EU Data law gets tough
EU data law will be much stricter, while the ICO is to hold brand owners directly responsible for agency behaviour
The latest reports on negotiations over the forthcoming EU data law strongly indicate that bigger challenges lie ahead in becoming compliant than was previously thought, and that some key practices are likely to be lost. These include a further tightening of consumer opt-in consent requirements, and restrictions on web analytics and profiling.
ICO will target brands and hold them to account
However, there is an added incentive for agencies to get compliance preparation right. The Information Commissioner's Office (ICO), which enforces data regulation, has now stated that it will target brands as well as third parties where a third party has been responsible for breaching the rules. This means that any irregularities occurring within an agency while it uses client data will be treated as the responsibility of the client, the agency and any third-party processor alike, and all will be subject to fines and the resulting publicity.
Third parties of all descriptions that bring sanctions upon clients, including agencies, may find it difficult to survive the damage to reputation and finances.
The key areas that the trialogue (EU Parliament, Commission and Council) has so far tightened up on during recent discussions crucially include the level of consent required to use personal information. It is now agreed that consent must be freely given, specific, informed and an explicit indication of the consumer's wishes, and that it must be given by a statement or by a clear affirmative action.
There will also be no continuation of the current 'soft opt-in' category, which allows marketing communication with consumers who have made a purchase. Such consumers will have to be asked for consent, or no marketing communication will be allowed. This also means upgrading the consent held on all existing databases.
The burden of proof will be on the brand
The burden of proof to demonstrate consent conditions have been met will be on the brand owner or agency. In any dispute it will not be up to the consumer or ICO to prove negligence. It will be up to data owners and any third parties involved to demonstrate the correct level of consent was correctly obtained.
The amendment to the draft law raises the opt-in condition from a 'specific' and informed indication of the data subject's wishes to a new and higher level.
Another key point being examined, and one that is crucial to digital marketers, is that the definition of personal data could be extended to cover some IP addresses and cookies as 'online identifiers'. If this were to happen, web analytics and profiling would become much more difficult, if not impossible.
It is the EU Parliament that is pushing to introduce consent for all profiling, and in addition the Justice and Home Affairs Ministers consider that pseudonymous data should be treated as a subset of personal data. If these wishes are adopted, there will be huge implications for digital marketers, the least of which may be having to amend the wording of privacy policies and data collection notices.
Change to law regarding data breaches
The rules on data breaches are likely to change so that the Information Commissioner's Office must be informed of a problem within 24 hours, and affected consumers within 72 hours. The nature of the breach, the number of data subjects affected, the categories of data involved and the proposed mitigation will also have to be reported.
Other changes include the need for companies to prepare for members of the public requesting the full information held on them. Currently a maximum fee of £10 can be charged for this, which collectively costs £50 million a year, but Subject Access Requests will be free under the new law. As this becomes widely known, certain sectors, such as finance, should be prepared for requests on a large scale.
The proposed sanctions for breaking the new law include fines of up to one million euros or two per cent of company turnover. The degree of punishment will depend on the size of the organisation, the nature and gravity of the breach, whether it was intentional or negligent, the technical and organisational measures in place, previous history, and cooperation in investigating the breach.
The fundamentals:
Despite some key areas of the law still being debated, there are fundamentals that have already been established and that brand owners and agencies can prepare for. They are:
- Refresh the consent level on databases by contacting individual consumers to seek the higher level of opt-in permission. Data without it will have to be written off.
- Create a system for registering and storing the consent given by consumers.
- Create a clearly identifiable point of contact, and a method, for members of the public to access the data held on them and to have that information erased if they request it.
- Create a protocol for reporting and mitigating breaches of data security.
These tasks cannot be planned or implemented quickly. There are no off-the-shelf answers, and aside from technical IT provision there are almost no consultancy services available to assist with preparation for the GDPR. The final details of the new law are due to be published at the end of March next year, and there will be a window of two years to prepare before the legislation takes effect, but for those with large databases time is already starting to run out.
[Editor's note: On 17/12/2015 the UK DMA issued these 5 guidelines on the GDPR for marketers, prepared by its solicitors, which we recommend.]
Thanks to Dene Walsh for sharing his advice and opinions in this post. Dene Walsh is Operations and Compliance Director at Verso Group. He is also a member of the Direct Marketing Association's Contact Centre and Telemarketing Council, on which he heads the Enforcement and Regulation Hub. Dene Walsh has worked within consumer data companies for more than 15 years as a specialist in regulatory compliance.