New regulation is exciting – and yes you have read that correctly. It’s the infrastructure that defines how markets work and how companies grow. What was once vague or a legal grey area comes into focus with rules, responsibilities, and real commercial opportunity.
Businesses need this structure. It enables new markets, drives innovation, and supports the development of services, standards and technology that can be exported globally. But for the full potential to be realised, regulation has to be clear, practical, and – most importantly – grounded in reality.
Momentum stalls when poorly defined rules create friction and misaligned policy stunts growth. That’s why governments shouldn’t build regulation in isolation, and why the businesses at the sharp end need to be directly involved in shaping it.
Private sector thinking for the public good
The UK’s Data (Use and Access) Act is an inflection point. For the first time we have a legislative backbone supporting the UK’s digital trust framework in highly regulated sectors. From right-to-rent to criminal record checks, certified providers can now carry out digital ID verification and provide regulatory safe harbour to landlords and employers.
This could be the starting point to unlock a more reliable, inclusive and user-friendly identity ecosystem across all industries. But the real test lies in what happens next, how closely the government and private sector work together to build on the foundations.
One path forward is to test regulation the same way we’d test a product: openly and collaboratively before it ‘leaves Beta’. On this basis we could develop policies through “proof-of-value” pilots – created to test shared standards, raise real-world questions early, and shape regulation that is fit for use across categories.
Let’s take identity checks in sectors like property letting, employment, or legal services as an example. Today, people often have to prove who they are multiple times, to different organisations, even after already passing a regulated verification process.
But what if certified services allowed businesses to reuse identity data that’s already been verified as trusted? What if businesses could access consistent, government-recognised records without taking on extra liability time and time again?
Both industry and consumers would benefit, so there’s a clear opportunity. It’s a realistic ambition, but achieving it would require buy-in from multiple, currently disconnected, stakeholders across sectors.
Levelling the playing field for SMEs
If these projects are to work, everyone needs to have a say. After all, if we only test regulation with large firms, we’ll only solve large-firm problems. Digital identity is just one example. Across policy areas, from AI and data sharing to sustainability reporting and online safety, regulation is accelerating. But too often, it’s designed with large enterprises in mind: the ones with the resources and bandwidth to absorb new obligations.
The reality is SMEs stand to benefit most from smarter identity infrastructure. Coming back to the digital identity example, let’s consider which businesses are doing the bulk of verification work across the UK. It’s letting agents performing right-to-rent checks, high-street accountants onboarding clients, recruitment firms running background checks. These are, typically, the firms working without in-house compliance teams or dedicated legal support.
If identity systems are too rigid or complex, SMEs are the first to feel it. Drop-off rates increase. Customers are excluded. Risk piles up. That’s why smaller businesses need a voice in how standards are designed, not just guidance on how to follow them.
That’s why involving the businesses on the frontlines is so crucial. These companies know where systems break down, where duplication creeps in, and where guidance needs clarity. And they’re often the fastest to adapt, if the path is clear.
No matter how technically elegant a new standard or rule might be on paper, if it doesn’t work at scale it won’t achieve the outcomes policymakers are aiming for. Then it’s back to the drawing board… Again.
The importance of long-term thinking
I speak from experience as someone who has spent nearly two decades on the frontlines of digital identity – first in government, and now in the private sector. The history of digital ID in the UK is a story of great ideas slowed by shifting priorities. GOV.UK Verify was launched with real intent, and it made significant early progress, but it was ultimately overtaken by broader political and institutional changes.
That doesn’t mean the need went away. It just means momentum moved elsewhere.
One thing that stuck with me: good ideas don’t always survive political shifts. That’s why today, I believe industry has a responsibility to provide continuity, to stay engaged, to push for workable standards, and to help policy evolve in a way that supports long-term outcomes.
Trade associations and professional bodies are crucial here. They give businesses, especially smaller ones, a seat at the table and a way to engage constructively as new frameworks emerge. Identity is rooted in trust and this is something you build with others. Through shared standards, open testing, and ongoing feedback. And this is equally true for any regulation.
So, whether it’s through trade associations, implementation pilots or standards consultations, we need to make it easier for SMEs to help shape the rules that impact them. We’ve seen what happens when regulation is developed in isolation. Now let’s show what’s possible when the public and private sectors work together.
David Rennie, Chief Trust Officer at Orchestrating Identity