Data is a four-letter word. Literally. But it’s also way up at the top of the list when it comes to a marketer’s pain points. Hygiene, management, suppression, etc. are all set to try us - and that’s without factoring in the big data challenges we know are waiting just around the corner. To top it off, we keep hearing about the General Data Protection Regulation (GDPR), which is on its way with the intention of “unifying and simplifying data protection across the 28 member countries of the European Union.”
Though it’s still not finalised, everyone is getting twitchy and those in the know are advising businesses to be prepared. We’ve been genning up on the latest draft and, while we don’t profess to be legal eagles, here’s our heads up on what it may mean to businesses generally and to marketing specifically:
- The new regulation is being crafted to ensure that personal data is kept safe and treated consistently across all EU countries.
- That personal data will mean any information relating to an individual (aside from employee data, which may be excepted), from a name to a photo, an email address, bank details, posts on social media, medical information, even a computer's IP address.
- A patchwork of legislation, directives and best practice currently exists across the member states of the EU. That can make it tricky even for businesses who are keen to stick to the rules and “play nicely”.
- There have been no major changes to data protection law in the UK since 1995. Since then, how data is stored, and how and for what it is used - think amongst other things the advent and popularity of social networks, cloud computing, secure file transfer, the “right to be forgotten”, etc. - has changed significantly. In that regard there’s widespread agreement that the new regulation is well overdue.
- Currently in the UK the Information Commissioner's Office (ICO) is our Data Protection authority. Once GDPR comes into force, a single Data Protection Authority (DPA) will be responsible for each company, depending on where that company is based, and it is to that DPA that breaches will have to be reported.
- It will also have an impact on non-European companies that operate in the EU, reflecting that, in today's age, businesses are increasingly globalised and trading has become borderless.
- All organisations are going to have to review every aspect of their data management and handling from collecting, gaining consent, through processing, storing and fully documenting any breach or suspected breach.
- The regulation is serious stuff and potentially a huge issue from a business continuity perspective. Those that fail to comply or breach its rules will risk severe penalties, including fines of up to 100M euros or 5% of worldwide turnover.
And the implications for us marketers? Well, plenty, but these are the 4 key ways we think it’ll impact:
1. Consent – there’s emphasis that an individual’s consent for use of his personal data must be “freely given” and that this consent must be “unambiguous” and given to processing “for one or more specific purposes”. It’s not as restrictive as the “explicit” wording used in earlier drafts but it is going to impact on how we acquire data in the first instance, what campaigns it can be used for and how we manage and maintain that consent going forward. Sounds tricky!
2. Profiling – it seems that profiling will only be allowed for marketing/targeting purposes where the data subject has given their explicit consent for it to happen. Also, data controllers will have to inform the individual about the existence of any profiling and its likely consequences. There is even mention of a “data protection impact assessment” being required in some circumstances.
There’s some chance that, where it can be demonstrated to be necessary in connection with entering into or performing a contract, this might be relaxed, but quite how that could pan out for pre-sales activities is unclear.
3. Right to be forgotten - a debate rages about this, with 7 EU states (the UK being one of them) arguing that it should be removed because it is more about privacy than protection. Currently it’s still included, so we’ll have to wait and see.
4. Notification of any breach - the current time limit for notification of any serious breach (there’s a whole list of what a serious breach might be but, in essence, it is one that is likely to result in a high risk to the rights and freedoms of individuals) is only 72 hours. Some believe that over-notification is going to become an issue and would like this requirement to be negated where steps and measures have been taken to eliminate any risk.
Interesting times ahead then. While it’s unlikely that the draft GDPR will be agreed and become a reality before the end of 2015, our advice is to make like Scar in the Lion King, and every good boy scout, and “be prepared”!