GDPR blog.png

  • The government is betting big on the digital economy, and betting big business will deliver it. But what if it can’t?
  • Consumers neither asked for these rights nor are likely to understand them. So will they benefit?
  • If the media is left to educate the public on GDPR, it will be a victory for sensationalism
  • It remains unclear how the key data changes will be implemented by business

The recent publication of the UK Government’s planned Data Protection Bill filled me with dread.


My first thought was “Oh God, what now!?” but I decided to read the statement of intent before drawing any firm conclusions.


The UK has a booming digital economy and, in a post-Brexit world, it could well be one of our sources of competitive advantage in the global economy too.


The Government quotes data from the Boston Consulting Group that says digital will make up around 12% of our economy — nearly double the rest of the G20, the EU27, the US, India or China.


Getting data governance right, therefore, is a core element in the strategy for both surviving and flourishing in a digital future.


The legislation effectively brings into UK law the impact of the now infamous General Data Protection Regulation (GDPR), DPLED (Data protection in Law Enforcement Directive) and the updated Data Protection Act.


The Bill enshrines three essential objectives: maintain and build consumer trust and power; secure future trade; and enhance law enforcement capabilities.  We’ve already commented at length about the relationship of consent and trust, with consumers twice as likely to share their data with a trusted brand.


Beyond the obvious challenge of gaining consent from consumers who are, in the main, unwilling to give it, there is a fundamental change within the legislation of which businesses  — not least insurers — need to be aware. The government makes a number of profound statements about what it wants to achieve (while avoiding the “chilling effect of over regulation”) but shifts the burden for how this is to be achieved onto business — and to an extent, onto the consumer too. 

Consumer: more power to you

The government wants to give the people the right to take control over their data, to empower them to control who has it and what can they do with it, while ensuring ease of access, adjustment and deletion.

With these incredible rights come responsibilities for consumers. They need to care about their data. They need to understand the contracts, explicit and implicit, they make with service providers. Insurers know only to well how well consumers generally do that.


We undertook research last year where we asked people if they would pay £1 a month for Facebook. The vast majority said no. And yet Facebook in the UK actually has revenue of over £14 a year per user from advertising.

It’s about understanding what you’re worth as well as what you’re prepared to give.


Being educated about rights and responsibilities is crucial for consumers to understand what they are dealing with. If the government isn’t going to directly play a hand in this then it will be left to the media instead — which, ultimately, means a win for sensationalism over rationalism.

Business: it’s your responsibility

Government is speaking softly to business but carrying a very big stick. The statement of intent talks about accountability, but less bureaucracy; the need for impact assessments and simpler rules. With this comes the need for business to appoint a dedicated Data Controller who will be legally responsible for making sure the business is compliant.


The law will require business to “step-up” to create a safe environment for consumers to share and access their data in a conscious, free and easy way.


The fines for falling short are up to £17m or 4% of global turnover, and let’s be clear: it can be the higher of those. At the moment the Information Commissioner is limited to fines of £500,000 and the highest fine they have ever levied is £400,000. While the full extent of the fines will not be brought to bear,  except as a last resort, how many businesses will be prepared to take that risk?


And let us also be clear about what “personal data” is. It’s not just my name. It’s anything you can attribute to me, including my IP address and the machine ID of my computer. It’s all mine. In the case of portability, deletion, or the standard approach of profiling customers for, say, a credit card application, the solutions are complex, and the clock is ticking. It remains largely unclear how they can be delivered at all — let alone in a way that tangibly benefits consumers outside the standard Orwellian narrative. 


What is clear is the Government is trying to make sure that the digital economy is an integral part of our future. By creating this new environment, it also is creating an obligation for businesses to ensure that consumers’ existing rights are protected, while giving them new ones.


There’s also a kicker. The dryness of the topic, and the intangibility of some of the benefits, does leave one wondering “Who cares?”. Consumers didn’t ask for these rights. They probably don’t understand them and will, in all likelihood, have only limited education on the power of their data as a result of a new Act of Parliament.

The UK’s future may well be digital, but it’s crucial that consumers, as well as business and Government, all step up to meet the opportunity. This legislation is only the first step – a canvas at best – and its true impact will only become clear when the rubber hits the road.

GDPR: need to know

Policy goals

The Government wants to achieve 3 things:

       1) Maintaining trust of consumers in how their data is used by
                       a. Making sure data is kept safe and secure
                       b. Making sure it’s handled legally
                       c. Making sure that companies are open and transparent about how they use it
                       d. Bringing in strong penalties for misuse

       2) Secure future trade
                       a. Create the UK as a leading digital economy capable of global digital trade post Brexit                                    and advantageous way

       3) Protect law enforcement activities

Policy changes

      1) Consent: should be unambiguously and explicitly obtained and easy to withdraw
      2) Access: should be free and easy
      3) Portability: people should be able to take their data with them easily — this includes, for                                example,  a change of internet providers. You should be able to take your email and pictures                        with you. This  will be an enormous challenge to deliver.
     4) Right to be forgotten: the right to delete either parts of your ‘data stream’ — or all of it.
     5) Profiling: consumers will have a right not to be processed in an automated way for things like                    Credit Card or Mortgage applications. Again, I can’t see how that will work.

At Consumer Intelligence we want our clients to survive and thrive in the new framework, so here are some things we are doing to help:

  • Collecting compliance statements as part of our market scan so you can verify that you are compliant and also see what best practice looks like;
  • Partnering with companies we believe have the right toolkits to help our customers overcome the repermissioning barriers;
  • Tracking and monitoring consumers and their preferences to get an insight on how their mood is changing;
  • Building a test framework so you can prove that the “right to be forgotten” and “right to transfer” are being properly enforced. We will be able to certify your compliance for the regulator.

To be clear, our research shows that there are some things that brands can do to gain a distinct advantage in this process but not every brand is starting in the same place. Some companies are going to have to work a lot harder and they need to start now.

Delete Day: How GDPR and ePrivacy could be an opportunity or an apocalypse

Data is the lifeblood of the modern insurance industry. It influences everything from pricing to claims, and insurers are constantly searching for the right data on the right customers. Without data, the insurance industry just ceases to operate...

Download GDPR Delete Report


Submit a comment

You may also like

GDPR Count Down: 11 Months Until Delete Day
GDPR Count Down: 11 Months Until Delete Day
22 June, 2017

The deadline is looming on the horizon. It’s 11 months until brands could be forced to delete all the data they hold on ...

GDPR: 365 Days To Save Sales Pipeline, Warns Consumer Intelligence
GDPR: 365 Days To Save Sales Pipeline, Warns Consumer Intelligence
25 May, 2017

Insurance brands will have to delete two thirds of the records they hold on past customers, losing a vital sales pipelin...

GDPR: Legitimate Purpose Is No Excuse For Being Drunk On Data
GDPR: Legitimate Purpose Is No Excuse For Being Drunk On Data
28 September, 2017

Imagine waking up in the middle of the night and finding a drunk stranger at your bedroom door. They have staggered into...