As GDPR turns 5, how worried should UK marketers be about digital dealignment from EU?

Since GDPR has been in effect, however, changes to the UK’s status and standing with regard to the rest of Europe have changed. Following Brexit, the UK effectively copy-pasted the existing GDPR rules which ensured a free flow of data between the UK and the rest of the world, with the adequacy of that decision affirmed by the EU in June 2021.

However, the European Commission has until late 2024 to decide whether to extend the adequacy decisions for the UK for a further period up to a maximum of another four years. If the extension is not granted, then it will expire on June 27, 2025.

Karl Weaver, SVP business advisory EMEA at Medialink, believes it is incumbent upon marketers to stay abreast of those potential changes: “It’s a dynamic space. Therefore, if you’re complying with GDPR you’ve constantly got to be looking ahead and working out what’s going to happen. It’s not just the responsibility now to work to the legislation as it stands, but you have to anticipate more about what’s going to happen and how you’re going to use data.”

He points out that as digital marketing is increasingly predicated upon personalization – which requires accurate data to do effectively – any inability to gather and process data could potentially derail the entire industry.

The government’s assessment claims that simplifying or amending some of the rules surrounding GDPR could save British businesses £4.7bn in the next decade. That is despite the fact that businesses looking to operate in the EU will also have to abide by the rules of GDPR.

Divergence from GDPR

Speaking at a Westminster eForum event looking at the future of data and privacy Ashley Winton, fintech and privacy partner at Mischon De Raya, explained that while the UK aims to expand the number of countries with whom it has free-flowing data agreements post-Brexit, there are issues around the viability of that two-track approach.

Speaking specifically about the Data Protection and Digital Information bill and its impact on privacy online, he said: “There’s a real risk that this might frustrate privacy, either sector-, [or] country-wide, or not, or as part of a sector perhaps in relation to immigration. And I think that may well become the top of Bruno [Gencarelli, head of international data flows at the European Commission]’s list of concerns for assessing adequacy in the UK.

“Unlike all of the other adequacy agreements – despite the fact that many are ancient, predate the GDPR, etc, etc. – this one’s got a sunset clause, as expires, those don’t expire. Ours will expire in June 2025. So this assessment is definitely coming and needs to be completed by that date. And I think that is a risk.”

The risk is also related to the ongoing strains between the EU and other territories. Whether the UK chooses to align with one or other – with APEC seen as a likely target for alignment by experts – the issue is compounded by a lack of global agreement on issues of privacy.

Isabel Simpson is a data protection expert at KPMG Law. She says: “If the global solution is the two, for everybody to agree with the UK view or the EU view, then it'’s not realistic. But I think that there could be huge steps forward in coming to an understanding of global principles around data protection. I would love for there to be that global solution. But I would be concerned that that ambition is too great.”

AI and other developments

Beyond the potential divergence between the new UK-specific data legislation and GDPR, some marketers also expect that the deployment of AI tools – which train themselves upon user data – will require regulation sooner rather than later to meet GDPR rules.

Chris Hogg is chief revenue officer at Lotame. He says: “The maturity of the privacy-first data market in Europe makes it well positioned to handle complex questions being raised over the provenance and ownership of data used by generative AI. Regulators are already matching bark with bite — as seen in the temporary ban of ChatGPT in Italy — and I expect there will be AI legislation taking shape by the year’s end”.

Fundamentally the UK is still aligned with GDPR even as it seeks to supplant it domestically. With five years of GDPR behind us, the marketing industry needs to keep abreast of the complex set of rules of different territories in which it operates, and perhaps prepare for more if the UK diverges more fully from GDPR once time is up in 2025.