
GDPR: A Gold Plated Regulation

Thursday 21 December 2017 GDPR


By Paul Winters
When GDPR was published in May 2016, we at CACI welcomed it as a long overdue updating of data protection laws for the digital age.  We thought the final text struck a good balance between strengthening and extending the rights of individuals and allowing business to continue to process personal data in the interests of both consumer choice and economic growth.
Of course, the devil is in the detail, so we were keen to see guidance from the Information Commissioner’s Office (ICO), as the UK regulator, on how they intended to interpret GDPR in practice.   In March 2017, the ICO published its draft guidance on one very important part of GDPR, the legal ground of consent.  And that was when I started to worry.
Now let me be clear.  I’ve been in the data business for 30 years and I work with consumer data every day.  I’ve been a very active and involved member of the Direct Marketing Association’s Data Council and help draft best practice in the use of data. I believe very strongly in business looking after the interests of consumers and ensuring not only that personal data is processed fairly and legally but that we adhere to best practice that goes beyond the bare minimum set by law. But when I read the draft guidance, I’ve got to admit that my heart sank a little.  I felt that the ICO was going beyond the text of GDPR and that wasn’t good for business or for consumers.
For example, does GDPR really ban opt-out boxes as a means of gaining consent? Is it really necessary to name every organisation (as opposed to category of organisation) that will rely on consent at the point consent is captured? Do organisations really need to obtain separate consent for different processing operations (as opposed to different purposes)? The more I read the draft guidance, the more I felt that the ICO was “gold plating” the Regulation in a way that would negatively impact the direct marketing industry’s ability to offer services that benefit both the economy and the consumer. Was the careful balance struck in Brussels between the interests of consumers and business about to be compromised by an overly strict ICO interpretation of GDPR?
With the uncertainty created by Brexit, it will be important for the UK to exploit its strengths to foster strong economic growth.  The direct marketing industry and data driven marketing more generally is one of the UK’s great successes.  We lead the world in the application of Big Data analytics.  A recent report (Tech Nation 2016) has estimated the UK’s data driven economy to be £160 billion and growing much faster than the rest of the UK economy.   
If, as I believe, the ICO guidance on consent is an over-interpretation of GDPR in some important respects, what might the impact be on the availability of data for legitimate direct marketing applications as well as on jobs and profits? We decided to try and find out. CACI therefore commissioned and supported the experts at leading GDPR policy and economics research consultancy London Economics to carry out an economic impact assessment and examine the potential economic impact of the General Data Protection Regulation (GDPR). Next week I will publish another blog and I will elaborate on the results of the London Economics study.
