The General Data Protection Regulation was adopted in April 2016 as a means to harmonise and modernise privacy protection laws across the EU. Its predecessor – the 1995 Data Protection Directive – was conceived in a very different era and had become an inadequate tool to police modern data processing practices. It also spawned different data protection rules in different EU countries, which created a legal nightmare for companies trying to do business across the EU.
So what do you marketers need to know about GDPR? We asked Sherree Westell, a solicitor at Woodroffes, who leads Emarketeers’ GDPR training course, and who has been working in the field of data protection for over 20 years.
When will GDPR come into effect? And what impact will Brexit have?
“GDPR comes into force on 25th May, 2018. Brexit or no Brexit, it will happen. We will still be part of the EU on that date and the regulations will take direct effect. And in any event, the UK Government has introduced a data protection bill to ensure that GDPR does come into effect and is preserved regardless of what happens with Brexit.”
Who will be affected?
“It applies to any business that collects and uses data related to any living individual in the EU. It certainly affects any organisation that does any marketing. It’s inconceivable that you could possibly engage in marketing activities without processing personal data in some way.”
Why do marketers need to take it seriously?
“A compelling reason to comply is the potential adverse publicity and damage to reputation and brand that arise as a result of a breach. Another aspect to focus everyone’s minds is that for certain breaches there can be fines of up to €20m, or 4% of total worldwide annual turnover – whichever is the greater. That compares to a maximum possible sanction under the current law of £500,000.”
What do you think is the most important difference from existing regulations that marketers need to be aware of?
“Most marketing activity is undertaken on the basis that the user has consented. The bar for satisfactory consent is being raised under the GDPR. Organisations will need to review their existing consents to ensure they are compliant.
The thrust of the new regulations is there needs to be much more detail in their explanations of why the data is being collected, what it’s going to be used for and who might have access to it. Consent will need to be specific and unambiguous – no more implied opts in and pre-ticked consent boxes.
Marketers will also have to document that consent to a greater extent, and be much more specific about the fact that individuals can withdraw that consent at any time and give them a very simple and straightforward procedure for so doing.”
Surely lots of marketing databases won’t be compliant with these new consent standards. Other than seeking new consents – which will likely make huge swathes of customer data unusable – what can marketers do?
“More and more organisations will rely on the fact that they have what is defined under the regulation as a ‘legitimate interest’ for processing the data. Current guidance does say that direct marketing can be a legitimate interest. However, businesses will need to undertake and document what’s known as a ‘balancing test’ in order to weigh the company’s legitimate interest in using the data in this way against the statutory rights and interests of the individual.
In summary, if you’ve got broad consent for a number of specific marketing purposes from an individual, evidence of that consent and it’s relatively recent – say less than 2 years old – then you could probably come up with a reasonable case for continuing to store and process that data provided you have related compliance notifications in place. Of course, marketers need to also be aware of the ePrivacy Regulations which also require specific consent for certain activities and which are being updated at the same time as the GDPR comes into force.”
What would happen under the new regulations in the advent of a data breach, like the one suffered by Uber?
“As things stand, it is good practice to notify the ICO if you have had a significant breach and work with them to reduce the adverse effects of that and make sure individuals’ data is looked after as much as possible. Going forward it’s going to be a legal obligation to notify certain breaches (to the ICO as well as affected individuals) with those potentially huge fines for failure to comply.”
What about anonymous data – such as location or behavioural data captured online? Is that included in the provisions?
“There are lots of misconceptions on what’s anonymous and what isn’t and there’s a raft of guidance on this. The regulations define personal data as all information that can be joined with other information to identify the individual. So, for example, location data that could be used to identify specifically where you live, and could be tallied up with billing information that identifies who you are, would be regarded as personal data.”
What else do marketers need to do to prepare for GDPR?
“Certain organisations have to appoint a Data Protection Officer. And the circumstances in which it’s essential for a DPO to be appointed include where certain special categories of data are processed, and some of the special categories are in line with personal data that may be captured by marketing professionals. Certainly, any company that’s involved in behavioural advertising or analysis is likely to get caught in this and will need to make sure they hire a DPO.
Another issue for marketers is the new provisions around data processors – for example, a third party who may be used to send out e-newsletters. As things stand, data processors aren’t primarily liable under the Data Protection Act. Under GDPR, data controllers and data processors are potentially liable and the contract terms that a data controller needs to impose on that data processor are more extensive. Marketers should be reviewing their contract with any third party that has access to their data.”
Do you expect the ICO to flex its muscles and hand out some high profile fines after the new regulations come into effect?
“In the UK, businesses can be comforted by the fact that the regulator, the ICO, doesn’t fund itself through the imposition of fines. And also the ICO emphasises that it sees its role as assisting businesses in their compliance activities, not going around enforcing and slapping fines on people.
However, if a business sector is receiving consistent complaints from consumers, the ICO will investigate. A recent investigation into the practices of charities sharing data without explicit consent is a case in point. They will impose fines if companies are found to be in breach of the regulations.”
Is there anything else that you would advise marketers to do?
“We can’t say for certain how it’s all going to pan out because it’s new law. As long as businesses aren’t doing anything from a marketing perspective which is going to be a surprise to their customers and they’re very responsive if they do get a request for deletion from a database or just a general complaint, that is a good way to significantly reduce risk.
Marketers are going to have to document a lot of existing data procedures and processes – what data they hold, what they use it for, what other third parties have access to it, specific consent and when that consent was obtained etc – so that if there is ever a problem, they can demonstrate their compliance by producing the documentation.
Going forward, marketers will need to include discussion on privacy into every campaign they initiate – a concept called privacy by default. They’ll need to conduct a Privacy Impact Assessment from the outset into what data is going to be collected and how that data is going to be used in that campaign and beyond.
There’s no doubt that this will require cultural change from all departments and levels of the business – not just from the marketing department.”