Will British Digital Ads Ever See a 'Data Dividend' From Brexit?

What U.K. advertisers should be thinking about when it comes to online regulation

Two recent events affecting U.K. privacy regulation passed by without too much attention, yet could turn out to be much more significant than they initially seemed. The first is the appointment of John Edwards as the new Information Commissioner; the second is a report by DCMS published on Sept. 10 called “Data—A new direction.”

As if marketers haven’t been challenged enough in the past 18 months, they now must wonder—what might this new data privacy future hold for them?

Bureaucracy at its best

While the principles of privacy and data protection are generally understood and accepted, the experience of GDPR for anyone working in digital advertising is more likely to be described as baffling and bureaucratic. From integrating CMPs into websites, filling out data protection impact assessments, creating records of processing activities, dealing with subject access requests and debating with DPOs, getting business done is definitely a lot more challenging.

At least we are reassured that consumers are now better informed about how their data is used and no longer have those creepy ads following them around the internet… oh.

Cutting the red tape

The first signs of change were made in The Telegraph on Aug. 25 by then British Digital Secretary Oliver Dowden when he spoke about the “data dividend” of Brexit—one which will spur growth in the increasingly important sphere known as the digital economy. This was then backed up by more detail in the DCMS report published on Sept. 10.

Dowden said: “proposals to reform data rules [to] turbocharge the digital economy and cut red tape”—but what does that actually mean for digital advertising? Will we see an end to cookie banner notices for good? Can we do away with CMPs? Will we still have to fill out data protection impact assessments?

Delving into the DCMS report reveals the main change to be a shift from specific processes outlined in the GDPR to one where companies may establish a “privacy management programme”—which is similar to complying with GDPR but potentially more tailored. How different this is from current GDPR paperwork will depend on each company, but the concept does offer companies flexibility in how they meet regulator expectations. This, in turn, opens up the potential for some more specific changes:

  • No need for companies to appoint a DPO (maybe)
  • No need to fill out data protection impact assessments
  • No need to create a register of processing activities
  • The introduction of a ‘whitelist’ concept for many processing activities that fall into the legitimate interest category
  • Relaxing some rules and definitions for legitimate interest for cookie consent and GDPR purposes

Damon Reeve, CEO of The Ozone Project

Depending on your company, this could end up making life easier. For example, establishing a whitelist for common activities (such as site analytics) will remove red tape for many marketing companies. If there are companies out there that are not using site data for marketing (do they exist?), then cookie banner notices may not be needed for their users. For many, though, a “privacy management programme” will most likely look pretty similar to the current obligations, especially for those that operate across country borders.

Process vs principle

John Edwards, in his final select committee interview with MPs before being appointed as the U.K.’s new Information Commissioner, talked about the need for data regulation to be easy—easy to implement, easy for consumers to exercise choices, and easy to access remedies when things go wrong—and to bring an end to the pointless cookie banner notices that he, along with all of us, clicks away without reading so he can access the content he actually wants to read (and why do they never seem to remember that I clicked to accept the last time?).

He also made clear that while the processes might change, the essence of privacy and data protection will remain the same. Europe regulates as it sees fit, and GDPR seems to fit with its legal traditions; the U.K. will do the same.

The DCMS proposals reflect this. The data protection principles or lawful bases for processing are largely unchanged (whitelists notwithstanding), and other concepts such as the distinction between processors and controllers are also unchanged. Cookie banner notices may go away for some uses of cookies, but not for targeting and marketing.

Beware what you wish for

While obligations on businesses may be lighter, this is likely to be counterbalanced with responsibility, so expect to see a higher level of enforcement for transgressions. Removing the box-ticking will alleviate headaches for many, but it also removes the processes that many may look to hide behind.

It’s highly unlikely a “business friendly” ICO will mean a lowering of standards. Adequacy tests agreed with the EU as part of Brexit will still apply, and will be important to maintain if the U.K. is to gain that lucrative data dividend that Oliver Dowden claimed would come with the removal of privacy-led red tape.

So while we should view the incoming John Edwards and the direction DCMS are pointing towards as a positive move, for most in digital advertising, data regulation will continue on a similar path.