There has been a lot of discussion about changes to UK privacy law this year, but with so much movement in government, a firm decision on new plans has yet to be made.
When the European Union first introduced the General Data Protection Regulation (GDPR) in May 2018, it brought with it a host of new data privacy rules for marketers to get to grips with.
Yet despite all the planning, preparation, expense – and at times panic – four years on and with the UK having finally completed its exit from the EU, the GDPR is already on its way out. The government first revealed it planned to rethink its data protection regime towards the end of 2021. More details about what was subsequently called the Data Protection and Digital Information Bill were outlined in May during the Queen’s Speech, and then in June by former secretary of state for digital, culture, media and sport (DCMS), Nadine Dorries, while Boris Johnson was still in power.
At the time, Dorries promised to “reduce the burdens on businesses” while delivering “wider societal benefits”. She outlined a host of measures, including a change to the consent requirement for cookies, an extension of the “soft opt-in” for marketing material to more organisations, and tighter rules around cold callers.
But progress stalled following Johnson’s resignation in July, and the bill’s second reading, which was supposed to take place on 5 September, was cancelled.
A month later a rethink of the rethink was announced, with the government – now under Liz Truss’s leadership – revealing plans to ditch the previous reforms and create an entirely new data privacy regime.
Michelle Donelan, the new secretary of state for the DCMS, outlined the revised plan at the Conservative Party conference at the beginning of October. She promised a “truly bespoke” data privacy system, billing it as a “simpler” replacement for the GDPR that would free businesses from a “regulatory minefield”.
“Our plan will protect consumer privacy and keep their data safe while retaining our data adequacy so that businesses can of course trade freely,” she said. “No longer will our businesses be shackled by lots of unnecessary red tape.”
However, despite the promise of more “clarity”, marketing organisations and industry experts raised concerns about what deviating from the EU’s system could mean for businesses in practice.
“Despite the UK government’s emphasis on making things simpler for businesses, the more regulations diverge from the EU and other geographies, the more costly and difficult it becomes for global brands to rationalise their approach across borders,” said Gartner’s research vice president and distinguished analyst Andrew Frank.
As the UK is no longer a member of the EU, it must maintain data ‘adequacy’, a status the EU gives to non-members that it believes provide an equivalent level of protection for personal data. As a result, bodies including the Advertising Association (AA) have urged the government to ensure any changes to the UK GDPR are backed by evidence and not driven “purely for the sake of seeking divergence”.
The AA’s director of policy research, Konrad Shek, warned at the time that changes could result in “additional cost” for businesses, due to “the need to maintain compliance with parallel data protection regimes”.
With yet another prime minister now in situ, nothing more has been revealed since Donelan first shared the plan. She has, however, kept hold of her position, so there is at least some consistency there.
With so much chopping and changing and the lack of a firm plan moving into 2023, brands will understandably be confused about where they stand and what to expect. While most will welcome the introduction of simpler legislation, there are still many unanswered questions. How far Rishi Sunak’s government goes towards achieving this promised clarity on data regulation remains to be seen.