In the Queen’s Speech in May, a legislative programme was laid out for the reform of our core data protection laws in what has now been labelled the Data Protection and Digital Information Bill.
The government’s ambition with the reform is to establish the UK as ‘the most attractive global data marketplace’. Key themes include giving individuals greater clarity over their rights and control of their personal data, reducing the burden on businesses and empowering them to grow and innovate, whilst maintaining high standards of data protection and data privacy. The goal is also to increase the authority of the UK’s independent data protection regulator, the ICO (Information Commissioner’s Office), and its ability to deal with breaches through higher financial penalties.
With the General Data Protection Regulation (GDPR) introduced what seems only a short while ago, businesses may shudder at the thought of yet more data reform or, conversely, welcome the relaxation of some of the red tape brought in with the UK GDPR. To help you understand how these proposed reforms might impact you, we’ve pulled together some highlights and key things for marketers to look out for.
An outline of the government’s commitments –
The current data protection scheme in the UK consists of a combination of the following:
- UK General Data Protection Regulation (UK GDPR)
- Privacy and Electronic Communications Regulations (PECR)
- The Data Protection Act 2018 (DPA)
The proposed reform aims to reinforce these by:
- Ensuring high standards of data protection while providing more flexibility for organisations to find the most effective and proportionate way of protecting personal data.
- Future-proofing the UK’s data protection regime by enabling organisations to invest in what matters rather than ticking boxes so that regulatory certainty is maintained, regardless of technological change.
- Introducing a refined set of changes that account for existing regulations and incorporate requirements that already form best practice in most businesses and organisations.
- Delivering concrete advantages for the UK while preserving data subjects’ rights and the independence of our regulator, creating a net benefit for businesses and the wider society.
- Reforming the ICO to make sure there is ‘effective, risk-based and preventative supervision, improving its governance, accountability and transparency in line with best regulatory practice’.
In one of our earlier blog posts, titled ‘Can businesses still cold call under GDPR? YES THEY CAN!!’, we considered GDPR and cold calling, specifically how the strict regulations surrounding personal data might impact direct marketing and cold calling in particular.
Despite popular belief, UK GDPR legislation was not put in place to stop cold calling but instead to ensure that the processing of personal data, including for direct marketing purposes, was conducted responsibly, protecting the ‘Legitimate interests’ of all parties.
Let’s consider which proposed changes might impact marketers this time round:
UK Data Reform ‘at a glance’
Proposed changes that might impact marketers
- Increased consumer protection – The introduction of steep fines for PECR breaches that could reach as much as £17.5 million (previously £500,000) or 4% of global turnover in the preceding financial year, with the aim of reducing nuisance calls, texts and emails.
- Soft opt-in for charities – The extension to non-commercial organisations, such as charities, of the soft opt-in, which allows organisations to contact individuals with whom they have previously been in touch (provided an opt-out was offered when details were captured).
- The removal of cookie consent – Cookies may once again be allowed without consent (excluding websites likely to be accessed by children), which will dramatically improve the user experience and impact web analytics. If implemented, this will be limited to within the UK, and advertising cookies will likely be gated with a requirement to consent.
- Data anonymisation – The proposal is to clarify when data would be regarded as anonymous and therefore outside the scope of current data protection legislation. This would need to take account of the means available for identification, including technologies.
- Legitimate Interests – The creation of a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test. However, it initially appears that this list will be limited to carefully defined processing activities and will exclude marketing use cases.
The new Data Reform Bill is anticipated to be introduced in 2023 and while there has not been confirmation of the exact changes, it is worth keeping informed and ensuring you are well prepared ahead of implementation.
Four things you can do to prepare –
- Align with your legal team – set time aside to ensure that your processes are in line with the existing and proposed new requirements.
- Assess your analytics – make sure you’re clear on the data you’re obtaining and how you’re using this.
- Review your record keeping – what information are you holding on file? How are you using data to inform your decisions? Are your insights just insights or do they hold more personal data?
- Pay attention to PECR – one of the biggest potential changes to current legislation. Given the hefty financial penalties now proposed, it is critical to ensure you are compliant.
Find out how we work with personal data under GDPR:
FAQs: Data Protection and Information Security