UK data protection laws – the Data Protection and Digital Information Bill

Reforms to the Data Protection and Digital Information Bill aim to provide clarity for businesses and billions in savings.

The DPDI contains amendments to three pieces of existing legislation:

  1. UK GDPR
  2. The Data Protection Act 2018
  3. Privacy and Electronic Communications Regulations (PECR) 

These amendments have been designed to:

  • Provide greater clarity on what represents a legitimate interest, encouraging businesses to use it as a lawful basis for data processing.
  • Expand the range of exemptions for consent cookies, reducing consent banners for ecommerce and charitable websites that do not run advertising.
  • Extend the soft opt-in for email to non-commercial organisations, enabling charities to communicate with donors and volunteers more readily.
  • Expand enforcement powers to match UK GDPR – this includes increasing the maximum fine from £500,000 to £20 million, or 4% of turnover, in a bid to deter rogue cold callers.

Clarity of interests 

Recent complaints from businesses have centred on the lack of confidence in relying on legitimate interest as the main legal basis for marketing data collection. The new amendments have improved clarity and, it is hoped, will increase the opportunities for data collection.

Additionally, the changes should encourage more businesses to use this improved definition of legitimate interest as a lawful basis for appropriate data collection. 

Businesses can now clearly identify attracting and retaining customers and donors as a legitimate interest, but customers retain the right to object to marketing from specific businesses if they so choose. 

  

Impacts on marketing 

The changes to DPDI will impact marketers for the better. The clarification of direct marketing as a legitimate interest should give marketers greater confidence to rely on the legitimate interests legal basis, rather than the more onerous and costly opt-in consent.

In particular, organisations not undertaking high-risk processing will welcome the reduced documentary requirements introduced by the Bill, lessening the burden on administration.

The expanded exemptions for cookies are slated to improve customer experience by reducing the number of consent banners required as well as limiting red tape that can affect website functionality. Despite this attempt to reduce banners, in practice consent banners will likely still be needed for personalised tracking. Commercially, this means tracking cookies and cookies used to build first-party profiles will still require a banner that the user must interact with.

Finally, the extension to soft opt-in emails for non-commercial organisations means charities and similar organisations can better communicate with their existing donors and volunteers. This, it is hoped, will improve the functionality of charities and increase the impact they can have on their specific focuses.  

Any issues? 

We are in the early stages of the DPDI Bill, so it remains to be seen whether it can live up to the goal of allowing businesses to continue using their existing international data transfer options. If this is not possible, perhaps due to incompatibility with GDPR, companies that also handle the data of EU citizens will incur increased costs by ensuring compliance with both sets of legislation.  

Additionally, businesses have raised questions about how the Bill will be enforced. There are still underlying concerns about the methods being used to ensure protection for customers, but also about how far the “cutting of red tape” – a government statement that is frequently touted alongside “introducing common sense” – will go, and at what cost to accountability. It is widely acknowledged that GDPR improved privacy for users and increased accountability for businesses, but will making drastic changes to the established system introduce more risks or reduce accountability?

“Sadly, I see these changes as relatively minor tweaks for most commercial organisations, with the exception of a reduced documentary load for some,” said Peter Galdies, director, DataIQ. “It doesn’t really free up or encourage better use of data for many. But perhaps this is a small first step on the road…”

There have already been issues regarding clarity and the use of the terms “red tape” and “common sense”, as these require a strong legal definition, particularly for such a delicate issue. Once the Bill has had time to settle into the real world, there will likely be new observations about how it is being implemented and monitored, and about the true impact different businesses are experiencing.
