Steve Sullivan

It’s not going to be another GDPR!

Steve Sullivan, Head of Regulatory Compliance, Contact Centre Panel

As stated in the Queen’s Speech earlier this summer, the Government’s new Data Reform Bill promises to “…boost British business, protect consumers and seize the benefits of Brexit”, which all sounds wonderful. However, if you work in contact centres and you were around from 2017 to 2018 when the EU’s General Data Protection Regulation (GDPR) and the last Data Protection Act went live, you may be less excited about the prospect of more change!

Following the previous Bill, millions of working days were spent trying to figure out what it all meant in practical terms; changing processes and procedures; ditching databases; confusing consumers with millions of ‘would you still like to hear from us’? emails; and preparing for a tsunami of data rights request contacts which never really happened.

Well, the good news is that the recently proposed Bill looks a lot more like a sensible tidying up of the rules (and the slightly vague promise of less data protection bureaucracy and admin), rather than a radical overhaul. The fundamentals will remain the same. The post-Brexit UK version of the GDPR will remain in place, alongside the 2018 Data Protection Act. For a business this is doubly reassuring, not only does it suggest fewer revisions and re-work to existing policies and processes, but it also means that it’s less likely that the UK’s rules will deviate so far from the EU’s that we lose our prized ‘adequacy’ status, which allows UK firms to process and transfer personal data with the EU with little friction.

There are many areas covered by the proposed Bill, but for most of us the key elements are:

  • Fines for PECR (Privacy and Electronic Communications Regulations) infringements will increase from a maximum of £500,000 to the GDPR level of up to £17.5m or 4% of global turnover. PECR fines tend to cover contact centres calling without TPS screening their call lists and the sending of ‘spam’ texts and emails without permission.
  • Charities and political parties will get a boost to their fundraising capabilities by being granted the same license to use the ‘soft opt-in’ to send emails and texts messages as private sector firms.
  • The cookie rules will be adjusted so that the need to get consent for the placement of certain non-essential cookies will be waived. This should mean a lot fewer Cookie pop-up banners in future.
  • The government says it will cut the admin burden of the current rules by reducing the need for Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs) and Records of Processing Activities. Instead, firms will be required to conduct Privacy Management Programmes. It’s not clear what all this means, but it may offer relief to some firms and contact centres.
  • If you have been inundated by tricky or unreasonable data rights requests there may be a glimmer of good news. The new Bill will change the basis on which you can decline to action a Data Subject Access Request (DSAR) from “manifestly unfounded or excessive” to the slightly less demanding “vexatious or excessive”.

If you would like to discuss these forthcoming changes and review your current approach to ensuring data protection and privacy, please drop us a line.