Preparing for the DPR

Negotiations in Brussels are ongoing and while good progress has been made so far there are still some serious hurdles to cross before a final version of the text can be agreed.

The EU hope to have a political agreement between all the institutions – the European Commission, Council and Parliament on the regulation by the end of this year, but in reality it will likely take far longer for formal approval, Q1/Q2 2016 is the best estimate we currently have. This means the regulation will come into effect in Q1/Q2 2018.

With this in mind there is plenty organisations can do to put themselves in the best possible position for when the regulation comes into force.

Firstly, organisations should all meet their current responsibilities under the existing data protection legislation. Secondly, organisations should carry out an audit or review of their data processing activities focussing particularly on the following areas:

Consent

This is one of the more important changes for one-to-one marketers. Definitions for valid consent will tighten for certain. The European Parliament advocates “explicit consent” while the Justice and Home Affairs Ministers ask for “unambiguous consent”. Lawyers can argue till the end of time about the differences between the two definitions, but either way the rules will be stricter.

Organisations should therefore think about how they obtain consent. Are your customers aware of what they’re consenting to and is that consent recent?

Consumers feel concerned that they have lost control over how organisations use their personal information. How much control do you give your customers over their own information? Organisations that give customers more control over how their own personal information will find that those customers will trust them more. They will also be in a good position for when the new regulation comes into force.

Data protection policy and procedures

A big part of the regulation is the principle of accountability - an organisation should be able to demonstrate to regulators and others that it is compliant with the regulation. An organisation that can demonstrate what actions it has taken to mitigate the risk of lost or misused personal information and has a clear and concise privacy policy or data collection statement will be at an advantage.

All organisations should have a member of the senior management team responsible for data protection compliance to ensure accountability. Are staff able to easily find what their organisation’s data protection policy is, and do they know who is responsible for it? Organisations should ask questions like these as part of the audit/review process.

Organisations need to consider the concept of privacy by design - building data protection compliance in from the start of a project or designing a new product or service rather than adding it at the end of the process as an afterthought. Privacy by design may even save an organisation time and money.

Data protection officer

Larger organisations may have to appoint a data protection officer under the regulation, either because they have a large number of staff, they process a great deal of personal information, or because they have risky processing activities.

A data protection officer reports directly into the senior management team, responsible for ensuring data protection compliance. The concept comes from German national law. At a Privacy Laws & Business event in Cambridge this summer, Isabelle Falque-Pierrotin, Chair of the Article 29 Working Party, a grouping of Europe’s various national equivalents of the Information Commissioner’s Office (ICO), said that a data protection officer was not going to be a provision necessary for every business.

She said, “It is not our intention to make the local baker have to employ a data protection officer”. However, all organisations should be thinking about who is trained to deal with data protection issues. Do staff need more training even if they don’t have to appoint a data protection officer?

Service providers

Contact centres, mailing houses and e-mail/SMS broadcasters will be subject to direct enforcement action from the ICO under the regulation and will also be subject to more obligations than now. Organisations in these sectors need to think about their data security practices and what more they can do to improve data security.

Take action now

These are the key points that any one-to-one marketing organisation should be thinking about now.

The two year implementation period will soon be upon you. Use this time to audit or review your organisation’s data protection procedures while the regulation is finalised as this will massively reduce the stress during the two year implementation period.