Post Brexit

The New Data Protection Bill Brings Post-Brexit UK Firmly in Line with the GDPR


For those wondering how Brexit would affect the UK’s adoption of the upcoming General Data Protection Regulation (GDPR), here’s your answer: it won’t. This week the UK government announced the Data Protection Bill (DPB), which is designed to align with the GDPR, which comes into force in May 2018, when the UK will still officially be an EU member.

The GDPR comprises a host of consumer-focused data protection laws, which the DPB is designed to emulate. The introduction of the DPB will also ensure that UK companies operating within the EU, and counting EU data subjects as customers, will be able to continue with the exchanging and handling of data across EU borders.

This should hopefully come as no surprise to businesses operating in the digital advertising ecosystem, of which data is a fundamental part, and will just ensure that GDPR-compliance measures that have been carried out to date will be able to be applied to the DPB, once the UK leaves the EU.

Spearhead asks industry thought leaders to weigh in on what the DPB will mean for data handling and processing in the UK:

“The government’s new Data Protection Bill is a wake-up call for all companies which collect and process personal data. Because it transfers the EU’s General Data Protection Regulation into UK law, there really is no excuse for non-compliance, as it’s clearer than ever that companies who don’t comply risk fines of up to £17m or 4% of global turnover. No one is really ready and there is not much time to make the changes in gathering consent and processing personal information.

“As well as considering the penalties that encourage alignment, I’d also urge companies to think about the benefits of a more forward-looking approach to customer consent management. Starting an open dialogue with consumers about how their data is used can help companies position themselves as responsible and trustworthy.

“The changes also require a whole new approach to data processing by first-party data providers. For example, mobile data is activated via Android device IDs and the equivalent Apple Identifiers for Advertisers (IDFAs), which are themselves classified as personal information under the GDPR. New, dynamic de-identification technologies offer a solution by converting consumer identities into a randomised string of characters (a token) that protects the data as it can only be used once, for its intended purpose.

“Technology like this will ensure that, following the changes, the ad tech industry still has access to the intelligence in data that fuels its engine – and that this data remains of the highest quality.” ICA Academic