Leveling the data protection playing field? A look at the UK data privacy landscape
By Alexis Kirkman, Associate General Counsel, Senior Director, Fivetran
Data is increasingly becoming a currency in the digital world – it can be made, tracked and traded; the more you have of it, the more options you have to explore new avenues to grow; and now, increasingly, the less transparent you are with it, the more trouble you can get into. The world is more privacy-conscious about data than ever before – from platforms enabling users to download their data, to apps on your iPhone requesting your explicit permission to use your data for personalisation.
Yet the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018 with the aim of enhancing individuals’ control and rights over their personal data, is increasingly seen as unfit for our times. Since leaving the EU, the UK has progressively made it clear that it shares this view and intends to move away from GDPR legislation in order to chart a new course in data protection regulation.
Regulating the unknown
The most detailed evidence of these efforts comes from a report published by the government’s Taskforce for Innovation, Growth and Regulatory Reform (TIGRR), which proposes that the UK replace GDPR with a new framework for data protection. It says GDPR “overwhelms people with consent requests and complexity they cannot understand, while unnecessarily restricting the use of data for worthwhile purposes,” stifling innovation in AI, blockchain and other growth sectors.
With the UK operating the largest data market in Europe – and growth in the digital sector outstripping growth across the nation’s economy as a whole six times over – claims like this must be given proper attention. Under GDPR, data collection can only take place for explicit purposes, which imposes limits. It can be argued that the very power of AI comes from the fact that it can dissect and rearrange diverse data sets to find new insights and revenue centres that humans can’t – and key to this is the ability to collect data even before its potential value can be understood by humans.
Additionally, GDPR stipulates that people can’t be subject to a decision based solely on automated processing and that human review must be part of the process. In the UK’s vision for future data protection, this requirement is fully removed, paving the way to more flexible AI use cases where automated profiling is in a legitimate or public interest. Of course, no organisation or government wants to be seen as indifferent to an individual’s privacy choices so any new system will have to strike the right balance between enabling innovation and compliance with the spirit of the law.
SMEs versus tech giants
The financial cost of inflexible data processing rules – manifesting in possible lost opportunities and revenue in the arena of AI-led innovation – is just one side of this coin. There is a strong argument to be made that small and medium-sized enterprises (SMEs) have been more negatively impacted under GDPR than their much larger counterparts.
With resources galore, large companies not only have more choice in designing consent requests so that they are more readily accepted, they are also in a better financial position to deal with any negative repercussions. Fighting the regulator or paying the price of non-compliance is not an easy option for most SMEs. The UK’s proposed new regulatory infrastructure seeks to establish a level playing field between companies of all sizes, where more proportionate practices ensure users can give “more meaningful and informed consent in a way that is less intrusive”.
As consumers and technology users, many of us will remember websites before GDPR and cookie banners, just as we remember flying through airports before 100ml travel bottles were a staple item in suitcases. But just like airport security, we can’t imagine – nor would we want – the protections put in place to safeguard our data to be undone. This means any ‘lighter-touch’ system the UK ends up with will be a balancing act – and for sure a test of adaptability for businesses.
Keep your house in order
Whether the new data protection rules will live up to the promises of accelerating growth in the digital economy, improving productivity and enabling businesses to provide more value to customers, one thing is for sure: until a new data framework is signed, SMEs must focus on prioritising their technology investments to prepare for the unexpected.
One sure-fire way to navigate the uncertainty is ensuring that the company’s own systems for handling data are up to scratch. Do you know where permissions lie for user data? If a user revokes their consent, how fast is this communicated to all relevant data teams? Can you trust the data? These are all questions decision-makers should be asking – and they all come down to data governance.
Good data governance is characterised by clear decision rights and accountability over how data is created and managed by an organisation. This includes adhering to industry security standards while connecting up data sources, moving data around and replicating it across the enterprise. Your entire technology stack – from source applications, data integration and cloud data destinations to business intelligence or AI tools – must combine enterprise-class security features with comprehensive audit capabilities.
Then, there is first-party data. If Apple taught the world anything by doing away with its identifier for advertisers (IDFA), it’s that third-party data – meaning data not directly acquired by a company – is getting increasingly hard to come by, as it is not something users choose to give away, if they are given the choice. First-party data, by contrast, is much more reliable, since it is explicitly provided to the organisation by the customer. Maximising the use of this data source should be at the top of business leaders’ agenda, and they can do this with a scalable data strategy and the right stack.
A cautious outlook
Safeguarding data is both an operational and financial imperative. After all, if individuals are unhappy with the way a business uses their data, it is their prerogative to take their custom elsewhere – and legal transgressions cost businesses even more than customer loyalty.
But today, data protection is even more than that – it’s a value that businesses want to wear like a badge of honour. Going forward, to successfully navigate the evolving UK data privacy landscape, SMEs will have to focus on managing what’s manageable and instilling the bones of a data governance strategy that will save them from the financial peril of non-compliance and stand the test of time.