When the Online Safety Bill becomes law in 2023, it will mark the beginning of a new era in how direct-to-consumer organisations engage with their customers online. This article explores how organisations can get on the front foot in preparing for the new regulation and go one step further to ensure that they are best in class.

A new online landscape

The Online Safety Bill is nearing the end of its passage through Parliament. When it becomes law, the responsibility will be handed over to Ofcom to establish a suitable regulatory regime to hold in-scope organisations to account.

The new rules and regulations will transform the online landscape for a wide range of organisations operating online, both in the UK and globally. All those which host user-generated content online, as well as search engines which have links with the UK, will be in scope of the regime.

Attempting to ‘clean up the internet’ is a hugely ambitious task, considering the number of people using these sites and the potentially limitless amount of content that can be posted. While organisations will be free from having to moderate individual pieces of content - which would be near impossible - they will need to be able to assess the risk of harm to their users and put in place systems and processes to keep them safe online. Ofcom's future role will be to make sure that online organisations ensure that their controls are effective.

Who will be impacted?

Putting in place measures to protect users online will not be new to the tech giants. Public scrutiny means that they are already active in this space.

However, there is likely to be a long tail of direct-to-consumer online organisations with user-generated content that will fall into scope of the legislation.

It has been estimated that around 25,000 UK organisations will be in scope.

Among those impacted will be dating apps, gaming providers, online marketplaces, community forums, as well as the more expected social media platforms (Facebook, Instagram etc) and search services (Google, Yahoo etc). However, many more types of organisations, particularly those who are consumer-facing, could be exposed to elements of online safety, and either face reputational risk or have an opportunity to demonstrate their own responsibility in this important area.

Organisations with the most widely used and highest risk services will have the greatest level of requirements. However, every organisation in scope, at a minimum, will need to 1) assess the risk of harm related to illegal content and take steps to mitigate identified risks, and 2) establish whether children are likely to use their service; if they are, the organisation will also need to assess those risks and put safety measures in place.

Organisations with user-to-user and search services who think they are in scope will need to get up to speed on what the new legislation means for them. This will be challenging, given that organisations will not know exactly what measures they need to have in place until Ofcom has issued its guidance (between 2023 and 2024 according to proposed timelines).

Despite this, there are steps which organisations can start taking now to prepare, even in this period of uncertainty.

What do organisations need to do?

Timeline showing the steps organisations should take

From now

Bill nears the end of its passage through Parliament

The Bill is currently in committee stage in the House of Lords and is still due to have amendments considered in the final stage. Judging by this progress, we can make the rough assumption that the Bill will receive Royal Assent in late Spring / Summer, which is later than originally planned.

Suggested actions:

1. Understand what this means for you

It may be difficult for organisations to know whether they fall in scope of the new regulation – if, for instance, they operate online but do not fall into the more obvious social media or search engine categories.

In order to understand what this means for them, organisations may want to engage with Ofcom to get confirmation on whether they are in scope. If they are in scope, they will need to ensure that they are fully aware of and understand the latest developments.

2. Carry out risk assessments

For all major areas of the Bill, organisations should first assess whether audiences could be at risk. Following this, they should carry out an internal audit to identify whether there are gaps in existing user protections and how effective they are.

Elements of a good risk assessment:

  • Identify the risks – Could your organisation be displaying any of the types of content included in the Bill to your users? How likely are users to come across it?
  • Evaluate the risk controls and processes in place – Do you have these in place? Are they robust enough?
  • Review governance – Are there identified individuals / teams who are accountable for managing risks?
  • Sense check awareness – Are staff across the wider business aware of their role and responsibilities?

3. Develop a plan

In order to be prepared for when regulation comes into force, organisations should create a plan setting out the steps they need to take between now and then. As part of this, they will need to determine whether they have the internal resources to respond to the new regime and agree a view on the level of intervention needed.

Spring/Summer 2023

Ofcom's powers commence

Ofcom expects its powers to commence two months after the Bill passes into law. Shortly after, Ofcom will aim to publish consultations on some of the areas set out in the Bill. These documents will set out the regulator’s initial views on how organisations will need to comply.

Timings will depend on when the Bill receives Royal Assent. It is likely that Ofcom will publish the first consultations either before or after Parliamentary recess in the summer rather than during it, as this would prevent Parliamentarians from being able to engage. If the consultations are published after Parliament returns in the autumn, the original timings set out by Ofcom are likely to be delayed.

Suggested actions:

1. Be ready to respond to consultations with hard evidence

Once Ofcom has published its consultations, organisations will need to be ready to respond if they want to have a say in what the final rules and regulations look like.

It is important to note that while the Bill itself is critical in terms of setting out the scope of the regulation and Ofcom’s powers, it will be up to Ofcom to determine how the regulation applies on a practical level.

To deliver a compelling response, organisations should provide quantitative and qualitative evidence where they can, to back up any suggested changes to Ofcom’s proposals or to quantify the impact of a proposed measure.

2. Be ready to respond to information requests – again, with hard evidence

From the point at which Ofcom has powers, organisations will need to be ready to respond to information requests from the regulator. In doing so, they are likely to need to provide details on what processes are in place and how effective they are. For the latter, organisations should be ready to provide data to demonstrate effectiveness.

2023 - 2024

Throughout the consultation period

Although timings are subject to change, Ofcom has indicated that statements on some consultations are likely to be published around a year after the initial draft is published. That means that organisations will have some time to get their internal operations ready, although they will need to rely on proposed guidance and Codes of Practice to understand what they need to do, rather than documents which are set in stone.

Suggested actions:

1. Map existing measures against proposed requirements

Using the new information available in the legislation and proposed guidance and Codes of Practice about what processes and systems need to be in place, organisations should identify where the gaps are using the results of the risk assessment.

2. Determine what best practice looks like

In re-evaluating and possibly re-designing user safety, organisations can ensure that they are doing whatever they can to serve and protect their customers. We encourage organisations to challenge themselves to go further than the legislation, where they identify opportunities to further expand user protections.

3. Design, develop and implement new or improved systems and processes

This is likely to be the most substantive action that organisations are required to take. Some may have processes and systems in place which need to be made more robust to meet the criteria for compliance, while others may be required to build them from scratch.

The operational capabilities required include, among others, the ability to:

  • Minimise users coming across harmful content
  • Identify and quickly remove illegal content
  • Manage risks of harm identified in risk assessments
  • Allow users to report content
  • Manage complaints

4. Be transparent with stakeholders

Organisations should engage with their stakeholders and be transparent about progress and performance in order to get them on board. Publishing the safety statistics and countermeasures in place with every shareholder report could be a good way to do this.

From 2024

Regulation comes into force

Suggested actions:

1. Be ready to comply

Once the guidance and Codes are finalised, they will be submitted to the Secretary of State to be laid in Parliament, before coming into effect 21 days after being issued. Organisations will be required to comply with the regulation from that point onwards and will therefore need to have their regulatory tools ready.

2. Be a socially responsible organisation

The Online Safety Bill will force organisations to re-examine – and likely significantly improve – how they manage risks and protect their users. This creates an opportunity for organisations to demonstrate their commitment to user safety, and in doing so, maximise their customer service.

Responding to new regulation can feel burdensome and overwhelming. To avoid this, the intent needs to stay focused on the potential to reduce harm online. This should be organisations’ north star as they seek to navigate the new requirements.

The new regime is our chance to get user safety right. Consumers will only expect more as society becomes increasingly digital. If organisations not only build solid foundations, but also strive to set the gold standard, it will be an investment that pays dividends in the future.

We have significant experience helping organisations with regulatory change, from GDPR compliance to adapting to new financial regulation, and can help organisations understand the impact the Bill will have on their business.

Given the scrutiny around this topic and the potential impact coming to many organisations, now is a good time to start to respond - not just to keep on top of new obligations but to help meet a new level of customer expectation. As the Chinese proverb goes, “The best time to plant a tree was 20 years ago. The second best time is now.”