How DPDI delivers more legal certainty for UK organisations

Almost six years after GDPR came into force, most of us have become comfortable with its requirements. For businesses, correctly gaining consent and putting Data Protection Impact Assessments (DPIAs) in place is now almost instinctive. Meanwhile, it’s second nature for our customers to click away cookie pop-ups whenever they open a browser.

It’s no surprise, then, that the idea of any changes to privacy and data protection are concerning. With GDPR embedded in our organisations, how will the UK Data Protection and Digital Information (DPDI) bill change things and how will we need to adapt?

DPDI is new UK legislation designed to strengthen privacy and data protection following our departure from the EU. It will also help free up restrictions that hinder legitimate business and economic growth. It is currently being finalised through the House of Lords. This new standard is very much an evolution of GDPR which, if you serve customers outside the UK, will continue to be enforced alongside it. However, DPDI simultaneously keeps consumer data safe while providing new opportunities for UK organisations.

To help you stay ahead of DPDI as it makes its way into law, we’ve launched the Paragon DPDI Pocket Guide: a practical, at-a-glance look at what you need to know about DPDI, to get you ahead of the competition so you can take advantage of the opportunities it presents.

Read our pocket guide

Find out more

Work from a foundation of certainty

The endless think-pieces and guides to GDPR reflected legislation that was open to a great deal of interpretation. In a climate of uncertainty, decisions were made with an abundance of caution. We saw many organisations dramatically shift how they capture and use customer data, from stopping all cold direct mail to long, complex privacy statements.

At the heart of GDPR were its six lawful bases for processing data:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

Of these, ‘legitimate interests’ was perhaps the most widely misunderstood. DPDI cements this area with illustrative examples and a clarified definition in the main text of the bill. These recognised legitimate interests specifically include direct mail, as well as data sharing for admin or using data to secure systems.

Data protection and a computer

How DPDI may affect marketers

For marketers, the DPDI bill provides increased clarity and additional pro-growth opportunities, according to the Data & Marketing Association (DMA). Perhaps the most impactful of these is a chance to reignite direct marketing, including direct mail as a clearly identified legitimate interest.

In the coming months, we expect to see marketers resume large-scale efforts around direct mail. This critical part of the marketing mix offers unique advantages to complement your digital marketing, including improved engagement and longer, more uninterrupted attention (according to JICMAIL data).

DPDI also clarifies expectations around digital experiences and removes the need for intrusive cookie pop-ups when first-party data is only used for analytics. This will allow marketers to improve their digital touchpoints, removing a leading cause of user fatigue while enhancing reporting and measurement efforts. Of course, those organisations with customers in the EU will still need to ensure continued compliance with GDPR.

Throughout 2024, Google will continue the process of disabling third-party cookies in Google Chrome. These cookies are frequently used to track users across the internet and a key driver of the need for cookie pop-ups. As technology leaders give consumers new ways to limit or prevent third-party cookies, first-party data collection will become a vital tool in understanding and improving customer journeys online.

How DPDI may affect charities and non-profits

Charities and non-profits will similarly benefit from clarifications around direct mail. Crucially, a return to direct mail will enable charities to reach vital (often older) supporters who are difficult to engage digitally. An effective direct mail campaign can dramatically increase your reach, while enabling a bridge to your digital fundraising efforts for those audiences through QR codes.

However, the new bill also includes an extension of the soft opt-in rule for charities and non-profits. Under the UK Privacy and Electronic Communications Regulations (PECR), organisations can send marketing to existing customers using data captured when a customer made a purchase.. Crucially, this marketing must be relevant to the original product or service, the customer must have been given an option to opt-out, and the idea of soft opt-in only applies to commercial promotions. With DPDI, this rule is extended to charities and non-profits, allowing them to contact people for fundraising campaigns providing they have expressed interest in a similar activity.

This change has the potential to significantly expand the scope and scale of fundraising campaigns, helping organisations raise funds from a far larger group of supporters than was previously allowed. .

Practical advice as DPDI comes into effect

Currently, the bill is moving through the House of Lords and Royal Assent is anticipated by May 2024. There will then be an implementation phase with some aspects becoming law immediately, the majority arriving after six months, and some final pieces 12 months later. Now is the ideal time to start preparing — whether you’re rethinking your digital analytics or rebuilding the skills and capacity to launch large-scale direct mail.

Through it all, Paragon will continue to work closely with industry partners and keep you up to date with the latest developments and last-minute refinements.

Start preparing for DPDI now - get your pocket guide to learn: 

  • Which changes will affect you
  • How DPDI compares to GDPR
  • Six key steps to check your readiness