Data protection self-defence
08 Jul 2014
If you hadn’t noticed, domestic and international data protection laws are changing, consumers are getting greater protection and some of the proposals are causing concern in some industries.
The European Commission’s draft proposals for modernisation of the 1995 data protection rules are designed to improve trust between consumers and businesses in order to improve trade by building “a new gold standard of data protection” which the Commission hopes will become the international benchmark for data protection.
The draft regulations include:
- Cross-border (international) spam enforcement
- Simplification of rules, bringing together privacy and data-protection
- Greater choice, privacy and protection for consumers
- Strengthening of rules, closing loopholes which have been abused
- Stronger enforcement with easier access to compensation claims
Why you need an international view of consent, privacy and data protection
Every email campaign is a multinational campaign
Many recipients use global ISPs, companies have international offices and hosting centres, and email recipients travel. As a result almost every email campaign is a multinational campaign which could be subject to international regulations.
Rules are changing fast across the world
Even if you could map out every regulation for every country you knew you were going to hit, rules and regulations are currently in a state of flux, with changes somewhere every few months.
Look beyond the UK
New international regulations, dedicated enforcement teams and increased cross-border co-operation mean that marketers need to look beyond what is needed to work with the soft-touch enforcement in the UK and look at how to work with some of the more strict international regulations.
Why you need a defensive view of consent, privacy and data protection
Proposed EU regulations in the next couple of years are going to clarify, simplify and consolidate existing rules; but will also introduce a requirement for stronger enforcement AND a means of cross-border enforcement.
In the UK we have a largely self-regulating, laissez-faire industry, but this is changing: earlier this year the ICO fined spammers £500,000 and a recent letter from the Information Commissioner to the Secretary of State warns of mandatory fines and suggests that more funding and stronger sanctions are necessary for enforcement.
However, I see the biggest potential risk to most companies as professional or opportunistic claimants seeking out sites which have sign-up and marketing processes which are unclear or inadequate.
We need to change our data protection and privacy approach. Instead of only making sure consumers’ rights are fulfilled, we need to be in a position to easily prove that consent has been obtained, so that opportunistic claims can be quashed immediately.
Simple Guidelines for Data Protection and Privacy Compliance
This is where things become simple! Focus on privacy, data protection, choice and transparency for your customers and subscribers and you will be adhering to the principles behind almost all international legislation.
Forget for a moment the legal standards and specific wording and look at these simple, small steps.
- Review your own processes (or get an audit) to see what data you collect, how you collect and store it. Consider whether it is both appropriate and necessary and whether it fits with what your customers would expect.
- Inform customers about what you do and why. Where possible, give them choices.
To review or audit your data collection and storage processes here are some starter questions:
When you collect data:
- What data do you collect, where, when and how?
- Is personal data collected which could be deemed excessive in relation to the purpose for which it was collected?
- Is any personal data kept longer than necessary for the purpose for which it was collected?
- Are your answers consistent with your customers’ expectations?
Once you understand your own data consider the following:
- In your privacy policy include detail of what data you collect, how it is stored, how it is used to benefit your customers and what their options are for deleting their data.
- When you create an account or someone signs up make it clear at that time why you collect information and explain clearly why it benefits them, providing a link to the detailed section in the privacy policy.
- Allow people to purchase without creating an account – but give your customers compelling reasons to create an account by telling them the benefits they will get from having an account with you.
- Provide customers with ‘the right to be forgotten’ by allowing customers to delete/obfuscate (replace their customer details with dummy data) their account history – but give them reasons NOT to do this.
- Give your customers a choice to NOT be tracked, recorded and profiled. But give them compelling reasons why trusting you with their data is a good thing.
Be defensive by design:
- Keep wording and processes simple and unambiguous
- Collect basic audit information which shows what consent was provided and when
- Where possible and appropriate, start collecting explicit consent where you currently rely on implied consent
- Keep privacy policies up to date, making it easy for customers to see if anything has changed
- Make sure you are in a position to easily prove that consent has been obtained
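As an added example (not the post's own code or process), here is a small Python consent ledger that records what wording a subscriber agreed to, when, how and where, so that consent can be proved later, and that also implements the delete/obfuscate option from the earlier list by swapping the subscriber's identity for a dummy id. All class and function names are my own, and the sample values are constructed.

```python
# Added example: a minimal consent audit ledger (constructed, not the post's code).
import hashlib
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

def wording_hash(text: str) -> str:
    """Fingerprint the exact consent wording shown; any policy change yields a new hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

@dataclass
class ConsentEvent:
    subscriber_id: str
    purpose: str      # e.g. "marketing_email"
    wording: str      # hash of the wording the subscriber actually saw
    method: str       # "explicit" (box ticked by the user) or "implied" (pre-ticked/default)
    source: str       # where consent was captured, e.g. the sign-up form URL
    granted: bool     # False records a withdrawal or opt-out
    timestamp: str    # UTC ISO-8601, so "when" is always on record

class ConsentLedger:
    """Append-only log of consent events; the latest event per subscriber/purpose wins."""
    def __init__(self):
        self.events = []

    def record(self, subscriber_id, purpose, wording, method, source, granted, when=None):
        when = when or datetime.now(timezone.utc)
        ev = ConsentEvent(subscriber_id, purpose, wording_hash(wording), method,
                          source, granted, when.isoformat())
        self.events.append(ev)  # never overwrite: the history is the audit trail
        return ev

    def latest(self, subscriber_id, purpose):
        hits = [e for e in self.events
                if e.subscriber_id == subscriber_id and e.purpose == purpose]
        return hits[-1] if hits else None

    def can_prove_consent(self, subscriber_id, purpose, current_wording):
        """Defensible only if the last event is an explicit grant for the wording now in use."""
        e = self.latest(subscriber_id, purpose)
        return bool(e and e.granted and e.method == "explicit"
                    and e.wording == wording_hash(current_wording))

    def forget(self, subscriber_id):
        """Right to be forgotten: replace the identity with a random dummy id, keep the events."""
        dummy = "forgotten-" + uuid.uuid4().hex
        for e in self.events:
            if e.subscriber_id == subscriber_id:
                e.subscriber_id = dummy
        return dummy
```

Because the wording is stored as a hash, changing the privacy policy or sign-up text automatically invalidates proof for anyone who agreed to the old text, which forces you to re-collect explicit consent rather than silently rely on it.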
Links
European Commission data protection proposals 25th Jan 2012
European Commission Working Party update 27th Feb 2013
DMA – How the EU Data Protection Regulation could affect you and your business 30th Jan 2013