The Data Use and Access Act (DUAA) received Royal Assent on 19 June 2025 (the Commencement Date) and will come into effect in phases.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Some elements of the provisions which are in force add clarity for firms, but the impact of other provisions is to be determined. This is because they are expected to commence two, six and twelve months after the Commencement Date via the passing of further statutory instruments.

The Information Commissioner’s Office (to be known as the Information Commission in due course under DUAA) is also to publish guidance on the provisions of the Act.

A new dawn for open banking?

Provisions yet to come into force include sections 14 - 17, which provide that the Treasury may, by regulation, make provision enabling or requiring the FCA:

  • to make interface rules regarding customer data/business data
  • to use prescribed interfaces
  • to comply with prescribed interface standards
  • to issue notices and give directions
  • to impose penalties for non-compliance

This arguably looks to build upon the open banking and open finance agenda by the Competition and Markets Authority with a view to creating more competition and innovation within the financial services sector.

Clarity under DUAA

DUAA adds clarity in, for example, section 78 (which came into force on the Commencement Date), which provides that a data subject is only entitled to such information as the controller is able to provide based on a “reasonable and proportionate” search.

What else is in force now?

Other changes are also in force now, such as those in respect of the retention of biometric data and recordable offences and the retention of pseudonymised biometric data by law enforcement.

What can we expect to see in the near future?

Two months after the Commencement Date, provisions, amongst others, will come into force clarifying what constitutes a valid notice served by the Information Commissioner’s Office, and also that both information and documents may be required by the ICO.

What about the mid-term?

As future regulations are yet to be implemented, the details of these are not yet known. Therefore it is difficult to make an assessment of how evolutionary or revolutionary these regulations might be.

Whilst at first sight DUAA may appear innocuous, there are certainly a good number of known unknowns including provisions to come into force in respect of digital verification services and the details of the revised framework for automated decision making.

Certainty of the future regulatory landscape

However, what is a known known is that markets do not like uncertainty.

Recently a representative of the ICO stated that whilst firms lack regulatory certainty and confidence, the ICO would:

  • help inform governance and provide visibility of guard rails
  • update automated decision-making guidance to reflect DUAA in due course
  • set clear expectations for responsible use of automated decision-making in recruitment

It is also continuing to collaborate with the FCA, Ofcom and the CMA under the Digital Regulation Cooperation Forum in order to provide consistency and alignment with a view to removing duplication across regulators.

How will the ICO make decisions?

The ICO’s position is that it will apply the law as it stands at the time an infringement took place, rather than the date it received any complaint or report or when the infringement was detected.

On its website it states “In some cases, we will need to exercise our discretion when considering regulatory action on alleged non-compliance with an existing provision under the data protection legislation which is going to be removed, amended or replaced with a similar provision under the DUAA. We will make a judgement on whether to proceed with regulatory action under the old provision or, where there is ongoing non-compliance, consider action under the new provisions.

When considering regulatory action on the DUAA’s new provisions, we will consider the ICO guidance available to organisations at the time of the alleged non-compliance.”

What can you do now?

Yet again, we are in uncertain times. For now, firms should keep an eye on the Gov.UK website as to when any further regulations under DUAA come into force. In the meantime, they have provided a summary of the changes to expect. Firms should start preparing for these now and ensure they are compliant with the provisions that are already in force.
