The New Data Protection Bill Brings Post-Brexit UK Firmly in Line with the GDPR

For those wondering how Brexit would affect the UK's adoption of the upcoming General Data Protection Regulation (GDPR), here's your answer: it won't. This week the UK government announced the Data Protection Bill (DPB), which is designed to align with the GDPR, which comes into force in May 2018, when the UK will still officially be an EU member.

The GDPR comprises a host of consumer-focused data protection laws, which the DPB is designed to emulate. The introduction of the DPB will also ensure that UK companies operating within the EU, and counting EU data subjects as customers, will be able to continue with the exchanging and handling of data across EU borders.

This should hopefully come as no surprise to businesses operating in the digital advertising ecosystem, of which data is a fundamental part, and will just ensure that GDPR-compliance measures that have been carried out to date will be able to be applied to the DPB, once the UK leaves the EU.

ExchangeWire asks industry thought leaders to weigh in on what the DPB will mean for data handling and processing in the UK:

DPB encourages new approaches to customer consent management

“The government’s new Data Protection Bill is a wake-up call for all companies which collect and process personal data. Because it transfers the EU’s General Data Protection Regulation into UK law, there really is no excuse for non-compliance, as it’s clearer than ever that companies who don't comply risk fines of up to £17m or 4% of global turnover. No one is really ready and there is not much time to make the changes in gathering consent and processing personal information.

“As well as considering the penalties that encourage alignment, I’d also urge companies to think about the benefits of a more forward-looking approach to customer consent management. Starting an open dialogue with consumers about how their data is used can help companies position themselves as responsible and trustworthy.

“The changes also require a whole new approach to data processing by first-party data providers. For example, mobile data is activated via Android device IDs and the equivalent Apple Identifiers for Advertisers (IDFAs), which are themselves classified as personal information under the GDPR. New, dynamic de-identification technologies offer a solution by converting consumer identities into a randomised string of characters (a token) that protects the data as it can only be used once, for its intended purpose.

“Technology like this will ensure that, following the changes, the ad tech industry still has access to the intelligence in data that fuels its engine – and that this data remains of the highest quality.”

Tobin Ireland, CEO & Co-Founder, Smartpipe

Noncompliance isn't an option, but change should be embraced

“This is hardly a surprise – the updating of current data protection laws is long overdue. Using insights gleaned from customer data to deliver targeted, engaging, and personalised marketing is a privilege – not a right. Customers’ right to privacy must be front and centre, and new legislation will set out how marketers should collect and govern data in today’s data-driven world. However, that doesn’t necessarily mean everyone is ready for it.

“There is no grey area here – companies must get their house in order to comply, but this doesn’t have to mean a complete tech overhaul. Conducting audit data flows and assessing what data you currently have, and where, is the first step on the road to compliance. Instead of burying heads in the sand, organisations should embrace change. The new Data Protection Bill and GDPR will create transparency between brand and customer and, rightfully, hand back control to the user. Marketers must view this an opportunity to win back trust and rebuild the value exchange.”

Lindsay McEwan, Vice President & Managing Director, EMEA, Tealium

An opportunity for consumer education

"Consumer fear around the way companies use their data is at an all time high – amplified by the barrage of news stories about big businesses misusing or losing data to hackers. Therefore, it's no wonder that the government has outlined these plans to help implement the GDPR into UK law, in response to public demand.

"The brands and advertisers quaking at the prospect of more robust data laws, that require consumers to give explicit consent, are fed up with trying to understand what is happening to their own, and their consumers' data, within the opaque digital ecosystem. The industry should see this as an opportunity to better inform and educate consumers about how and why they are using their data. Consumers need to feel emboldened, not anxious. If brands want to prevent consumers from blocking their ads, then they need to do a better job of explaining that the exchange of anonymous data funds the content that customers read and consume."

Andrew Bloom, General Manager, EMEA, Sizmek

A foundation to ensure UK digital commerce can continue to flourish

“While I’m not a UK attorney, as a privacy wonk I am overjoyed whenever new privacy or data protection laws are proposed. Ostensibly, the proposal would accomplish two objectives: 1) to give UK residents more control over their personal data; and 2) to align the UK’s data protection regime with the GDPR.

“The proposed UK legislation will obviate Brexit-related fears that the data spigot will be turned off because the UK’s data protection law doesn’t offer the same level of protection as the GDPR.

“Once the bill becomes law, it will endow the UK resident with new and codified rights, such as the right to access and correct data, and the right to delete it. Likewise, UK organisations will be obligated to create new processes to honour those new rights and be expected to have a comprehensive understanding and control over all of their data practices. They will also need to communicate their data policy clearly and simply to consumers and provide the ability to control their personal data.

“The legislative process needs to be completed, and there will surely be many modifications that make their way into the final legislation, but it’s great to see the foundation being laid in the UK that will allow digital commerce to continue unabated.”

Todd Ruback, Chief Privacy Officer & VP of Legal Affairs, Evidon