Key Differences Between GDPR and DPDI2
At the time of writing, the bill is at the report stage in the House of Commons, so we don’t know exactly what will stay in and what may fall by the wayside.
However, while DPDI2 retains many core principles of GDPR (they can’t change too much as many companies work across Europe and the EU requires a level of parity), some notable proposed differences include:
- Giving organisations greater confidence about the when they can process Personal Identifiable Information (PII) without consent. Largely confirming what we always knew – Direct Mail can use Legitimate Interest and doesn’t need consent.
- Allow charities and public sector to use soft opt in, the same as commercial companies, and send on related subjects without specific consent.
- Enable companies to do away with cookie pop-ups if only first party data is collected and not third party for re-marketing. This could have a beneficial effect on Google Analytics tracking.
- Reduce the amount of paperwork that organisations need to complete to demonstrate compliance, along with lower compliance costs, and amend the requirement to keep data processing logs, unless there is a high risk to individuals. Also, smaller companies are likely to not need a Data Protection Officer (DPO).
- Simplify the rules around the use of personal data for scientific research and technological development in the public interest, with new allowances for the use of personal data to develop certain AI systems without needing a lawful basis like consent.
- Create grounds for organisations to reject ‘vexatious or excessive’ requests or charge a reasonable fee for such requests. Individuals will have to give specific reasons when objecting to data use, whereas GDPR has no such requirement.
- Require public electronic communication service and network providers to report unlawful direct marketing activity and establish a monetary penalty for non-compliance.
- Replace the Information Commissioner’s Office (ICO) with the Information Commission and enable the regulator to take stronger action against organisations which breach data rules. More fines, though possibly lower ones!
Planning for DPDI2
When the new DPDI2 legislation is finalised, you’ll need to understand how this will affect your organisation. But, you can start planning and looking at this now.
You’ll need to review your current data policies and procedures to identify any changes required for UK audiences. Records of Processing Activities (ROPAs), Balancing Assessments, lawful basis documentation privacy statements and other external facing privacy communications, retention policies, data minimisation principles, opt-out and objections mechanisms, should all be revisited and given a fresh coat of paint. And make sure to adjust your practices to make sure everything is compliant with the new rules.
You’ll also need to communicate the changes to your staff. Indeed, it’s been a while since GDPR, so some staff may need general data refreshers, too.
Make sure your vendors are doing the right thing. Closer oversight will be required to ensure ad tech, data brokers, and other marketing vendors, adhere to revised UK data regulations, and you’re documenting new elements in your vendor contracts to ensure they align.
Global marketers will need to tailor certain data practices, consent procedures, and privacy communication, specifically for UK versus EU audiences.
It’s absolutely worth talking with experts like DCX and getting your ‘data ducks in a row’ in preparation.
But remember, that whilst DPDI2 aims to ease the burden on British businesses post Brexit and encourage innovation, marketers must be mindful of consumer rights and attitudes as regulations shift, and keep the end customer firmly in mind to make sure you are doing right by them– ensure you’re using data ethically and sensibly, as well as legally.