Is a big British version of GDPR likely to balance the demands of consumers, advertisers and media owners alike? We ask marketers what they think of the UK’s planned divergence.
Michelle Donelan, the secretary of state for digital, culture, media and sport, has said the UK will be “replacing” the EU’s General Data Protection Regulation (GDPR) with its own bespoke version, intent on cutting as yet undisclosed “red tape” in favor of a “simplified” model that will better help businesses operate and grow.
The announcement came shortly after new prime minister Liz Truss declared war on the ”anti-growth coalition”, but change has been in the air for some time. In 2021, then secretary of state for digital, culture, media and sport Oliver Dowden promised “common sense, not box-ticking” as he talked up plans to reform data laws.
The dangers of deviation
GDPR schism or not, businesses operating in Europe will still have to adhere to the standards. The UK may have voted to leave the EU but, via the internet, businesses cross borders and must follow local rules. Labour’s Chris Bryant deemed the government’s split from GDPR “madness”, adding that “UK divergence will simply mean UK double costs.” And that’s not mentioning the burgeoning GDPR equivalents being developed in the US.
<!– inArticleBlock –>
Any UK divergence from GDPR threatens incompatibility with EU adequacy levels, threatening to cut off the market completely. Would it be possible to reduce red tape while also being compatible with growing privacy regulations in the US and EU?
As it stands, both the ICO and the DCMS believed that the Data Protection and Digital Information Bill (DPDI) going through parliament does not threaten the UK’s EU adequacy status. IAB UK chief marketing officer James Chandler previously warned that the loss of adequacy would mean “UK businesses face even more costs and bureaucracy to operate in the EEA“.
So, could a UK-centric GDPR be a success?
Jo Eckersley, CEO and founder of Bubbl, believes “it is rather too easy, if not disingenuous, to suggest that we can simply rip up GDPR and start again“. Building a whole new system “won’t happen overnight“ – GDPR replaced some policies written in the 90s, so it can be glacial in pace.
She urges industry peers to “use this as an opportunity to really innovate around providing valuable experiences to consumers, rather than just trying to find a privacy workaround… to carry on using legacy tech, covert data collection and business models.“
Damon Reeve, CEO of Ozone, welcomes policies that remove the “box-ticking” compliance and stop treating “all businesses the same“.
He speaks on behalf of publishers and media owners that fund their content with advertising – for them, life could be easier. He would also like to see the international transfer of data simplified – digital advertising crosses borders and so should the legislation.
And finally, he would like to improve the user experience by creating a simplified consent management platform (CMP) that “puts the responsibility back on to the company and not on the user“. We should be able to trust the sites we visit, right?
<!– inArticleBlock –>
Nicola Newitt, senior privacy and product counsel at InfoSum, believes GDPR is fit for purpose, but posits that the UK could theoretically make life easier for businesses with a reduced compliance burden, but adds that changes “would be damaging for consumers“.
“The best thing for businesses in the UK would be to have certainty that the new privacy regime will not stray so far from GDPR that they lose the adequacy decision.“
And as “significant resources“ have been spent to meet GDPR compliance, there would have to be a “significant reward“ to rally businesses behind any change.
Susana Figueredo, legal and compliance manager at Incubeta, warns that the EU adequacy tests of today may have a lower threshold than those of tomorrow. “Not many countries have been found to be adequate even now. However, it is reasonable to assume that any UK privacy law should respect the core protections granted by the GDPR.“
Any changes, particularly around “valid consent, may not be well received by the EU,“ but Figueredo believes that in the end the UK is in a good position to shape the policy, itself being “one of the principal architects of GDPR.“
But she takes a harder stance on GDPR than most, saying it is no longer fit for purpose for marketers because “regulation is being outpaced by new ways of gathering data.“
<!– inArticleBlock –>
Husna Grimes, vice-president of global privacy at Permutive, accused the UK government of “creating another set of rules for multinational companies to comply with,“ adding even “more red tape.“
We’ve been through this before, she adds, but this time minus any real specifics that could help marketers prepare. “Today regulators and platforms are providing consumers with the choice of whether their data can or can’t be used for digital advertising. And when given that choice, consumers are opting out. It means advertisers are facing drastically reduced addressability – already today, advertisers can only reach around 30% of consumers. Protecting consumer privacy is now non-negotiable.“
Bradley Williamson, analytics manager at Tribal Worldwide, has some practical requests. He rubbished the need for data controllers that operate in the UK (but are not based there) to have a UK-based data protection representative. He also wants to see the use-case of cookies expanded. He worries that GDPR fell short on a few areas and adds that there doesn’t seem to be “the desire to update GDPR protocols to keep it up to date with the ever-changing landscape.“
<!– inArticleBlock –>
Tom Jenen, chief revenue officer of Brand Metrics, believes that people “want“ data regulation after two decades of businesses “greatly over-reaching.“
“GDPR was a good, if imperfect, start,“ and any changes would only benefit “UK businesses that only do business in the UK with UK customers – a need that is actually at odds with the government’s desire to help our businesses be more global.“
James Leaver, founder and CEO of Multilocal, warns that “if we deviate too far from GDPR, we risk the decision to cut the UK out of global plans,“ and adds that GDPR “is far from perfect and needs some improvement, the world doesn’t need another privacy standard.“
Julia Linehan, founder and managing director of The Digital Voice, adds: “Rather like Brexit, we need to bear in mind the law of unintended consequences. We must not risk a further widening of the division between EU and British businesses, especially at a time of such change and upheaval.“
To find out more about what marketers and their partners need to do to succeed on a global level, check out The Drum’s Globalization Deep Dive.