The UK has had four years to get used to the sweeping changes that the EU General Data Protection Regulation (GDPR) brought with it when its provisions were implemented in the Data Protection Act 2018. That year, businesses were forced to rewrite data-handling procedures and implement stringent new ways of interacting with their customers.
Having been marched up to the top of the GDPR hill, it looks increasingly likely that marketers and their clients will be marched back down again some time soon. In the Queen’s Speech on 10 May, the government revealed that it was planning significant reforms to data protection law.
Details were thin on the ground, but the government did say that it intended to replace the “highly complex” legislation that it had inherited from the EU with something offering a lighter touch. The main goal: to make the whole process more straightforward and save organisations from having to do “excessive paperwork”.
But there are causes for concern for businesses, many of which have only just managed to wrap their heads around all the complexities created by the GDPR. For instance, firms that have one foot in the UK and the other in Europe are worried that the extra bureaucratic burden of having to comply with two sets of regulations could cause them huge problems.
Westminster has said that it will open its proposals to consultation, which means that the industry – and consumers – have the power to shape the law. So what should the future of data protection regulation look like?
Preparing for change
There tends to be a lot of anxiety surrounding big legislative changes, but this often proves unfounded when the realities of compliance don’t prove as difficult as feared. This is why some marketers suggest that worrying too much in this respect is a stressful waste of time and energy.
“Data protection regulation is quite simply beyond the capacity of us mere mortals,” admits Andrew Armitage, founder and MD of A Digital, an agency based in Kendal, Cumbria. “People running small businesses can’t afford the services of a compliance department, a chief data officer or an information security officer. The reality is that most small firms – and probably larger ones too – will choose their providers carefully and do the best they can.”
But Armitage believes that no company can categorically say that it’s always 100% compliant with all the rules. “It’s too complicated to know what material gets sent where and when. This becomes a problem only in the event of a security breach or a scandal,” he says.
The main aim of the proposed reforms is to save firms from “excessive paperwork”, which should, at least in theory, reduce the risks of non-compliance. But the key question is whether some of the more bureaucratic elements of the GDPR will have to remain in UK law.
A data privacy update
There is a good reason for retaining certain elements of the GDPR, according to Natalie Cramp, CEO of data science company Profusion.
“I don’t think anyone can argue that it’s a flawless piece of legislation,” she says. “But, if you consider how weak and outdated our data privacy laws were before its enactment, it has substantially improved the situation overall.”
For instance, the GDPR drove a significant change in consumer rights by putting the individual at the centre of data protection legislation. The concern is that the good work it prompted the marketing industry to do to smarten up its act – and build public trust in the process – will be undone.
“The fear is that the government will favour weak and/or vague regulations in the name of simplicity,” says Cramp, who foresees a potential double whammy. “The UK could end up in a situation where businesses are struggling to navigate a new set of rules, thereby damaging their ability to operate internationally, while people are left with little protection.”
The prospect of a two-track system is worrying plenty of British businesses with interests in the EU, observes Dr Janet Ward, senior lecturer in marketing at the University of Brighton.
Although firms that rely on foreign markets further afield “may welcome some easing of the GDPR, companies that depend on European trade may raise concerns”, she predicts, noting that UK exports to the EU in 2021 were £20bn down on the total for 2018, the latest comparable year of stable trading.
Ward points out that having different regulations from those of our nearest foreign market may seem like a nightmare, particularly for smaller firms that have had to deal with problems caused by the Northern Ireland protocol. She adds that “those more focused on consumer behaviour will be concerned about a dilution of protections, particularly for children and other vulnerable people”.
Marketers hope for clarity
Whatever reforms are eventually enacted, there is one thing for certain: the whole marketing profession would like these to be the last ones for a while.
“Everyone in our industry is keen to avoid constant changes to the rules,” says Amanda Walls, founder and director of Manchester-based agency Cedarwood Digital. “Each time the rules change, we go through our own consultation process with experts to then roll out the required changes across our websites and those of our clients. This process is not only costly; it’s also incredibly time-consuming. Any move to ‘simplify’ data regulation has to be a final one for at least the foreseeable future.”
Such simplification needs to work for all concerned. British consumers and their representatives aren’t likely to favour much in the way of deregulation, because they gained a set of significant legal protections in 2018. An international survey of 2,600 consumers published by Cisco Systems last year found that 18% of UK respondents had approached an organisation to enquire about having the personal data it had obtained on them amended or erased – one of the important rights granted to them by the GDPR.
Tech firms, for their part, will generally lobby for deregulation. For instance, they’re likely to be concerned about how the long-planned Digital Markets Unit within the Competition and Markets Authority is being beefed up with greater powers to clamp down on bad actors, although nothing substantial is likely to happen in this department before the end of the 2022-23 parliamentary session.
It all leads to plenty of uncertainty for marketing chiefs as they try to formulate their medium-term business plans. This is a headache that doesn’t have an easy remedy at present.
If there’s one thing that the entire industry would like to obtain from the forthcoming legislation, it’s clarity.
“There would need to be a clear distinction and understanding here of how our own data protection guidelines would work with this, without creating the complexity of having to operate within different data rules depending on which organisation’s products we’re working with,” says Walls, who fears that such an outcome “would not only be incredibly time-consuming; it could also increase the risk of error”.