The UK’s GDPR Overhaul: 5 Things to Be Aware Of

The British Government plans to make changes to data governance having left the EU


As the United Kingdom (U.K.) evolves in a post-Brexit world, one of the areas that digital marketers will be keeping a close eye on will be the forecasted updates to data legislation. There is plenty of speculation on what form these changes may take, whether that be abolishing the barrage of cookie consent mechanics as users land on-site or the simplification of the legislation overall, making it easier for businesses to understand and apply.

Whatever the U.K. government has planned for the new legislation, there are some fundamentals that must not be ignored:

User (not business) centric

A lot of the headlines we’ve seen in the U.K. have focused on the financial upside for businesses through simplification of data legislation. While we should all be for increasing business opportunities, this should not be done at the expense of the critical driver of GDPR—making consumer data more secure and putting the user first.

The worry is that the U.K. simply isn’t a significant enough market to make it worth the friction.

Pete Wallace, MD for GumGum EMEA

Something we’ve heard being debated is the possibility of getting rid of cookie notifications. There is obviously a strong argument for doing this because of how disruptive these notifications are for the user experience. But we will still need to make sure there is a mechanism that allows users to clearly dictate what they want to opt into and what they opt out of. Ultimately, the legislation will need to be about empowering consumers and not be geared solely towards the financial benefits of businesses.

Come down hard on data breaches

It has also been proposed that the complainant will now need to take up issues directly with the business that might have caused a data breach. In a world where even complaints from high-level organizations can be wrapped in red tape—we all know how difficult it is to make a complaint to a telco or broadband provider—do we really expect the tech giants to be forthcoming in resolutions with individual consumers?

It seems unlikely. So, there needs to be a clear escalation process to avoid this and make sure complaints around data breaches are resolved. At the same time, any legislation will need to stipulate significant penalties for violations.

Under GDPR, companies can be fined up to $23 million (20 million Euros) or 4% of global annual turnover. The government may be tempted to go for less financially crippling fines. But ministers should avoid going too soft or risk reducing the incentive for brands to stick to the rules.

Leave no grey areas

As GDPR loomed, there was still mass confusion and mild hysteria around the industry—rules were unclear and ultimately, we ended up in a farcical scenario where many businesses leaned on the concept of Legitimate Interest to continue to operate in the same way as pre-GDPR. Naturally, things have evolved since, but there is arguably still some sense of confusion away from the very distinct breaches in guidelines.

Any U.K.-specific legislation needs to leave no room for confusion—with clear identification of what is and what is not allowed. There should be no ambiguity as to whether a data breach occurs.

Don’t make the U.K. a data island

Data legislation is set to impact the vast majority of the globe over the coming years. As the U.K. is just one small portion of the data economy, it would be remiss for this country to steer too wildly away from other key markets. Yes, simplify things but don’t make it difficult for businesses to adapt to this simplification or we’ll end up in instances where businesses consider it too challenging or unique to operate within the U.K. market.

Start preparing now

Whatever the final changes that occur, advertisers need to act now and be ready for the future. It was clear that we weren’t ready for GDPR and, arguably, we’re still not ready for the abolition of the cookie. The brands that will benefit are those that prioritize data legislation/privacy and act now to ensure readiness for what the future might hold.

The best way digital advertisers can protect themselves and ensure they’re targeting safely across all markets is by adopting cookie-less solutions and making methodologies that do not require any use of personally identifiable information central to their targeting strategy. Whether it’s first- or third-party data, user IDs or cohort-based targeting, there will always be the potential for data breaches.

Final thoughts

The level of concern advertisers should have will depend on how far the U.K. plans to deviate from the EU’s data privacy rules. Most large brands are used to operating across the bulk of Europe following one set of rules. If the U.K. becomes a significant outlier to GDPR, it could make cross-border business much more complex.

The worry is that the U.K. simply isn’t a significant enough market to make it worth the friction and brands may choose to cut their U.K. ad spend.

Sometimes, when it comes to the flow of data, it pays to stay close to your nearest and largest market. Switzerland offers a lesson here. While the country is outside the EU and isn’t covered by GDPR, its data legislation regime mirrors the EU’s in many ways and is often described as “GDPR-light.”

Yes, the U.K. is a much larger market than Switzerland, but the same rules apply. Even California has arguably followed GDPR’s lead with its own regulations (CPRA). There’s good reason for the U.K. to consider doing the same.