Building consumer trust in Smart Data

Executive Summary 

What is Smart Data?

Smart data gives consumers the ability to share their data between businesses and other organisations, to enable new uses of data in ways that benefit consumers, society, and economy. There is great potential for smart data schemes to deliver benefits across many sectors of the economy. Greater productivity and competition benefits enabled by personal data mobility has been estimated to increase UK GDP by £27.8bn. The Government’s 2024 Smart Data Roadmap identifies priority sectors of banking, finance, energy and road fuels, telecoms and transport; and retail and home-buying as further sectors of interest. Schemes across multiple sectors can also enable consumers to have greater choice to personalised services and could lead to better prices, for instance services such as automatic switching or tailored account management. To realise the benefits of smart data consumer trust and confidence, and therefore consumer engagement, is critical. This policy paper provides a blueprint for data holders, authorised third parties, civil society and any other participating organisation to secure consumer trust in smart data schemes through the use of a trust framework. 

A trust framework aims to provide a set of rules, standards, and agreements that govern how data is shared, used, and protected among various participants in smart data schemes. This will be enforced by the relevant oversight body for each scheme. Robust and effective trust frameworks are the key to ensure consumer protections are built in from the very start to foster consumer trust and confidence, and for businesses to feel equally protected with legal certainty for all parties. 

Risks and consumer harm

Which? has conducted analysis of a number of existing smart data schemes and their trust frameworks and undertaken 6 months of detailed engagement with key stakeholders and technical experts across a diverse range of sectors including energy, banking and finance. 

Our stakeholder engagement indicated that consumers will struggle to engage with new smart data products and services unless they understand what is happening and they trust that they and their data are protected. Our stakeholder analysis shows that if smart data schemes are developed without the right protections in place, there is a risk of consumer harm such as:

• Poor quality products and services
• Lack of meaningful consent
• Risk to consumer safety
• Exploitation of vulnerable users

A trust framework built on consumer control and consent

In December 2023, the Smart Data Council tasked Which? with determining ‘what good looks like for consumers’ in smart data trust frameworks.

We recommend a trust framework that goes further than ICO’s statutory data-sharing code  or guidance on valid consent because the ICO does not have a specific remit in the smart data consumer harms we identify, above. 

From our analysis and engagement, we have identified that there is currently no template to follow to ensure that new trust frameworks for smart data schemes adequately protect consumers. This led us to develop and test a new model for trust frameworks with a range of stakeholders including regulators, civil society organisations, startup representatives, service providers and technical experts. We consider this model to be agnostic on sector and technology. That is, no matter what sector the smart data scheme is established in, or which technologies are used, the principles will still apply and be effective. 

Our model for trust frameworks aims to encourage future schemes to foster consumer trust and confidence from the very start. To do this, consumer control and consent is at the centre of Which?’s model for trust frameworks. By considering consumers in the design stage of smart data schemes, the risks posed to consumers are minimised, building consumer confidence and trust that is essential to realising the social and economic benefits that smart data schemes can unlock. 

These requirements are feasible to implement and universal adoption would create consistency, resulting in increased consumer confidence and engagement with smart data products and services. 

Figure 1: Which?’s model for smart data trust frameworks

Governance

Clear governance requirements act as an incentive for all parties to assess and manage consumer risk and take steps to build in continuous monitoring, robust liability and redress mechanisms with clear steps for all participating organisations. These proactive measures build consumer confidence and trust by assuring consumers that they can reach resolution in the event of something going wrong. In turn, this increases consumer engagement with the smart data product or service. 

Protection

Consumer data in smart data schemes must be protected from misuse or cyberattack. Smart data schemes will change the way in which consumer data has previously been shared and analysed between parties and it is essential that fundamental consumer rights and protections are not weakened or reduced. Adherence to the principles of data management and cyber security will give consumers confidence that they can control the secure access and use of their data, building trust and engagement with smart data schemes. 

Scalability

Ensuring smart data schemes are scalable will result in the greater participation of relevant organisations. We consider scalability to refer to technical infrastructure for interoperability. In addition, enabling the access of further data points will increase coverage and social inclusion, unlocking innovative and diverse smart data products and services to consumers. This is supported by inclusive-by-design measures such as common language and accessibility.

Next Steps 

To unlock the benefits that smart data can provide, consumer trust and confidence is critical for uptake and engagement with smart data products and services. Using Which?’s model for trust frameworks will ensure the principles underpinning governance, protection and scalability are robustly applied to mitigate risks and promote consumer confidence and trust in smart data schemes. 

Which? calls on businesses and organisations participating in smart data schemes to adopt this model for a smart data trust framework, and put them into practice in current and forthcoming smart data schemes. This commitment should be made even in the absence of legislation, demonstrating a proactive approach to consumer protection. It also removes the risk that a failure in one use case within one sector compromises consumer trust, confidence and engagement in the wider smart data ecosystem as a whole.

Whilst each major stakeholder within the smart data ecosystem has specific responsibilities, cooperation between stakeholders is essential to building and maintaining consumer confidence and trust. Participating organisations using our trust framework principles and outcomes to strengthen their current approaches to protection (data management and cybersecurity), and accessibility. Scheme providers should oversee the quality and standards of the above, using Which?’s trust framework principles to prevent the consumer harms we have identified. They should also lead on governance (especially scheme roles and responsibilities, accountability and liability, monitoring and redress) and scalability (especially interoperability).

Which? also urges the Government through the Department for Business and Trade (DBT) to take a leading role in coordinating the smart data landscape, guiding the development of smart data schemes and facilitating cross-sector interoperability and a common language. This involves providing oversight for how scheme providers are preventing the consumer risks we have identified, and how they are implementing governance and scalability in their sectors. The Government’s new Data (Use and Access) Bill (‘DUA Bill’) represents a key opportunity to strengthen the legislative framework to support consumer trust and confidence in smart data schemes. In particular:

• The Government should take the opportunity through the Bill to signal its intent to implement Article 80(2) of the UK GDPR, so that if a provider designs a service in a flawed way such that the rights of several users are infringed in a similar way, an appropriate organisation can bring an action for redress on behalf of all of those affected as a group. 
• In addition, the regulations that are being brought forward under the Bill should contain requirements about how smart data schemes must address the needs of more vulnerable individuals.
• If the Bill passes into legislation, the new powers that the Government will have should be used to prevent consumer harms and support consumer trust and confidence in smart data.