Are UK businesses walking a tightrope with GDPR & data inadequacy?

It has been more than four years since the General Data Protection Regulation (GDPR) was introduced in the UK (which then became UK GDPR in this country post-Brexit). Despite this, recent research from Making Science has revealed that 16% of marketing professionals – across retail/ecommerce, travel and financial verticals – are still unsure if the regulations apply to them, have not heard of the regulations at all, or are fully aware and choose to ignore them.

As the UK announces plans to replace GDPR with its own set of regulations, marketers face further uncertainty as they continue to operate under the UK GDPR, but with expectations of change ahead; all while trying to implement the best privacy-friendly data strategies to maintain customer relationships in a challenging economic environment.

However, despite the anticipated reviews to UK privacy regulation, businesses must remain vigilant and ensure they are meeting data handling laws. In fact, Making Science has previously found that businesses that fail to adapt to a security-centric strategy risk losing up to 25% of their data. For those unable to manage their data strategy and reach current compliance, privacy friendly analytics tools should be considered to ensure that compliant, granular audience information is still available to continue effective marketing practices. 
 

Where we are now

Regardless of any updated UK regulations, British businesses will still need to adhere to GDPR when selling to customers in the European Economic Area. If the aim of scrapping GDPR for UK-specific laws is to reduce red tape, then there are real question marks for businesses that operate under both EU and UK data privacy laws; these companies will need to ensure double compliance.

Another point on the UK diverging from GDPR concerns the country maintaining data adequacy with the EU. If new UK regulations stray too far from those set by the EU, it could invalidate the part of the Brexit agreement which satisfies data adequacy, increasing data privacy documentation and creating an admin burden for the same companies the revised regulations are meant to benefit. 

It’s also worth noting the US-EU data sharing agreement or ‘The Trans-Atlantic Data Privacy Framework’ between the US and the EU Commission. Although an agreement has been made in principle, the Framework is yet to be ratified, and the US has long been skirting with data inadequacy with the EU. If the UK does fall short of EU standards, the process of regaining that data adequacy with our European neighbours - almost repeating the actions of the Brexit agreement - could be lengthy.

This is to say nothing of the investment most UK firms have already made and continue to make in GDPR practices, or the view of consumers who are becoming increasingly savvy around cybersecurity and consented first-party data. The ramifications of non-compliance are more than just legal, it’s business critical. 
 

What is coming?

Post-Brexit, the UK Government has been keen to explore alternatives to GDPR (an EU law) and ran a consultation called ‘Data: a new direction’, which concluded in June this year. 

The aim of the consultation was to “inform [Government’s] development of proposals to reform the UK’s data protection laws, to secure a pro-growth and trusted data regime as part of the UK’s National Data Strategy.” The idea behind the reform is to create a data protection system that is less bureaucratic and based on common sense with less “box ticking.”

In theory, the intention is sound. Any new UK regulations will make sure data protection laws are more appropriate - smaller businesses, such as a local dry cleaner, are not subject to the same processes as a large tech conglomerate. However, the reality isn’t so straight forward.

Businesses will still need to be compliant and, even if the regulation is changing, managing how they handle their data securely will remain important. 
 

Cross-sector issues

The data privacy landscape paints a rather uncertain picture, but what is clear is the need for companies to fully understand the data they collect and how it can be used. However, our research has highlighted that in the UK, companies across various sectors are struggling with the current iteration of UK GDPR.

Businesses in the travel sector are the most uncertain about whether it applies to them or not, with 5% not even having heard of regulations. It is also the sector that utilises external expertise in GDPR compliance the most, which is significant given the wider data privacy landscape. As the stakes are raised with ongoing legal grey areas, an over-reliance on consultancy could prove costly.

The research also revealed that one in eight retail companies do not look to ensure data quality - significantly higher than other sectors. This is worrying for an industry that is already highly sensitive to economic fluctuations. Data integrity, completeness, accuracy, and consistency are all cornerstones of GDPR and retail marketers who do not ensure the quality of the data they collect are playing a risky game.

For businesses that are struggling to handle their data inline with regulation, a simple solution is using analytics tools effectively. 
 

Actions for marketers today

As we hurtle towards the first-party future, privacy-friendly analytics tools that provide insightful audience information - such as Google’s GA4 and Meta's Conversion API (CAPI) - or other techniques such as server-side tracking, will be essential for marketers. Utilising these will provide them with granular audience information that meets the requirements of tighter privacy regulations, while identifying how to effectively reach consumers across multiple devices and platforms. 

However, to ensure future opportunities are not missed and marketing activities are optimised, marketers should also look beyond general activation solutions. There are analytical tools that offer a basic level of analysis, but do not examine full, large-scale data sets. Instead, they extrapolate information from a smaller sample to draw a representation. By embracing advanced solutions that securely assess large amounts of data to produce minutia detail and in-depth insights, such as AI technology, marketers can be safe in the knowledge that they are offering privacy-friendly targeted advertising initiatives.

So, with the need for a better grasp of data privacy and the implications of not complying with data protection laws - whether that be GDPR or a reformed UK version - UK businesses will be wise to look for firmer ground instead of walking a regulation tightrope. Although, as marketers prioritise adhering to a privacy-centric strategy, they must not lose sight of continuing to deliver the personalised experiences which consumers both expect and deserve.