What is the best approach to managing Smart Data privacy risks?

Big, strategic policy goals are increasingly pushing governments around the world to drive the Smart Data agenda. The idea is to make large datasets in areas like financial services and energy more open to allow innovators to create new services that can benefit everyone from end consumers to policy makers.

However, obvious privacy risks arise from making data like half-hourly energy consumption and generation data and financial transaction records more widely available. These include risks associated with exposing the data to more organisations, given that the nature of innovators is that often these will be smaller companies with less cyber security sophistication. In 2025, Verizon’s Data Breach Investigations Report found that the proportion of breaches involving third parties had doubled to 30% and noted issues with access controls and time to remediate leaked secrets. 

Different governments are taking different approaches – but what are they, and which one is the best? 

United States 

The United States generally sees light regulation as a competitive advantage that fosters world-dominating innovation. Laws are typically focused on addressing specific risks – data breach legislation is designed to prevent and mitigate identity theft, for example – or that apply only to specific sectors. However, a 2025 Cornell University study found “rampant non-compliance”, with 40% of surveyed organisations failing to respond at all to the researchers’ data subject access requests, and the design of some request processes introducing new privacy risks. 

Latin America, Europe and UK 

Countries in these regions generally favour a more highly-regulated approach, and culturally can be suspicious of innovation, particularly when regulation is seen as inadequate. This does not stop useful US innovations achieving significant market penetration. Many countries look to Europe as a thought leader in how to approach regulation, but in markets such as Energy this approach can lead to highly complex regulatory landscapes. This can introduce high barriers to entry for new participants but means Smart Data initiatives are more trustworthy. 

Asia Pacific 

Countries such as Australia and Singapore are adopting a more hybrid approach. Australia has introduced one of the world’s most comprehensive smart data frameworks, the Consumer Data Right. It combines legal and technical measures to control participation and build trust while provide a simple way for innovators to engage. Singapore has an innovation-led, initiative-based approach that focuses more on use cases that compliance structures that allows rapid experimentation but might result in variability of safeguards and a reliance on organisations implementing good practices. 

Africa 

There are some continent-wide initiatives, such as the African Union Data Policy Framework, but not all African countries have data protection laws or data portability frameworks to underpin Smart Data initiatives. This results in a larger and less controlled privacy risk surface, but fewer barriers to entry for innovators. 

So – which approach is best? 

The nature of Smart Data is that data is shared and can thrive, and that makes it hard for individuals to retain control of their data when they engage with Smart Data projects. It brings privacy risks like difficulties understanding who is processing data and why, and larger cybersecurity attack surfaces with more scope for personal data to find itself insecure. Data loss is a genie that simply cannot be put back in the bottle. 

However, Smart Data schemes have the potential to provide huge benefits at a macro level – such as improving energy market efficiency, reducing energy demand and addressing climate change – and at a micro level – such as helping consumers make better financial decisions for themselves. 

Ultimately, while Smart Data schemes are new and innovators collect limited amounts of data, participants are likely to be early adopters who will typically have higher risk appetites and may have more capacity to understand and manage privacy risk. As the market matures, regulation becomes more important, particularly in cultures that expect the government to protect people against risks that are hard for them to manage individually while still benefitting from the innovations.