Counting the cost of EU data reform

This is a crucial year for data professionals and direct marketers as the draft EU Data Protection Regulation will be getting its first reading in the European Parliament this summer. Critics of the draft Regulation say it is too prescriptive and unworkable in its current form and the cost to UK businesses could be has high as £360m according to the Ministry of Justice (MOJ).

While the existing laws need updating for the digital age, the measures proposed will hamper the free flow of data and stifle economic growth. Time is running out for businesses and trade bodies to make their case, as it is likely that the Regulation will be passed by Spring 2014 with implementation by 2016.

To help UK businesses get their voices heard here and in Brussels, the DMA has launched an online Data protection toolkit, with details on the proposals, a guide on how to lobby UK MEPs and what the DMA has done and will do to ensure that the changes are reasonable.

Here I want to focus on some of the clauses that have raised the most concern from the draft Regulation for marketing data professionals, whether they are data brokers, managers or owners, data analytics experts or users. Please note that I am referring to the European Commission’s original proposals published in January 2012 and not the amendments proposed by the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee in January 2013. For more information on these amendments please see MEPs' data protection proposals a threat to direct marketing.

Gaining permissions and consent
The draft Regulation requires businesses to gain explicit consent from individuals to use their data for marketing purposes across all channels. This means that businesses will not be able to take for granted that consumers or employees, in the case of B2B marketing, consent to receiving marketing information even if they have a relationship with them.

Businesses will have to rely on people actively opting in to receive marketing information. There is also confusion about legacy data (data a company already holds on an individual). The draft Regulation isn't clear about whether or not legacy data will be exempt from the new law.

The right to be forgotten
Individuals will be able to request that businesses delete any information they hold on them, and pass the request on to third parties to whom they have passed the data. This will mean additional data processing costs for data users, brokers, managers and owners. An exemption needs to be made for the retention of personal information for suppression purposes.

IP addresses classified as personal data
The draft Regulation treats all data the same, from sensitive personal data to IP addresses and cookies. Businesses will therefore have to gain an individual's consent before carrying out web analytics. Digital marketers will struggle to chart the customer journey or analyse their behaviour online and it will damage the user's experience as their preferences won't be stored.

Profiling will also be more difficult because even if an individual isn't identifiable by the data, businesses will need to gain permissions to access this data.

Personal data vs anonymous data
Not all the data is the same. There needs to be a distinction between personal data, anonymous data and sensitive data and the Regulation needs to reflect this. A proposed solution put forward by the UK data group (a group of trade associations and clients from the advertising and marketing community including the Advertising Association the DMA, and others) is to introduce new definitions of anonymised data. This will allow businesses to use anonymised data for profiling and other data-related activities.

For instance, a supermarket that holds data on a customer through a loyalty scheme could pass on data to an analytics company for profiling as long as the data is scrambled so the analytics company can't trace it back to an individual.

The good news is that UK politicians want to see proportionate rules that reassure and protect consumers without undermining UK businesses in the process. Culture Minister Ed Vaizey and Justice Minister Helen Grant have agreed to raise our industry's concerns in negotiations with Brussels and have offered to meet our EU counterparts. Meanwhile, the House of Commons Justice Select Committee called for the EU data protection proposals to go back to the drawing board in its report, published on 1 November 2012. For more information on this report please see Draft EU Data law criticised in UK and Brussels.

The UK Information Commissioner, Christopher Graham, also updated businesses on the draft Regulation at Data protection 2013 on Friday 8 February, the DMA's annual data conference.

There is still a lot of work to be done and the DMA has called on members to get involved by lobbying their MEPs See Act now: write to your MEP. The DMA will keep members updated through the online data protection toolkit and the monthly legal newsletter (free to DMA members) on progress.

Barry Smith, Senior Consultant, GI Insight