Is the UK missing an opportunity to transform data privacy policy?

Digital Economy10 May 2023

While the UK government develops proposals to reform GDPR, Russell Howe at Ketch, asks: are we missing the bigger data picture?

In post-Brexit Britain there’s been plenty of talk about the future of data privacy regulations. Will the European Union’s General Data Protection Regulation (GDPR) be replaced entirely? How will the UK government demonstrate a commitment to protecting its citizens’ information while pulling away from EU rules and requirements? Will consumer privacy be championed in this new landscape?

We might soon have the answers to some of these questions, because The Data Protection and Digital Information (No.2) Bill is here. The bill is set to replace GDPR and is presented as an evolved, administrative-light approach to the existing regulations that upholds data privacy rights and reduces the burden of paperwork for SMEs. Supporters of the bill say it could even generate billions in revenue for the UK. Sounds great, right?

Not quite. It’s important to remember that this bill is in its early stages, going through readings. Much of the detail is yet to be refined, and there will undoubtedly be changes. It’ll also take time before some of the political spin shrouding this bill and wider discussions about GDPR is cleared. Then we’ll be in a better position to fully understand this bill’s implications for data privacy, consumers, and brands.

While this bill makes its way through parliament, all of us who care about data respect and consumer privacy would do well to think about what really matters here, free from any political grandstanding or complex regulatory frameworks. In an ideal world, what should any reforms to GDPR actually look like? How do we make the case for a privacy-centric future – one in which businesses uphold data dignity as a core business value?

The Bill’s basics

The headline from the The Data Protection and Digital Information (No.2) Bill is that it’ll remove paperwork and increase flexibility for businesses. But at closer inspection, it’s not clear exactly who will benefit from this cutting down of “pointless paperwork.” The bill’s press release also states that the existing GDPR “takes a highly prescriptive, top-down approach to data protection regulation which can limit organisations’ flexibility to manage risks.”

Instead of looking at how to tackle these issues head on, in a way that promotes data privacy and encourages – even incentivises – businesses to make a commitment to respectful data practices, the bill is essentially saying to UK businesses: if you’re small, with a UK customer base only, then you don’t have to worry about that burdensome paperwork. If you’re anybody else, then yes you do.

Some may see this small reduction in red tape as a positive step. But if you’re a small UK business in tech, digital or data, you’re probably going after the global market anyway. You want to expand your customer base outside of the UK. We should be encouraging small British businesses to think bigger and nurture their growth ambitions.

Another key talking point around this bill is how it’ll expand legitimate interest grounds or legitimate areas of activity for brands – the rules dictating when and how brands can obtain their consumers’ data without consent.

While the exact rules around legitimate interest are not categorically defined – although the bill does stipulate that businesses must have a public interest justification to collect data without consent – the discussion around consent, transparency, and legitimate interest is an interesting one for those of us who want to see a business environment where data privacy and respect is taken seriously.

What should we be advocating?

What we want is a future where CMOs, marketing teams, advertisers, and business leaders across the globe are on board with a privacy-centric approach to consumer data.

At present, far too many brands know all the right things to say when it comes to data privacy and how to comply with current regulations. But you only have to scratch the surface of their data practices to find out that they don’t truly take a consumer-first approach at all. We see the same story played out again and again online, with big brands wedded to bad data practices – many of which have become entrenched within their operations.

If these brands behaved the same way in-person as they do online, they wouldn’t get away with it.

Consumers don’t expect to walk into department stores, be assigned their own personal assistant, and then followed around the store while thousands of data points on each and every interaction and movement they make is collected in real-time. They also don’t expect that, at the end of their shopping experience, all that data will be quietly shared with several other brands and businesses.

Worse still, if that consumer wants to delete the data held on them by the department store, it’ll only be deleted in the first instance, and not by the brands and businesses (the third parties) who also hold that data.

When the consumer asks the department store to delete their information, they oblige, because GDPR dictates that they must. But they can wash their hands of the responsibility to delete the third-party data; it’s now up to the consumer to contact each and every third-party brand individually to also request that they delete their data.

Some time in the future, data handling laws and regulations will prevent brands from doing this. This will empower consumers everywhere to dictate, clearly, exactly who holds their data and who they trust to use it responsibly. Many enterprises aren’t ready to deliver on this yet, but that transparent and respectful approach to data practices is coming, and brands will have to adapt.

The UK’s GDPR reform bill does not advocate for this approach. Even when these bills set out how brands can and can’t process data without consent, they’re still only talking about first-party data. Consumers who want full transparency and control over the data stored behind closed doors by third-parties? They can forget about it.

The future is in brands taking the lead

Too many brands and enterprises globally currently see data privacy as a competition-blocking activity. They will comply with the laws in their region where they must, but many still try to skirt around these regulations with workarounds and loopholes.

The dividing line of the future will be between the brands who want to elevate themselves above the letter of the law, who set a de facto standard for building trust with their consumers, and the brands who continue to disregard data privacy as a competition-defining value.

Slowly, though, this space will begin to change for the better. The brands setting a new standard for trust and privacy will have a competitive advantage over their counterparts, because they will develop loyal consumer bases, with consumers choosing to reward them for their dignified data practices.

When brands begin to demonstrate that there’s value in a consumer-first approach to data – and that time is coming – it’ll start setting apart the disrupters from the check-boxers. The disruptors will see how a trust-first approach to everything they do will add value to their brand in the long-term.

There are already brands out there starting from the ground up with trust by design, and they will be leading this new wave of disruption. The brands and marketers who continue to see data privacy as detrimental to their way of working or how they measure business success need to start paying attention.

If they haven’t got their first-party data strategies in place to combat this new disruptive wave of integrity and trust, they better start working on them now.

Russell Howe is VP EMEA at Ketch

Main image courtesy of iStockPhoto.com