Ann-Maree Blake, Partner
As we enter 2022, many marketing teams around the UK will be feverishly thinking about their priorities, plans, and strategy for the year ahead. As part of this process, consideration must be given to the impact of expected changes to the data protection regulations, both in the UK and the EU. Some of the changes to data protection regulation are all but certain, whereas others are speculative at this stage. Nevertheless, by planning ahead, marketing departments can ensure they are ready to reflect any changes in their strategies, and ultimately their operational processes.
Data protection regulation changes expected in the UK for 2022
In August 2022, the Government announced plans to consult on its post-Brexit data protection regime. The consultation, entitled “Data: A New Direction’ was published in early September and has now closed to responses. As Digital Secretary Oliver Dowden stated, the proposed regime involves “reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation”.
The consultation looked at a range of data protection areas, including innovation, compliance burden, electronic marketing, data transfers and barriers to trade, and reform of the ICO.
Given the rather bold name of the consultation, divergence away from the UK GDPR may emerge in the coming year. If this does happen, changes to our data protection laws will need to be balanced with preserving the new EU-UK adequacy arrangement, which allows data to flow in both directions between the UK and the EU. This was granted on the basis that the UK’s data protection rules mirror those of the EU.
Some of the suggested changes to the data protection regulations in the consultation include:
- Data subject rights – to introduce a fee regime for data subject access requests similar to the Freedom of Information Act 2000
- Accountability framework – this includes a range of measures, including requiring organisations to put in place a privacy management programme to reflect their individual processing activities. The stated aim of this is to make sure data privacy management is “embraced holistically rather than just as a ‘box-ticking’ exercise.”
- Reducing barriers to data flows – this will allow organisations to “create or identify their own alternative transfer mechanisms.”
- Online privacy –a range of possible measures, including allowing organisations to use analytics cookies and similar technologies without the consent of users.
Potential developments in EU GDPR for 2022
Marketing departments in the UK will also need to keep an eye on developments in relation to the EU GDPR planned for 2022. This will mainly affect UK organisations that operate, offer goods or services, or monitor the behaviour of individuals based in the European Economic Area. Some of the expected EU GDPR developments for 2022 include:
- A likely increase in enforcement action for breaches of the GDPR
- Improvements in consent requirements – this may include requiring organisations to provide clearer information to users on how their data will be used and to give them choices when opting in and selecting their level of consent.
- New EU Artificial Intelligence Act (AI Act) – the AI Act is currently being drafted but proposes to introduce rules which vary depending on the level of AI risk. This may have substantial impacts on organisations that are heavily reliant on AI for various layers of their marketing strategy.
- New EU ePrivacy regulations – while this is not yet in place, it is expected to introduce new rules to protect end-user privacy and confidentiality during marketing communications and also the integrity of their personal devices. This will encompass communication technologies such as instant messaging, Voice over Internet Protocol (VoIP), and machine-to-machine communication.
Transition to new Standard Contractual Clauses SCCs
Another key development for 2022 is the transition to a new set of Standard Contractual Clauses (SCCs). This phasing out of the old SCCs will be a significant change given the number of organisations reliant on SCCs for international transfers. SCCs are model contract clauses that have been approved by the European Commission for use by organisations transferring data between EU the third-countries. These were updated on 4th July 2021, and while organisations can continue to use the old clauses for contracts drawn up before 27th September 2021 until 27th December 2022, all new contracts must use the new SCCs. Any existing contracts using the old SCCs will need to be updated by the deadline of 27th December 2022.
Some of the changes to data protection regulations listed above may have substantial impacts on affected organisations and their marketing departments. We recommend adding these to your existing risk register and managing each as early as possible as legislation are published. By acting early, you will be able to put in place the necessary contractual, IT, process, documentation, and training changes required to support your marketing efforts.
To find out how we can help you with data protection and privacy law matters, please contact Ann-Maree Blake (firstname.lastname@example.org), Partner in our Corporate/Commercial Team who specialises in Data Protection & Privacy.
Please note – this article does not constitute legal advice.