What Marketers Need to Know About the New European Data Regulation
The new European General Data Protection Regulation, which at the time of writing is widely expected to pass, with some amendments, into European law as early as January 2018, has the potential to radically alter the way marketing is done for all kinds of organisations, and not just in Europe.
The maximum fine in the proposal currently under discussion stands at €100 million or 4% of global annual turnover, whichever is higher, and it applies to infringements of the Regulation generally, not only to data breaches (the figures have moved between drafts and should be checked against the final text). Clearly, not many of us are in a position to absorb that kind of punishment. Now is the time to begin preparations. So what do you need to know?
The first thing is that you should seek legal advice specific to your business. At the moment we can only speculate on the full impact of this Regulation, and it will be essential to get advice from a legal expert on how it will affect you and your business. But there is certainly enough information available for you to start making contingency plans.
What Does all of the Jargon Mean?
• This is a Regulation, Not a Directive It will update and replace the existing European Data Protection Directive. Whereas the existing legislation is transposed into national law, and interpreted, by each member state, the new Regulation will apply directly across the entire EU. This leaves far less room for manoeuvre, as each state will be legally required to enforce the same text in full.
• Users This article uses "User" for what the Regulation calls the data subject: the living individual to whom the data refers.
• Controllers The Regulation's controller is whoever decides why and how personal data is processed; the organisation running the marketing campaign is almost always the controller. The Regulation uses a separate term, processor, for anyone who processes the data on the controller's behalf, such as a cloud or datacentre provider. This article uses "Controller" loosely to cover both roles, but the distinction matters, because the controller carries the primary legal responsibility and must bind its processors by contract.
Why Is This Happening? What’s It All About?
As well as being part of a continuing process of standardising individual rights and legal standing across Europe, this is a reinforcement of the existing Directive, which has not fulfilled many of its original objectives. Among the founding principles of the Directive was an individual's right to have inaccurate or unlawfully held data about them corrected or erased; the new Regulation expands this into what has become known as the 'right to be forgotten', under which an individual can decide what information may be kept about them and can choose to have it removed.
Transparency is key. The obligation lies with the Controllers to keep Users informed about what information they hold and what they intend to do with it. For marketing purposes the usual lawful basis is the User's consent, obtained before each new use; the Regulation does recognise other lawful bases (for example, processing needed to perform a contract), but you should not assume any of them covers marketing without legal advice.
As well as ensuring that no data is kept secretly and that no new use is made of the data without the express permission of the individual, Controllers will have a strict time window in which to notify the supervisory authority, and in serious cases the Users themselves, of any breach of security affecting personal data. The exact window is yet to be firmly established; the draft texts have discussed periods of between 24 and 72 hours from discovering the breach.
The European Parliament's lead MEP on the Regulation, Jan Philipp Albrecht, said that "companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data."
The 7 Principles For Personal Data Processing (Set Out in the EU Directive 95/46/EC and in the EU Regulation 45/2001)
- Notice – people whose data is being collected, processed and kept should be informed
- Purpose – data collected should be used only for the stated purpose(s) and for no other
- Consent – personal data should not be disclosed or shared with third parties without the consent of the person concerned
- Security – once collected, personal data should be kept safe and secure from potential abuse, theft, or loss
- Disclosure – people whose personal data is being collected should be told which party or parties are doing this
- Access – people should be granted access to their personal data and allowed to correct any inaccuracies
- Accountability – people should be able to hold personal data collectors accountable for following all these principles.
So What Data Will Be Affected?
The Directive talks about personal data in terms of "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Article 2a).
So even data that does not immediately identify someone, but relates to an individual who could be singled out, is personal data and cannot be kept or used without a lawful basis, which in marketing normally means the individual's express knowledge and consent to the uses you intend.
This has serious implications for tracking trends of gender, race, age, job type, location or the like across your customer base or visitors to your site. Race, health and similar categories are "special" data under both the Directive and the draft Regulation and attract stricter conditions still. Any information you request or gather through your marketing or sales process will need to adhere to the strict rules of the Regulation.
This includes collecting and storing the IP address of anyone within the EU who visits your site, and it will also apply to cookie identifiers, device IDs, phone numbers, usernames and any other information about the people you interact with: the draft treats such online identifiers as personal data when they can be linked back to a person.
What Are The Rights, Powers And Expectations Of A User?
It is expected, as said above, that you will inform individuals of any data you have collected about them and what you intend to do with it. You can only proceed with that use, and retain the information, if the User gives their express consent. This is about opting in: you cannot hold marketing data about an individual without them having agreed to it.
They will also be able to opt out. A User can request, at any time, that you delete all data relating to them. This applies to every copy of that information, including replicas and back-ups, and it must be permanently deleted. The draft does not set a technical timescale for purging back-ups, so you will need a documented process for applying the deletion to restored data as well as to live systems.
Failure to comply with the above will leave the User in a position to file a compensation claim. As well as that claim and the reputational damage you will suffer, this is where the big financial penalties mentioned above start to come into play.
How Do I Handle These User Rights?
You need to have fail-safes in place so that any data you collect is recorded, together with the consent and purpose it was collected under, in a way that lets you answer an access or erasure request promptly. You need to be certain that when you delete someone from your database they are truly removed from your entire system, under every identifier you hold for them, and you need a way to check that afterwards.
Having a robust data management policy will be essential for every business. Appointing a Data Protection Officer, which the draft Regulation makes mandatory for some organisations, might also be your next step. Each business will face its own challenges, and we strongly advise that you seek legal counsel and have a trusted source review all of your data collection systems for potential risk.
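As an illustration of the erasure point above and of the back-up question raised later in this article, here is an added example (not from the original page, and not any real product's code) of how an erasure request can be carried out across several stores and then verified. The scenario is constructed: a CRM table, an analytics log keyed by cookie ID and IP address, and a mailing list, held as in-memory lists. The subject is erased under every identifier you know for them, not just their e-mail; a verification pass scans every field of every store for leftovers; and a keyed-hash ledger of erased identifiers lets the deletion be replayed against a restored back-up without the ledger itself holding the personal data. The store names, field names and the secret key are all assumptions.

```python
"""Added example: erasure request handling across several data stores.

Constructed scenario, not taken from the article: three stores that
each identify people differently. Erasure must remove every record
linked to the subject by any identifier, must be verifiable, and must
be replayable after a backup restore. All names here are hypothetical.
"""
import hashlib
import hmac
from copy import deepcopy

# Constructed sample data standing in for three separate systems.
SAMPLE_STORES = {
    "crm": [
        {"customer_id": "C-1001", "email": "alice@example.org", "phone": "+44 20 7946 0000"},
        {"customer_id": "C-1002", "email": "bob@example.org", "phone": "+44 20 7946 0001"},
    ],
    "analytics": [
        {"cookie_id": "ck-7f3a", "ip": "203.0.113.10", "path": "/pricing"},
        {"cookie_id": "ck-7f3a", "ip": "203.0.113.10", "path": "/signup"},
        {"cookie_id": "ck-9b21", "ip": "198.51.100.7", "path": "/"},
    ],
    "mailing_list": [
        {"email": "alice@example.org", "consented_on": "2015-09-01"},
        {"email": "bob@example.org", "consented_on": "2015-10-12"},
    ],
}

# Fields that identify a person in each store. Cookie IDs and IP
# addresses count as identifiers, not only names, e-mails and phones.
IDENTIFIER_FIELDS = {
    "crm": ("customer_id", "email", "phone"),
    "analytics": ("cookie_id", "ip"),
    "mailing_list": ("email",),
}

# Assumption: a secret kept outside the backups, so a leaked ledger
# cannot be reversed into the identifiers it records.
LEDGER_KEY = b"hypothetical-secret-kept-out-of-backups"


def fingerprint(value):
    """Keyed hash of an identifier, so the ledger can be replayed against
    a restored backup without storing the identifier in clear."""
    return hmac.new(LEDGER_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def erase_subject(stores, identifiers, ledger):
    """Delete every record that matches any of the subject's identifiers in
    any store, in place. Appends fingerprints to the ledger and returns the
    number of records removed."""
    targets = {v.strip().lower() for v in identifiers}
    removed = 0
    for name, records in stores.items():
        fields = IDENTIFIER_FIELDS[name]
        kept = []
        for rec in records:
            if any(str(rec.get(f, "")).strip().lower() in targets for f in fields):
                removed += 1
            else:
                kept.append(rec)
        records[:] = kept  # in-place so callers holding the list see the change
    ledger.append({"fingerprints": sorted(fingerprint(v) for v in targets)})
    return removed


def residual_references(stores, identifiers):
    """Verification pass: scan every field of every record, not only the
    declared identifier fields, and return (store, record) pairs that still
    mention the subject. Expected to be empty after a successful erasure."""
    targets = {v.strip().lower() for v in identifiers}
    return [(name, rec) for name, records in stores.items()
            for rec in records
            if any(str(v).strip().lower() in targets for v in rec.values())]


def replay_ledger(stores, ledger):
    """After restoring a backup taken before an erasure, delete again any
    record whose identifier fingerprint appears in the ledger."""
    known = set().union(*(entry["fingerprints"] for entry in ledger)) if ledger else set()
    removed = 0
    for name, records in stores.items():
        fields = IDENTIFIER_FIELDS[name]
        kept = []
        for rec in records:
            if any(fingerprint(str(rec[f])) in known for f in fields if f in rec):
                removed += 1
            else:
                kept.append(rec)
        records[:] = kept
    return removed


if __name__ == "__main__":
    live = deepcopy(SAMPLE_STORES)
    ledger = []
    # Every identifier the business holds for the subject, gathered first.
    alice = ["C-1001", "alice@example.org", "+44 20 7946 0000", "ck-7f3a", "203.0.113.10"]
    print("removed from live systems:", erase_subject(live, alice, ledger))
    print("residual references:", residual_references(live, alice))
    restored = deepcopy(SAMPLE_STORES)  # simulate restoring an old backup
    print("removed again after restore:", replay_ledger(restored, ledger))
```

The two design choices worth copying are the separate verification pass, which scans every field rather than trusting the list of identifier columns (a stray e-mail in a free-text notes field is exactly what such a scan catches), and the keyed ledger, which is what makes "deleted from the back-ups too" achievable in practice: you restore, replay, and only then bring the restored data back into service.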
What About Data We Keep With A Third-party Datacentre?
In the Regulation's terms your cloud or datacentre provider is normally a processor acting on your instructions, and you, as the controller, remain responsible for what they do with the data. They will need to comply with the Regulation in their own right, and you will need to ensure that every transfer of data to them is compliant and timely. For example, if you delete a User at their request, do you know how quickly your cloud provider will refresh your back-ups to reflect that change, and whether a restored back-up would quietly bring the User back?
If you use a third party for any data services then you are legally required to ensure that they are compliant as well. As soon as you understand the law as it applies to you, you should be reviewing their processes, the standing SLAs you have with them, and your own terms and conditions.
What If I Store My Data Overseas?
The draft Regulation applies to any organisation established in the EU that processes personal data, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, which catches most marketing directed at European visitors. Transfer of personal data outside the EU is only permitted where the destination offers an adequate level of protection, or where you have put appropriate safeguards in place (for example, standard contractual clauses or binding corporate rules) and the overseas recipient is bound to handle the data in line with the Regulation. There are some very strong terms in the text, including sanctions, and quite how this plays out with breaches taking place in, say, the United States remains to be seen. What is certain is that anyone transferring data to an insecure or non-compliant recipient overseas will be in breach of the Regulation and exposed to regulatory fines as well as compensation claims from Users. Essentially, you need to ensure that any data you collect is kept safely, wherever it is stored, and that any third party you use will adhere to the Regulation.
So Where to Start?
It is yet to be decided how this Regulation will affect legacy data, and how much time will be given to organisations to get their data warehouses in order. Our advice would be to start looking into it now; you might have a lot of work ahead of you.
SEEK LEGAL ADVICE! We are not certified in law and this is a complicated issue with business-critical ramifications. This article is meant as a starting point for discussion and consideration only and does not define the legal responsibilities of the reader.