The latest report on negotiations on the forthcoming EU data law includes the fact that there will be a tightening of consumer opt-in consent levels, and restrictions on web analytics and profiling.
Based on the new developments, the General Data Protection Regulation (GDPR) is now estimated to cost UK companies £47 billion in lost sales and £2.73 billion in preparation, averaging £76,000 per company. However, the averaging of the figures is deceptive, because the majority of UK companies are small and many will barely be affected, if at all. The cost for those that rely on data will be substantially more than the average figure.
Agencies and third-party data processors face a particular problem. With staff training predicted to cost £7,500 per person, and the need for anyone involved in the use of data to be familiar with the complexities of GDPR, the costs will be high.
However, there is an added incentive for agencies to get compliance preparation right. The Information Commissioner's Office (ICO), which enforces data regulation, has now stated that it will target brands as well as third parties if third parties have been responsible for breaching rules. This means any irregularities that occur within agencies while utilising client data will be considered the responsibility of both the client and the agency or third-party processor, and both will be subject to fines and the resulting publicity. Third parties of all descriptions that bring sanctions upon clients, including agencies, may find it difficult to survive the damage to reputation and finances.
The key areas the trilogue (EU Parliament, Commission and Council) has so far tightened up on during recent discussion crucially include the level of consent required to use personal information. Consent is now agreed as having to be freely given, specific, informed and an explicit indication of a consumer's wishes. Consent must be given by a statement or clear affirmative action.
The burden of proof to demonstrate consent conditions have been met will be on the brand owner or agency. In any dispute it will not be up to the consumer or ICO to prove negligence. It will be up to data owners and any third parties involved to demonstrate the correct level of consent was correctly obtained.
The amendment to the draft of the law takes opt-in conditions from the level of a 'specific' informed indication of the subject's wishes to a new and higher level.
Another key point being examined, and crucial to digital marketers, is that the definition of personal data could be extended to cover some IP addresses and cookies as ‘online identifiers’. Web analytics and profiling would be made much more difficult, if not impossible if this were to happen.
It is the EU Parliament that is pushing to introduce consent for all profiling, and additionally Justice and Home Affairs Ministers consider that pseudonymous data should be treated as a subset of personal data. If these wishes are applied there will be huge implications for digital marketers, the least of which may be having to amend the wording on privacy policy and data collection notices.
The rules on data breaches are likely to be changed to require informing the Information Commissioner's Office of problems within 24 hours, and consumers within 72 hours. The nature of the breach, number of data subjects, categories of data and proposed mitigation will also have to be reported.
Other changes include the need for companies to prepare for members of the public requesting the full information held on them. Currently a maximum fee of £10 can be charged for this, which collectively costs £50 million a year, but Subject Access Requests will be free under the new law, and as this becomes widely known certain sectors, such as finance, should be prepared for requests on a large scale.
The proposed sanctions for breaking the new law include fines of up to one million euros or two per cent of company turnover. The degree of punishment will depend on the size of the organisation, the nature and gravity of the breach, whether it was intentional or negligent, the technical and organisational measures in place, previous history, and cooperation in investigating a breach.
Despite some key subject areas of the law still being debated, there are fundamentals that have been established and that brand owners and agencies can prepare for. They are:
- Refresh the consent level on databases by contacting individual consumers to seek the higher level of opt-in permission. Without it, data will have to be written off.
- Create a system for registering and storing consent approval from consumers.
- Create a clearly identifiable point of contact and method for members of the public to have access to data held on them, and for them to have information on them erased if they request it.
- Create a protocol for reporting and mitigating breaches in data security.
These tasks cannot be planned or implemented quickly. There are no off-the-shelf answers, and aside from technical IT provision there are almost no consultancy services available to provide assistance in preparation for GDPR. The final details of the new law are due to be published at the end of March next year, and there will be a window of two years to prepare before the introduction of the legislation, but for those with large databases time is already starting to run out.
By Dene Walsh, Operations and Compliance Director at Verso Group.