‘GDPR Is Holding Back Data-Driven Businesses’

In an important contribution to the debate about the use of data in society, insurance-focused law firm, Kennedys, has said that it believes that when it comes to areas such as GDPR ‘we have a legal framework which potentially hinders businesses from innovation and the use of new technologies’.

The comments come at the end of a vital consultation in the UK that will help to build what the Government is calling the National Data Strategy, or NDS – another acronym you’ll be hearing a lot more about in the months ahead.

The NDS, the Government explains, is: ‘[An] ambitious, pro-growth strategy that drives the UK in building a world-leading data economy while ensuring public trust in data use.

‘It will help ensure that people, businesses and organisations trust the data ecosystem, are sufficiently skilled to operate effectively within it, and can get access to data when they need it.

‘The NDS will also provide coherence and impetus to the wide range of data-led work across Government, while creating a shared understanding across the economy of how data is used.’

And that all sounds fair enough. Moreover it comes at a time when the UK is leaving the EU and therefore – as an independent country once again – it has an opportunity to reshape data rules here.

That said, the assumption by many experts here has been that even after Brexit the data rules in the UK would effectively mirror the EU’s rules and not really differ. And yet….given that the UK Government is consulting on what is in effect a new data strategy there may well be some significant changes after all.

Understandably, lawyers are very engaged on this topic, especially those in the insurance sector because of the essential role there in leveraging and analysing data from people in order to deliver their products.

After all, what is an insurance product but a prediction based on observable data and observable patterns in human behaviour? If you make those observations, and the calculations that follow, very hard to do, you scupper the ability to design and deliver value via insurance. Hence, Kennedys have some strong views on the matter.

The firm went on to say: ‘Data and data use should be seen as opportunities to be embraced, rather than threats against which to be guarded.’

And that really is a key phrase here. Data as opportunity to create new value, rather than seen as a threat. Of course……easy to say, but we still need some protections. The challenge, as ever, is getting the balance right. However, clearly some believe the balance at present is not working.

They point out that in the insurance sector in particular: ‘Data around risk, policies and claims are poorly standardised. Non-standardisation and a lack of coordination on data mean that data collected by one organisation cannot easily be used by another. This results in duplication of effort and wasted resources.

‘This is happening across multiple verticals in the UK and it generates unnecessary friction and cost. By standardising in order to remove these frictions, the delivery of services can be more effective. 

Pooling data across multiple sources, both within and between sectors will create new economic opportunities just as has been shown to save lives during the Covid pandemic. Equally, data that is not standardised but is nevertheless pooled produces inaccurate results and in fact increases friction.’

But……and here is where it all gets complicated…..pooling data about people can create much better products and outcomes, but it also leads a business into some tricky legal territory at present with the EU’s GDPR rules. As mentioned, when the UK leaves the EU there is a chance for some kind of re-jig. The question is what will it look like and then how will the UK system play nicely with the EU’s data rules?

Karim Derrick, Director of Research and Development Innovation at Kennedys, has a clear view on the need for some kind of change: ‘The insurance industry has certainly had to find a way to adapt to the GDPR and is arguably not reaching its full potential due to the limitations and complexities associated with the current data protection framework.

‘The fact that we have a legal framework which potentially hinders businesses from innovation and the use of new technologies – such as using aggregated data to price risk or otherwise – in an increasingly digital and data-driven age suggests that changes or clarification may be required.’

And he goes on to say:

‘We also recognise that the rules which underpin such innovation must encapsulate principles that do not infringe human rights. As the UK takes over the G7 presidency in 2021, there is a clear opportunity for the UK to drive forward a framework that develops those principles, and at the same time, cement its role as a world leader.

Indeed, we believe we are at a critical moment. Through responsible and human-centred rules, the UK has a very positive opportunity in both data-driven technology and rule-making.’

Powerful stuff!

Now back to the legal side of things. The law firm said that the first priority post Brexit should be ‘to obtain an EU adequacy decision for the UK, while issuing an adequacy decision of its own for the EU immediately, to speed up what can be a slow process’. 

Once an EU adequacy decision is obtained, Kennedys said the UK should adopt ‘a much more pragmatic approach to adequacy criteria and adequacy decisions for third countries than the EU does‘. 

Interestingly they added that the US/UK data relationship may be the way forward: ‘This approach should include negotiating a version of the Privacy Shield between the US and the UK.’

And that no doubt is going to need a lot of negotiation

To conclude, Deborah Newberry, Head of Public Affairs at Kennedys, said: ‘The draft National Data Strategy is a significant and welcome plan that puts data at the heart of the country’s economic wellbeing and seeks to address issues such as trust and human rights that are a vital part of the conversation.

‘At Kennedys, we have been working on legal and technical frameworks for operating within the GDPR to protect individual privacy rights whilst ensuring that consumer and corporates are still able to benefit from aggregated data. 

We are developing anonymisation techniques that bring together machine-driven personal data identification, data standardisation, data classification and hashing algorithms to develop data-driven insight free of bias and without compromising individual identities.

‘The draft National Data Strategy gives us confidence that the government wants to put a structure in place that supports vital developments like these and place the UK at the forefront of data-driven technology.’

So, there you go. Just when you thought you’d come to terms with the current regime for data protection there could be some important changes coming, at least in relation to the UK.