Interview with Gareth Oldale
“Allowing that flexibility for local customer practice to still come to the fore, is really where the magic lies”
Maurice
Hello everybody, welcome to C&F Talks. Today I have with me Gareth Oldale, who's a Partner at TLT, which is sponsoring our upcoming event, Data, AI and the Future of Financial Services Summit on the 9th of June in London. Gareth, welcome.
Gareth
Thank you.
Maurice
Let's turn to our first question.
The proposed changes under the Data (Use and Access) Bill
What do you think of the proposed changes under the Data Use and Access Bill and which changes do you think will have the greatest impact for companies and DPOs?
Gareth
Yeah, it's a really interesting piece of legislation. It's something we've been tracking for a long time, both in its current form and prior to that when it was under the guise of the Data Protection and Digital Information Bill, so it's felt like a long time coming for those of us that have been involved with it. Some of the key changes that were originally proposed have now been removed in the latest iteration, so there's perhaps less to focus on, but still some very impactful changes for organisations in all sectors and certainly in a financial services context.
Perhaps just to draw out two of those that I think may have a particularly heavy impact. One is around marketing and the use of cookies and the interplay with the Privacy and Electronic Communications Regulations, and specifically the penalty regime that applies to breaches there. For a long time, there's been a disconnect between the GDPR and the cookies rules as to the penalties if things go wrong.
Those are being aligned through this new legislation, so that fines for when direct marketing goes wrong will now be aligned to the GDPR standard, so rather than a cap of half a million pounds, it's 17.5 million pounds or 4% of global turnover, so quite a significant shift there, especially as that's one of the areas where the ICO is particularly active in enforcement activity. The second is automated decision making, which is one of those perhaps lesser known elements of the GDPR, but actually is increasingly relevant to the work that financial institutions and other organisations do, especially when we start to think about AI tooling and products that are being rolled out.
Again, some changes to the rules around automated decision making, which on their face are good news for business and certainly pro-innovation, pro-AI effectively, but will present some challenges, especially for those organisations that operate across the UK and Europe, as it will mark a bit of a change in approach as compared to the EU rules that we've been used to for the last few years.
Maurice
So, a few things that people really need to get their teeth into there.
The future for Data and AI in financial services in the UK and beyond
What do you think the future holds for data and AI, specifically in financial services in the UK and overseas, and how can we balance data privacy and an appropriate flexible regulatory regime, on the one hand, with an environment in which innovation can flourish and be internationally competitive on the other?
Gareth
Yeah, it's an excellent question, if I may say, Maurice. I think that interplay between striving for innovation and harnessing all of the benefits that AI and other technology transformation allows, but doing so in a way which remains not just compliant with the law, but also compliant with ethical standards and other regulatory burdens, you know, things like consumer duty, which will have an impact on banks and other lenders, is increasingly difficult.
I think some of the key features that have already been established but will continue to grow throughout the rest of this decade, is implementing and embedding strong AI governance processes and interweaving those with other existing corporate governance frameworks within organisations. And then just looking with one eye to the rest of the world, I think finding a way to have a harmonised policy and approach within an organisation, in a world where you have differing legislation, different policy and customer practice in different jurisdictions, is something that's really a nettle to be grasped.
Finding that common standard, I think the approach that we take with most clients is finding a common standard that can be applied globally but then allowing some flexibility within the system for local variations where, for example, some AI tools will just be prohibited in the EU, but may be permissible in the US or other jurisdictions.
So, allowing that flexibility for local customer practice to still come to the fore, is really where the magic lies, I think. But I guess one final point there, Maurice, what we are seeing, without a shadow of a doubt, is some really excellent areas for innovation and for service improvement in areas like fraud prevention, for example, where AI and other tools can really help. And so far from data protection and AI governance regulation being an inhibitor to that, it's finding a way to benefit from that innovation and the benefits that it provides to customers without transgressing those rules.
Maurice
Very difficult, I guess, for firms as they prepare for all of this.
Advice for firms in 2025
I mean, you talk about trying to have a common standard internationally for firms internally, but allow for regional or countrywide fluctuations. Does that mean that really firms have to apply the highest of the standards of the various regulations across borders that they have to adhere to, and then try and incorporate within that local practices? It must be quite a challenge. So, what's your advice to firms as they prepare for all of this?
Gareth
Yeah, there is certainly that temptation to say, well, we'll just apply essentially the gold standard everywhere, because at least we know then that we're compliant. What we found is that where firms have taken that approach, it's meant that they've not been able to make advances in some areas or in some jurisdictions that they might wish to do so. And so not quite turning that logic on its head, but at least looking for what is a common minimum viable product for things that we would be happy to deploy anywhere, and also minimum standards that we will always apply, regardless of what the local privacy law regime may be, we find tends to work better, and it enables that more pro-innovation approach while still having full regard to the legal rules that are in place.
Maurice
Yeah, because you certainly don't want to get left behind by being stuck in the mire of these differences in regulation, do you? There's clearly a lot to discuss, Gareth, that was very interesting indeed.
But for our viewers, please do have a look at our website www.cityandfinancial.com for further details of the conference. That's the Data, AI and Future Financial Services Summit. We'd love to see you there on the 9th of June in London.
Gareth, thank you so much for sharing those thoughts, and we'll see you at the conference.
Gareth
You certainly will, thank you.