Digital regulation | The alchemy of a strategic framing for compliance
Published on 4th Oct 2021
As the scope of digital regulation continues to expand and sanctions for non-compliance ramp up, how can you turn onerous risk management into a strategic and competitive advantage?
As digital transformation sweeps across all sectors, an ever-expanding landscape of products and services is falling within the scope of digital regulation. With regulation comes compliance – an important aspect of corporate risk management. Not only is there enforcement risk and the potential for financial sanctions, but in many areas, a failure to meet legal obligations can generate adverse PR and reputational damage.
Not only is the impact of digital regulation expanding with digitalisation but the volume of such laws is expanding at a notable rate. Data governance and artificial intelligence regulation are currently under consideration at EU level. Legislation to open up data access is expected to be issued in the EU and UK. Legislators are also reshaping competition law in the UK and EU to address digital gatekeepers, strengthening the consumer protection regime and rethinking online safety – again, at both EU and UK levels. E-commerce and financial payments regulation continue to shape online sales and subscriptions. Websites need to consider issues such as geo-blocking, and the rules governing online distribution networks are being overhauled. Our digital regulation timeline tracks this complex and fragmented terrain.
Whether a business is born digital or has transformed itself from a once-traditional approach, there is now a huge swathe of legislation to be taken into consideration in shaping digital products and services. Compliance is, moreover, an ongoing requirement rather than a one-off project that can be shelved once completed.
One notable trend, particularly at EU level, is to follow the approach of the General Data Protection Regulation (GDPR) – and, before that, competition law – in imposing heavy fines and other sanctions.
Businesses in breach of the competition rules can be fined up to 10 per cent of worldwide group turnover. For the GDPR, the maximum fine is 4 per cent. The proposals for regulating artificial intelligence include fines of up to 6 per cent for non-compliance. One of the notable changes in the forthcoming New Deal for Consumers is the introduction of heavy financial sanctions where consumer law was previously relatively toothless. The EU directive (to be implemented at national level) requires that maximum fines should be fixed no lower than 4 per cent of annual turnover in the jurisdiction concerned.
Although penalties are rarely fixed at the maximum level and are typically tempered by requirements of proportionality, they are also intended to be effective and dissuasive. Fines under the GDPR are ramping up as enforcement practices mature, and competition fines for the largest companies are often measured in billions of euros. Regulators increasingly have teeth.
Taking a strategic approach to framing compliance does not mean taking a selective approach to compliance (although in some contexts, compliance may be shaped by risk assessment). Strategic framing of compliance means thinking about the benefits of compliance, whether for customers, end consumers or employees, and making sure those benefits are brought to the fore. Moreover, compliance in practice is often nuanced and coloured in shades of grey. There are potential gains to be had from shaping the detail of compliance policies and practices to align with wider objectives.
This approach has developed strongly in the field of data protection. Some business models are built around GDPR-compliant apps where a more mainstream one might carry risks. Some businesses make a virtue of putting user data privacy at the forefront of their strategy, sometimes drawing a contrast with competitors.
Drawing an example from the financial services sector, regulation requires certain customer protections to be put in place. Those actions may have been driven by compliance risk management, but they can be presented to customers to highlight that the business has invested in their protection.
The sector offers a further example in relation to open banking. Open banking regulations in the UK require retail banks to build interfaces into their systems so that customers can choose to pipe their banking transaction data to a third party. All banks need to comply. Some do the minimum, not least since compliance requires changes to their IT systems and can therefore be technically complex and expensive. But some banks have taken a strategic approach, developing new customer offerings by leveraging the new rights to access customer accounts held with other banks. Compliance has created opportunities for innovative new products and services and potential competitive advantage.
Reframing compliance in this way can generate positive PR and reputation enhancement from activities that might otherwise be seen as a burden and a cost centre for the business. To maximise this benefit, it is worth liaising with marketing and public affairs teams to ensure that a consistent and positive story is told across the business's communications and external engagements.
Creating a positive attitude to compliance can also make it easier to maintain a compliance culture – staff can see that the effort is valued and makes a positive contribution to the business beyond box-ticking. It may also reinforce whistleblowing policies, ensuring that issues are brought to light and can be proactively addressed. In the event of regulatory enforcement, showing a positive attitude to compliance across the business may help to frame an infringement as a one-off and not a pattern of behaviour.
It might not always be possible to create a revenue stream from compliance, but there is an undoubted alchemy in being able to draw positives beyond the core risk management benefits of regulatory compliance. Our digital regulation specialists understand this skill and work with our clients to ensure a creative and strategic approach to regulation, where there is scope to do so.
If you would like to discuss any of the points raised in this article, please speak to the authors or your usual Osborne Clarke contact.