GDPR celebrated its sixth birthday in May – But privacy laws are still evolving

The 25th of May marked six years since the General Data Protection Regulation (GDPR) came into effect, forever changing the way sales and marketing operate.

As a result of Brexit, the UK stopped being part of the EU and therefore the EU GDPR ceased to protect the rights and freedoms of UK citizens regarding their personal data. The Data Protection Act 2018 is the UK’s implementation of the EU GDPR; it was formally incorporated in UK domestic law and came into effect on the 1st of January, 2021.

The anniversary also came as legislation to enhance it – the Data Protection and Digital Information Bill (DPDI) – was due to enter the report stage in the House of Lords, signalling the latest evolution of the UK’s data protection regime.

While legislative changes may make marketers nervous, compliance carries with it a silver lining. Teams that embrace the trust and transparency requirements can leverage it to build better relationships with clients and improve conversion rates.

GDPR, regarded as the gold standard for data protection legislation across the world, standardised existing regulations and focused on transparency and governance. It required companies to be clearer about what data they collect, take responsibility for what was done with it, and restricted marketers’ ability to communicate with leads.

Serious breaches could result in fines of up to £17.5 million or 4% of a company’s annual worldwide turnover – whichever was higher – ushering in a new era of accountability that wasn’t just a scare tactic. Meta, Facebook’s parent company, was fined £1.2 billion in May, 2023, and Amazon was hit with a £613 million penalty in 2021, according to a list of the 61 biggest fines and penalties so far from February 2024. And, according to Enforcement Tracker, more than 10,000 fines have been issued this year, May 2024, totaling £4.5 billion.

Before 2018, the way marketers obtained consent to use personal information, within both direct and digital marketing, was a grey area, with the law at that time – the Data Protection Act 1998 – largely concerning a person’s right to know what information was held on them and their ability to access it. That Act was superseded by the Data Protection Act 2018 (DPA 2018), which supplements GDPR.

Now, marketers have to comply not only with DPA 2018 but also with the ePrivacy Directive, which regulates marketing calls, emails, texts and cookies and operates alongside existing laws (DPA 2018 and GDPR). The DPDI Bill will update all current data privacy regulations.

Leaving the EU and their regulations

Post Brexit, the UK withdrew from the European Union and EU GDPR no longer applied to UK citizens. The Data Protection Act 2018 is the UK’s implementation of the GDPR which was formally incorporated in UK domestic law and came into effect on 1 January 2021. Eight months later, the Government proposed new legislation to simplify the UK’s data protection framework and reduce the compliance burden, and in October 2022 announced plans to replace GDPR with a British system of data protection, the DPDI Bill.

Like Brexit, the DPDI Bill moved slowly. It was first introduced in the 2022-2023 parliamentary session but was carried over into 2024 and was progressing through the Committee Stage in the House of Lords until Prime Minister Rishi Sunak announced a General Election would take place on 4 July. As a result, on 30 May, Parliament was dissolved, leading to concerns that the DPDI Bill may be “parked” or suffer significant changes under a new government.

The Data & Marketing Association has collaborated with the government for three years on DPDI and believes that key reforms in the legislation are vital to address issues slowing growth and customer experiences, like cookie pop-up banners.

What the DPDI bill means for marketers

The DPDI Bill aims to modernise the UK’s data protection regulations by striking a balance between protecting individual privacy and enabling businesses to leverage data responsibly for legitimate purposes, including marketing.

While the DPDI Bill emphasises stricter data regulations, it also aims to make it easier to ensure compliance and avoid costly errors, so businesses can focus on optimising and executing campaigns rather than regulations. Stricter data collection rules are expected to lead to a greater emphasis on high-quality, opt-in consent from users, in turn creating more focused and personalised targeting and, potentially, higher conversion rates.

The Bill also clarifies legitimate interest, making it easier to demonstrate that direct marketing is “necessary” for your business, meaning marketers can use customer data more confidently for targeted campaigns as long as user privacy is prioritised.

While consent remains a key element to data collection, the DPDI Bill recognises transparency is equally important. Users must be provided with clear and easily accessible information on how their data is collected, stored and used. By building trust through transparency, marketers can still achieve successful outcomes even if a user doesn’t explicitly opt-in for every communication.

While the future of the DPDI Bill hangs in the balance, data protection isn’t going away so businesses must act to position themselves for the best possible outcomes.

Build better data practices to get better results

B2B marketers must champion a culture of privacy within their organisations by adopting robust data protection measures, implementing secure data storage and transmission protocols, and ensuring compliance with all relevant data protection regulations. By demonstrating a commitment to safeguarding customer data, businesses can differentiate themselves as trustworthy and reliable partners. This, in turn, can enhance brand loyalty, foster stronger customer relationships, and drive sustainable growth.

One way to get all of this right is to leverage the right technology. By using lead-generation providers, like Pipeline360, who focus on data privacy and security, marketers can get on with the job knowing that’s taken care of.

The regulatory road ahead

Data quality is critical to support your buyers across all channels and paves the way for everything from building a great customer experience and driving loyalty to developing strong strategies.

Pipeline360 has significantly invested in a dedicated team of legal, privacy and data security professionals committed to researching, monitoring, auditing and managing data privacy and compliance, and has achieved ISO certifications in Information Security Management Systems and Privacy Information Management Systems.

New regulations don’t have to be another roadblock in an already complex buyer’s journey. Savvy teams that comply and adapt their processes can turn these changes into a competitive advantage. Customers value businesses they can trust, so businesses should focus on becoming more trustworthy and transparent.

These are the tools that will help you turn potential customers into clients – and keep you away from hefty fines.
