Co-authored by techUK’s Antony Walker.
This stuff is important. Whether it’s government snooping or companies abusing ‘God-view’ features, there is real and legitimate concern that our personal data is handled properly and our privacy respected.
If we want more people using digital services and taking advantage of all the benefits that brings, they need to trust that their data will not be abused.
Startups gain hugely from data protection rules that provide consumers with the confidence to embrace new digital technologies. But they are also disproportionately impacted by rules that are excessively onerous on business.
Is change good?
Imagine you’re the founder of a startup when you get the news that your company will have to radically change its business model, and may even be put out of business. This is the problem posed by new EU data protection rules currently being agreed in Brussels; well-intentioned regulations that end up stifling innovation and harming startups.
To bring this rather dry subject to life, Coadec, working together with techUK, has commissioned a leading data protection law firm to look at what current drafts of the new law would mean for a fintech startup we invented, Lend.io.
You can read the full analysis here, but there are a few key points.
Data protection officers and audits
Any startup that processes data on more than 5,000 people will need to appoint an expert data protection officer, and audit and document their data processing practices.
In practice, this would mean hiring expensive consultants and lawyers, something most startups could ill afford.
Roadblocks and delays
The more advanced data processing done by many startups will require even more stringent checks: a risk assessment, a privacy impact assessment, and most importantly getting advance permission from the Information Commissioner’s Office to operate.
This would require yet more expensive advice. And given that in its last annual report the ICO complained it did not have the resources needed to fulfil its current mandate, how will it cope when thousands of digital businesses are suddenly knocking on its door for approval?
An end to automation
Perhaps most worrying is the possibility that ‘profiling’ which leads to legal effects and is automated could be prohibited entirely.
For our example of Lend.io, this would mean that automated processes that pull in credit ratings and other data about an individual to make decisions about risk and lending would be outlawed. They might need to introduce human review of lending decisions, massively increasing their costs.
Ongoing confusion for businesses and consumers
Terms and conditions presented to consumers will become more complicated as a result of the new rules, and changes to the definition of ‘legitimate interest’ could mean that consumers are inundated with confusing requests to give consent. Some Internet of Things services that use personal data could just become completely impractical for this reason.
Meanwhile, without an effective one-stop shop, it looks highly likely that member states could end up taking different views on how the whole regime is implemented in practice, leading to years of regulatory uncertainty.
Still a chance to make a difference
Thankfully the final rules haven’t yet been fully agreed and the next few months are vital.
So we are calling on the UK government to continue raising these concerns, and also plan to take some UK digital entrepreneurs to Brussels to make this case.
Two of the key MEPs on the dossier are both British and both represent important tech hubs: Vicky Ford, Chair of the Internal Market Committee from Cambridge and Claude Moraes, Chair of the Justice Committee from London. If you are interested in being involved do please get in touch.
We need data protection rules that make it easier for consumers to understand and exercise control over how their data is being used, whilst at the same time not imposing excessive burdens on business. We’re not there yet, and it is vital that we make up the ground soon.