Any lingering suspicion that the UK's decision to leave the European Union would impact its implementation of the EU's General Data Protection Regulation (GDPR) has been quashed following the announcement of a new bill.
The UK’s Digital Minister, Matt Hancock, today announced the Data Protection Bill, a proposed overhaul of UK data law that will bring it in line with the EU’s GDPR.
New Data Protection Bill will strengthen protections, support innovation, implement GDPR & help prepare UK for Brexit pic.twitter.com/q1KrawzAfw
— Matt Hancock (@MattHancock) August 7, 2017
The updated Statement of Intent highlights new legislation that will correspond directly with the proposals laid out by the GDPR, including:
- The ability for consumers to withdraw consent for their personal data being used by companies and the ‘right to be forgotten’.
- The requirement for all organisations to gain “explicit” consent in the process of using personal data.
- The definition of ‘personal data’ to be expanded to include IP addresses, DNA and small text files such as cookies.
- Easier access for consumers looking to establish what data organisations hold on them.
- Fines of up to £17m or 4% of global turnover for any organisations that breach policy, with greater authority being granted to the Information Commissioners.
In addition to complying with the stipulations outlined by the GDPR, the Statement of Intent also specifies that additional laws will be applied to “exercise the available derogations in the GDPR that the UK government negotiated”. This is set to include “the ability to require social media platforms to, on request, delete information held about [the public] at the age of 18”.
Keep calm and get compliant
Some businesses have already raised the question of whether their efforts to become GDPR compliant should be put on hold whilst the Data Protection Bill is being finalised; however, a number of experts have stated that this is only likely to lead to a rushed attempt to meet the legislation further down the line.
“With such a large degree of change taking place there may be a temptation for customer marketers to simply turn their backs on it, or put off any action until all new legislation is in place,” says Nick Rines, spokesperson for Call For Action On the TPS, which campaigns for improving regulation and the use of data in telemarketing.
“The sanctions the ICO will be able to impose in future will be far tougher than what it is able to hand out at the moment, but more importantly consumers have growing expectations from relationships with companies, and they are growing increasingly aware of the responsibilities companies have in terms of personal information.
“Breaking the bonds of trust and statutory law at the same time is not for the faint-hearted.”
Equally, customer insights expert Paul Laughlin believes burying any plans to comply with GDPR is simply putting brands at a competitive disadvantage:
“Perhaps most significant for UK businesses is that this legislation is prompting greater media coverage.
“Consumers being told about new UK laws in these clear and simple terms may well prompt more proactive action from consumers. Those businesses planning to wait to execute re-permissioning campaigns may want to reconsider that in light of this.
“GDPR may have sounded esoteric and clouded with the uncertainty of everything to do with the EU, in consumers’ minds, but erasing embarrassing past data or denying permission for more ‘junk email’ could well appeal.
“I would advise firms to start designing clear communications now, citing the provisions of UK data protection law. The winners will be those who can communicate a clear value proposition for their customers, i.e. if they are to share their data with you, what’s in it for them?”
Despite this, Rines sympathises with businesses that are confused about the exact regulatory requirements they’re being asked to adhere to, and expects further adaptations of both UK and EU legislation as GDPR’s May 2018 deadline hovers in the distance.
“There is no doubt GDPR will be the foundation of what the ICO recommends in the guidelines, but there is scope for far more. Also, the EU has yet to announce content of the new EU privacy law, that will come into effect at the same time as GDPR. Plus, the ICO has not yet given full details of how it intends to interpret GDPR in law.”
What all this means is that marketing departments will have to wait a little longer to find out what the new data rules will be. The ICO, however, has produced useful guidelines on how to get ready for GDPR.