligence regulation
A particularly exciting area of development is in Artificial Intelligence. Whilst the development and fast-paced nature of AI can pose inevitable risks, the UK government seems to be setting out a far less prescriptive approach to addressing potential risks than other countries. Despite no existing laws in the UK being explicitly written to regulate AI, it is partially regulated through a combination of legal and regulatory requirements that have been designed for other purposes. Proposed UK reforms do not appear to involve a new AI regulator, nor new AI regulatory powers for existing regulators. Instead, the reforms focus on encouraging the responsible use of AI and promoting the responsibility of sector-specific regulators for the implementation of principles in their areas.
It is only once further guidance is provided on how The Data Protection and Digital Information Bill is intended to work in practice that organisations will have a clearer understanding of how their current data protection processes will be affected by the Bill, and whether it actually delivers on the less onerous data protection regime that the government seeks. Bearing in mind the government’s vision to strengthen the UK’s position as a global AI super-power, it will be interesting to see how the UK’s regulatory approach to AI compares with its global competitors once finalised.
The past 12 months have been characterised by global uncertainty, concerns around the war in Ukraine, the continued impact of COVID-19, and (in a privacy context) the future of international data transfers following the Schrems II judgement and the UK’s exit from the EU. With one of the largest dedicated Data, Privacy and Cybersecurity teams in the country, TLT has been at the forefront of legal developments in each of these areas, not only responding to these events after they have happened but, in many cases, advising on the development of policy before the changes happen.
Complying with the latest data protection and cybersecurity rules keeps a business and its key stakeholders safe, mitigates reputational damage and prevents significant penalties. Navigating the complex international network of rules on data privacy, confidentiality and Freedom of Information can benefit every area of a business, uncovering rich information sources that lead to much more effective commercial decision-making.
TLT supports large corporates, public institutions and high growth businesses on their strategic and day-to-day legal needs. We offer clients market-leading legal expertise, near-legal consultancy services and a suite of solutions developed under our FutureLaw innovation programme. With local, national and international reach, we work with organisations in the future energy; digital; financial services; leisure, food & drink; public sector; real estate; and retail & consumer goods sectors, protecting their interests today and progressing their ambitions for tomorrow. Whether it’s building relationships or the sustainability of our actions, we think long term – working with our clients to put people, communities and the environment at the forefront. To find out more, contact Gareth, partner at TLT and head of Data Privacy and Cybersecurity.