How to navigate the Data Reform Bill

At last there’s more detail from the UK Government on plans to reform UK data protection law post-Brexit. Here’s what you need to know, and what you can do.

Although the proposed changes will require legislation to pass before they come into effect, it’s important to understand the direction the UK is heading, explains Katie Eyton, Chief Ethics and Compliance Officer at OMG UK…

After much anticipation, more detail has recently been unveiled by the UK Government on its new Data Reform Bill. It includes a clearly stated intention to unburden businesses by relaxing a number of current requirements, including cookie consent. Now, as brands await the details of the final legislation when the Bill becomes an Act, there are a number of things they can do to prepare.

The eight most significant changes for marketers:

1) Cookie consent

Apart from websites likely to be accessed by children, the government intends to move to an opt-out model for cookies – but only once the technology is widely available to help users manage online preferences.

The consent requirement is also to be removed for web analytics, but only where information is processed for “aggregate statistical information”, and “not for more intrusive purposes”.

However, given that many commercial analytics solutions use the same cookies for multiple purposes, careful consideration of your web analytics set-up is required to ascertain whether you can benefit from this change.

2) Accountability and risk assessment

Many of the current UK GDPR accountability obligations will be replaced by a more flexible requirement for companies to have a privacy management programme.

Data Protection Impact Assessments (DPIAs) are no longer mandated, but companies will still be expected to have solutions in place to identify and address data protection risks.

Meanwhile, the requirement to appoint a Data Protection Officer (DPO) will be replaced with a requirement to nominate a “senior responsible individual” to oversee the company’s privacy management programme. The main difference in practice is that the person overseeing this can also fulfil other roles within the business, rather than having to maintain strict independence as in the case of a DPO. For organisations that process large volumes of highly sensitive data, DPOs may continue to be appropriate.

It will also no longer be mandatory to consult the ICO prior to any high-risk processing activity.

3) Dealing with complaints

Individuals will now be required to try to resolve any data protection complaints directly with the data controller at the business in question before taking unresolved complaints to the Information Commissioner’s Office (ICO).

As such, there will also be new requirements for data controllers to put in place a simple and transparent handling process to deal with data subject complaints, and companies will have a set time period in which to resolve them.

For many marketers, this will likely require new or enhanced processes and data subject request handling procedures to be put in place. There will also need to be greater collaboration between marketing and legal teams.

4) Data anonymisation

The government will introduce legislation to clarify when data would be regarded as anonymous and therefore outside the scope of data protection legislation.

Depending on the details, this could be beneficial for a number of marketing use cases, especially insights and measurement related purposes.

5) Direct marketing

Soft opt-in for direct marketing is to be extended to non-commercial organisations such as charities. These organisations will be subject to “exactly the same rules as commercial ones in terms of respecting a person’s right to opt-out and making it easy for them to do so.”

6) Legal basis

During the consultation, the Government proposed to create a limited, exhaustive list of legitimate interests for which a balancing test is not required.

The Government will proceed with this proposal, but it will initially be limited to a small number of “carefully defined processing activities” (such as crime prevention).

The list is not likely to include marketing use cases, for which data controllers should continue to carry out a balancing test.

7) International data transfers

The Government has reaffirmed its desire to create an autonomous framework for international data transfers that “reflects the UK’s independent approach to data protection”, as well as relaxing the current requirements to review adequacy regulations every four years.

For businesses struggling with the current risk assessment process for SCCs and other transfer mechanisms, there will be “reforms which ensure that data exporters can act pragmatically and proportionally when using alternative transfer mechanisms”, although it is not yet clear what form these will take in practice.

For companies processing the data of EU residents, this could create more complexity as both EU and UK regimes would need to be considered, while many companies will be concerned that the proposed changes could impact on the UK’s adequacy status with the EU.

8) Fines and enforcement

There was a general feeling amongst respondents to the Government’s consultation that the current enforcement regime was “not dissuasive enough”.

Among other initiatives to address this, the Government plans to bring fines for non-compliance with the Privacy and Electronic Communications Regulations (PECR – informally known as ‘the cookie law’) in line with the UK GDPR. This means the ICO will be able to levy fines of up to £17.5m or four per cent of a business’s global turnover (whichever is higher).

It goes without saying that failing to comply with current and future regulations represents a significant legal and business risk.

And eight practical steps you can take:

1) Meet with legal

Marketing teams should meet with their legal and privacy counterparts to discuss the potential impact of the changes on current marketing processes (e.g. complaints handling, DPIAs).

2) Take stock

Brand privacy teams should take the time to understand current marketing activity so they can better gauge which activity will be affected and whether any changes to current practice are required.

3) Age check

Find out and document the percentage of your current site and app visitors who are under 18. This is already a requirement under the Age Appropriate Design Code, but will also help you to understand how the proposed changes will affect you.

4) Assess PECR

Review your marketing practices for PECR compliance, paying particular attention to recent enforcement action and the consistent themes running through these decisions, bearing in mind that further review will be needed if browser level user controls become available.

5) Check your web analytics

Review your current web analytics set-up. Make sure you’re clear how analytics data is being used and whether you can separate consent for these different use cases.

6) Get technical

Speak to your technical teams to better understand what may be required for you to honour a cookie opt-out from a browser mechanism. Consider the likely impact on data volumes, and don’t forget to factor in children’s data rules.

7) Think about complaint handling

Consider your process for handling data subject complaints. Is it clear who consumers should contact if they have concerns? If not, this is something you will want to address with your legal teams.

8) Review your record-keeping

Think about what processes you have in place for responding to any complaints regarding marketing activities such as email marketing, the collection and use of data for digital targeting, and data sharing with social media platforms. Do you know who in the organisation you would go to for this information in the event of a complaint? Do you keep clear records of how individuals’ data has been used? If not, now would be a good time to start building out clear processes and lines of responsibility.

By Katie Eyton

Chief Ethics and Compliance Officer