These reforms are part of a journey whereby the UK Government attempts to square the circle of enhanced privacy rights and less bureaucracy. This will be challenging as the EU may withdraw the adequacy decision granted to the UK last year.
We know that the ICO persuaded DCMS to water down earlier proposals. Some of these changes will, on closer examination, not represent any change, but others are sensible ideas which the European Data Protection Board may well eventually adopt.
For retailers, I can highlight three changes.
- The major change will be the cookie pop-up reform. Hopefully, this will make a consumer’s experience of browsing easier. I understand that consumers will be able to use their browsers to set “default” settings for websites they subsequently visit, so each site will not have to use pop-ups.
- Those retailers who have not organised their online marketing activities and unlawfully direct market to consumers could face a GDPR fine (up to 4% of turnover). At present the regulation of direct marketing is covered by different legislation and the fine is capped at £500,000. Readers should note that the ICO is clamping down on unlawful direct marketing.
- The need to maintain records of data processing will be replaced by a bespoke risk-based approach. Every retailer will have to have a Privacy Management Plan, which will replace the current GDPR compliance regime, which is seen as too “tick box”.
These reforms appear to be targeted at genuine concerns and are not reform for the sake of reform. For example, the changes to cookie pop-ups reflect that people just accept cookies to look at the site and rarely look at the actual cookies they are consenting to. There are other changes which do not directly apply to retail but which, again, are specific to issues that GDPR compliance is seen to obstruct. The key takeaway is that compliance with certain aspects of the Data Reform Act may be little different to compliance with GDPR.