Is GDPR still a thing?

Is GDPR still a thing?

Why is today important?

On 25th May 2018, we as individuals regained some power over the use of our personally identifiable data and a few weeks ago, Merewyn invited me to write a guest blog about GDPR because today is the 4th birthday of its implementation.

Interestingly, as part of a blog series and white paper, Merewyn published an article on 22nd May 2018 titled “GDPR and managing a ‘do not contact list”. To this day, this is still appearing in her Google Analytics.

So hello, from Bryan Altmis at Riverside Court Consulting – I hope you enjoy reading what I share below.

So why are we still concerned about GDPR now that we have left the EU?

The General Data Protection Regulation was an EU regulation and the reason we are still worried about it is because the UK contributed enormously to the content of the GDPR, it does what it was designed to do (mostly) and was incorporated into UK law as the UK GDPR 2021, tailored by the Data Protection Act 2018.

The Privacy and Electronic Communications Regulations (PECR) 2003 sit alongside the GDPR giving people specific privacy rights in relation to electronic communications.

The PECR rules apply and use the UK GDPR standard of consent. This means that if you send electronic marketing and / or use cookies or similar technology you must comply with both the UK GDPR and the PECR.

What are you consenting to?

Consent is one of the lawful bases for processing personally identifiable data. To comply with the UK GDPR it must be a positive opt-in. For example (from the ICO website):

A beauty spa gives a form to its customers on arrival which includes the following:

Skin type and details of any skin conditions (optional)

I consent to you using this information to recommend appropriate beauty products

The consent here is explicit, the person filling the form knows exactly what is going to happen with their information.

Read the small print to understand what you are consenting to!

One company collected first name and email address to get access to an online course and said “by signing up for this course you will also receive our occasionally issued newsletter”. One person who signed up for the course questioned why they had received the newsletter. The answer – because they had signed up for it.

Fortunately, this company had also made it easy to unsubscribe from future newsletters with an unsubscribe link to the administrator of their emailing list thus complying with the GDPR, making it as easy to withdraw consent as it is to give consent.

The big news about UK GDPR!

In the Queen’s Speech on 10th May 2022, it was announced that the UK’s data protection regime will be reformed to create an ambitious, pro-growth and innovation friendly data protection regime.

At this stage we do not know how far the Government is planning to deviate from the EU GDPR. The Queen’s Speech Briefing Notes provide some of the proposals.

  • Removing compliance obligations that are seen as box ticking. This is possibly the removal of cookie consent for some relatively benign uses of personal data such as website analytics;
  • Being allowed to use personal data for the purposes of innovation and research, hopefully clarifying when personal data can be processed for research purposes;
  • Facilitating the sharing of personal data across government departments to improve the delivery of services;
  • Reforming the role of the ICO to strengthen its enforcement powers and ensure it is more accountable to the public and government.

The proposal is part of the Government’s legal separation from the EU following BREXIT and probably part of a strategy of chasing a trade agreement with the USA.

What could the impact be on UK business?

Following BREXIT the UK won adequacy status with the EU meaning that data could flow between the EU and the UK as it had when we were in the EU.

Adequacy status means that our data protection regulations offer roughly similar levels of protection to personal data as the EU GDPR.

Of course it does! The UK GDPR is the EU GDPR copied and pasted with any EU terms edited to be UK focussed.

The extent of the deviation from the EU GDPR could put in jeopardy the adequacy status for the UK meaning UK business would have to rely on the EU standard contractual clauses as USA businesses do to trade with the EU. This is messy and an ineffective regulatory regime.

SME’s trading solely in the UK, public sector organisations and those organisations looking to use personal data for scientific research could be the big beneficiaries.

Some think the reforming of our data protection regime means deregulation where we return to the pre-GDPR days of business doing what it likes with our personal data and the individual having no say about what is done with our personal data.

No-one thought the GDPR was the final regulation to be issued on data protection but let’s hope that any any reform is in favour of the individual and their rights and not a political whim chasing a distant trade relationship.

If you would like a conversation with Sayers Solutions and/or Riverside Court Consulting please complete your details here –

Bryan Altimas of Riverside Court Consulting Ltd has over 25 years experience in data protection and advises businesses of all sizes on data protection regulation around the world.

Riverside Court Consulting is offering a 20% discount on fees if you quote DPREFORM when contacting us until the end of June 2022.

Sayers Solutions hopes you have found this article informative and interesting, as well as thought provoking.

If you are an expert in what you do and think you would compliment the offering provided by Sayers Solutions please register your interest in becoming a partner and let’s arrange to chat.