Our Chief Digital Officer and privacy top dog, Nick Smith, gives his lowdown on the Data Protection and Digital Information Bill No. 2 and what it means for advertisers.
Why No. 2?
On 8th March we saw the government’s latest iteration of the proposed reforms to data protection in the UK. Having set its stall out under the previous PM’s stewardship, the government has been clear in its agenda – create a more tailored, “business friendly”, and ultimately, British system of data protection.
There was a little nervousness about just how far this second bill would go: too much divergence from EU GDPR would certainly bring into question compliance with soon-to-be-reviewed adequacy agreements, threatening the free flow of data between the EU and the UK. However, whilst the bill proposes wide-reaching changes, it is demonstrably a case of evolution not revolution – with many of the changes likely to be warmly welcomed by businesses seeking a more proportionate approach to data management.
A more nuanced approach to risk
Within the proposed changes there is a general theme of establishing a more flexible approach, better tailored to the specific nature of any data processing and the associated risks – recognising previous criticism from some quarters with regard to the excessive burden of compliance. Gone is the universal need for a Data Protection Officer, with responsibility shifting to a senior member of staff, but ultimately only if the business carries out high risk processing.
Similarly removed is the need for Data Protection Impact Assessments – replaced with a more targeted “assessment of high risk processing”, effectively allowing the application of measures better suited to the specific nature of a business’ data processing. There are changes too when it comes to maintaining records of processing – records now only need to be kept where a processing activity is likely to result in a high level of risk to the rights and freedoms of individuals.
More Cookies will avoid the need for consent
A key tenet of UK GDPR centres on requesting user consent for the placement of third-party Cookies – something which doesn’t change when it comes to processing for use in advertising. However, what has changed is the blanket consent requirement for all types of 3P Cookies – the revised bill looks to expand the categories of Cookies that do not need consent to include those collecting data for analytical purposes. The implications could be substantial when it comes to one of the industry’s most vexing challenges in the era of Privacy – measurement.
Expansion in what may fall under Legitimate Interest
Of similar importance to marketing teams is the announcement that the bill now includes examples of types of processing that may be considered to fall under legitimate interest as a means of permission to process. This now includes provision for direct marketing purposes.
This is not a wholesale carte blanche: controllers must still ensure their interests are not outweighed by the data subjects’. It does at least suggest there will be a framework where organisations may more freely assess the use of ‘Legitimate Interest’ when it comes to DM activities. It is worth noting that, with no accompanying changes to PECR (Privacy and Electronic Communications Regulations) with regard to electronic marketing, the obligation to obtain consent still applies.
In Summary
As is often the case, businesses will no doubt be disappointed the recommendations don’t go further. Yet there is clear recognition, and rightly so, that too dramatic a shift away from EU GDPR could have far more uncomfortable consequences. And whilst not that dramatic, the changes proposed will ease some of the compliance burden experienced since 2018.
The bigger question will be whether we’ll get to see the bill successfully navigate the parliamentary process before the current session ends (an October deadline looms), or whether the similarly pending Online Safety Bill, and the inclusion of new surveillance measures, really will raise EU eyebrows.