2022 marks four years since the General Data Protection Regulation came into effect in the UK, a move which handed organisations specific legal responsibilities around the collection and use of personal data. The anniversary comes at a time when the UK Government is actively mapping out what it sees as the replacement to GDPR in a post-Brexit world. The Data Reform Bill, currently at the draft stage, has emerged as a proposal that it is keen to highlight as a dividend for businesses from the UK’s legal separation from the European Union.
The legal world moves slowly but carefully, and regardless of the individual legislation, the theme is the same - businesses everywhere are having to grapple with a reality where regulators around the world are paying closer attention to how consumer data is collected, stored, and managed. At the same time, technologies are also changing. Support for the third-party cookie is being phased out, for example, meaning marketers are having to build alternative means to understand the journeys their customers and prospects are making. The MarTech world today is a turbulent one.
Demystifying data privacy
Technological advancements, alongside fears and doubts have created misconceptions around what businesses can and cannot do with our personal data. In essence, data protection concerns the rights of an individual to have control over how their personal information is collected and used. GDPR formalised those rights for individuals and also placed an obligation on businesses and organisations by making them data ‘controllers’ under the law. These are decision-makers that exercise control over how personal data is processed and used.
Under GDPR, businesses need to have a clear legal basis for processing personal data and must actively take steps to ensure the eight rights individuals have over their data can be exercised, such as the right to data transparency and the right of access. For all its flaws, the passing of GDPR was a major step forward, because it harmonised all data privacy laws across all the European Union member states. It was also originally designed to afford greater protection to the rights of individuals when it came to their personal data. At the time of introduction, GDPR was one of the most innovative accountability-based pieces of data protection legislation in the world and is considered foundational for future data privacy legislation.
What is next after GDPR
When GDPR was first passed, there was much talk of what businesses needed to do in order to stay compliant. That was by no means a wasted effort - the legislation has been heavily enforced across the European Union. More than 1000 fines have been issued across the EU by the region’s various data protection authorities, since the legislation took effect in May 2018. That is not to mention the shift in the public’s attitude that has come about with the passing of the legislation. Marketers remain under ongoing pressure to not just stay compliant, but actively demonstrate ways they are taking consumer data privacy seriously.
With the coming of the Data Reform Bill, the changes to the UK regulatory landscape are set to be sizeable. However, this needs to be carefully balanced against the fact that any new regulations will still need to fulfil standards set by the European Union on data protection, because the reality is that data flows globally across countries and continents in our digital world. It is worth remembering that businesses today operate in a borderless world, and so however the legislation eventually ends up looking like, the UK cannot afford to risk losing its ‘adequacy’ status with the EU that makes cross-border data sharing possible.
The new proposed legislation will likely remove some of the compliance obligations that are seen by the current Government to create barriers to businesses innovating with data. There will also be further efforts to ‘modernise’ the Information Commissioners’ Office (ICO) and bring it under direct Government control. Cookie banners are set to become a thing of the past, and the UK government has stated it wishes to switch back to an opt out model, once browser-based controls are more widely available.
Data protection in a ‘cookieless’ world
Alongside the broader data protection regime, third-party cookies are another area where major changes are afoot. For decades, these small pieces of data, which are saved on users’ devices as they browse the Web and click on links, have powered much of the AdTech world, and been the primary way brands have been able to understand user behaviours, measure the performance of campaigns, and map the on- and cross-website journeys potential customers are making.
The demise of third party cookies is also a major opportunity; a chance for brands to build trust with consumers in new and more direct ways, while at the same time capturing the information needed to allow every subsequent interaction to become more personalised, meaningful, and useful. Any opportunity to encourage users to share their preferences with an affirmative permission should be seized by brands.
Leveraging first-party data
This is why first-party data takes on added importance. This is data an organisation collects through its own sources, as opposed to third-party data which is typically purchased and obtained through sources like data aggregators or online advertisement platforms. As we move away from third party cookie-based data collection, the insights that marketers are able to collect themselves, alongside what they can glean from the various replacements to third-party cookies that are emerging, will be crucial in maintaining an understanding of their customers and their preferences.
Walking the fine line between data protection and data collection is not simply about building better marketing communications or doing the bare minimum to stay legally compliant. With the Data Reform Bill, the UK Government has rightly recognised just how important personal data is to the economy and technological innovation at large. Close and effective cooperation between marketing services companies, publishers, marketers, and regulators will be the key to not only ensuring the responsible development of emerging technologies such as artificial intelligence, but also to the fundamental future of an ad-supported, free, and open Internet.