The Drum | On the 5th anniversary of the GDPR, how concerned should UK marketers be about the digital divergence from the EU?

However, since the GDPR came into force, there have been changes to the status and standing of the UK in relation to the rest of Europe. After Brexit, the UK effectively copied the existing GDPR rules that ensured the free flow of data between the UK and the rest of the world, with the adequacy of this decision being confirmed by the EU in June 2021.

However, the European Commission has until the end of 2024 to decide whether to extend the adequacy decisions for the United Kingdom for a further maximum period of four years. If the extension is not granted, it will expire on June 27, 2025.

Karl Weaver, Medialink’s senior vice president of consulting for EMEA, believes it is a marketer’s duty to stay abreast of these potential changes: “It’s a dynamic space. So when you comply with the GDPR, you have to constantly look ahead and assess what is going to happen. Not only is it now a responsibility to comply with current legislation, but you also have to be more forward-thinking about what’s going to happen and how you’re going to use the data.”

He points out that with digital marketing increasingly reliant on personalization – which requires accurate data to be effective – any inability to collect and process data could potentially derail the entire industry.

The government estimates that simplifying or changing some of the rules surrounding the GDPR could save UK businesses £4.7 billion over the next decade. This is despite the fact that companies wishing to do business in the EU must also comply with the rules of the GDPR.

Deviation from the GDPR

Speaking at an event at the Westminster eForum on the future of data and privacy, Ashley Winton, fintech and privacy partner at Mischon De Raya, explained that while the UK intends to increase the number of countries it has free-flowing post-Brexit deals with data, there are questions about the feasibility of this two-pronged approach.

Speaking specifically about the Privacy and Digital Information Act and its implications for online privacy, he said: “There’s a real risk that this could impact privacy, either industry, (or) country, or not, or as Part of a sector perhaps related to immigration. And I think this could well be high on Bruno’s (Gencarelli, Head of International Data Flow at the European Commission) list of concerns when assessing adequacy in the UK.

“Unlike all other adequacy agreements – despite the fact that many are obsolete, pre-GDPR etc etc – this agreement has a sunset clause as it expires but they do not. Ours expires in June 2025. So this review is definitely coming and needs to be completed by that date. And I think that’s a risk.”

The risk is also related to ongoing tensions between the EU and other territories. Regardless of whether the UK joins one or the other – with APEC seen by experts as a likely target for alignment – the problem is compounded by the lack of a global agreement on data protection issues.

Isabel Simpson is a data protection specialist at KPMG Law. She says: “If the global solution is for everyone to agree with the UK or the EU view, then that is not realistic.” But I think there could be a lot of progress towards understanding the global principles around the world access data protection. I would be happy if this global solution existed. But I would have concerns that this ambition is too big.”

AI and other developments

Aside from the possible divergence between the new UK data legislation and the GDPR, some marketers also believe that the use of AI tools – which train themselves on user data – will need regulation sooner rather than later to comply with GDPR rules.

Chris Hogg is Lotame’s Chief Revenue Officer. He says: “The maturity of the privacy-centric data market in Europe puts it well-placed to answer complex questions about the provenance and ownership of the data used by Generative AI. Regulators are already comparing bark to bite – as evidenced by the temporary ban on ChatGPT in Italy – and I expect AI legislation to take shape by the end of the year.”

In principle, the UK still adheres to the GDPR, even if it tries to replace it domestically. With GDPR five years behind us, the marketing industry needs to keep up with the complex rules of the different territories in which it operates and perhaps prepare for more when the UK becomes more compliant with GDPR when the time is up in 2025 deviates.