Tens of thousands of businesses will be affected by one of the most significant changes to data regulations in years. The new Online Safety Bill, which has been tabled by the UK government and could come into force, could drag many companies that wouldn’t ordinarily expect to be subject to its oversight into the crosshairs. By one estimate, around 25,000 companies could come under its control.
All of which adds up to a headache. With nearly 200 clauses and 12 separate parts, keeping onside of the law can be a full-time job. And with potentially enormous punishments for breaching it, including personal responsibility for executives of the companies involved, it’s an issue that needs to be considered carefully from all perspectives – including data.
But before getting too worried, it’s worth putting the requirements of the upcoming law into perspective.
Business as usual
“It’s not too dissimilar from the legislation that was thrust upon financial services in 2008 off the back of an absolutely catastrophic event that left a lot of people without homes and losing their livelihoods,” says Dael Williamson, EMEA field CTO at Databricks. In the aftermath of the financial crash, which some believe was brought about by mismanagement in banks and other financial services companies, the government instigated stringent new rules around compliance.
Those rules were necessary then, and these ones are necessary now, believes Williamson. “It’s an important measure that’s come in place,” he says. “I don’t think it should impart fear.” The financial regulations put into place in the aftermath of the financial crisis created “a huge amount more resilience in our financial markets,” says Williamson, and he has no reason to think the Online Safety Bill would do anything different. Any organisations that choose to perceive it negatively would also likely fall foul of public perception: four in every five UK adults say that more action is needed to keep tech companies in check, showing broad support for the bill as currently devised.
There are wrinkles for any business to bear in mind about the legislation, cautions Alan Woodward, professor of cybersecurity at the University of Surrey. “It’s a tricky one this because the business implications are not obvious,” he says. “Much will depend on how it interacts with GDPR.” Woodward points out that there is the potential for a business to become “vicariously liable” if they handle data that comes under the auspices of the Online Safety Bill. He says that could cover hardware such as corporate-issued devices or shared drives. But it’s not yet clear. “I think so much is up in the air because so many of the terms of the bill are vague and yet to be interpreted,” he says.
The bill as currently drafted would put power back in the hands of everyday users to dictate what they see and how they’re presented with information, says Robin Sutara, field CTO at Databricks. “Putting control back in the hands of people so algorithms are determining what content they do or don’t want to see is no bad thing,” she says. Instead, she sees this as a logical next step in the world of tech as consumers become savvier, knowing that they are the product as well as the user. “This is just the next step in the evolution of ‘how do we get more power to the consumer to be able to control what they do?’,” she says.
The changes do mean that businesses need to adapt to keep abreast of evolving regulations, however. That will require creativity, says Williamson. “What I mean by that is some data will need to be more guarded than other data,” he explains. It’s similar to how banks were forced to instigate a regime of red data and green data in the aftermath of their regulatory crackdown post-financial crisis. More governance was added around sensitive data needing careful oversight compared to everyday information that can be shared and handled more freely.
Taking such an approach requires data producers and those handling it to decide which bucket their data falls into, and to take the requisite approaches to it depending on that, says Williamson. At first, that may seem daunting, but it needn’t be.
The case for continuity
“It’s kind of a healthy constraint, and it’s just putting enough friction in place to make sure that they’re adhering to the rules,” he says. In that sense, it’s best to approach the Online Safety Bill as a Goldilocks law, gently encouraging those already following the rules to double-check their working and justify their decisions, rather than requiring an entirely new team of individuals to work twice as hard on implementing its changes and meeting its new requirements.
For well-run organisations, this will be a small, additional task, rather than an overhaul of how they handle data. “It’s just a next step in the evolution of a process around governance and structure, and identification of the datasets that are more at risk versus less at risk,” says Sutara. “The hope would be they’ve already thought about those things as they’re setting up their data ecosystems.”
And often, says Williamson, companies already have in place the kinds of structures that will be required from the Online Safety Bill as part of their regular data compliance checks – they just don’t realise it. “The most important message is, you shouldn’t be scared of this if you’re doing these other things that we’ve spoken about,” says Williamson. “Actually, it’s just another opportunity to build trust with your customers and your consumers.”