EU Data Protection Reform – What you need to know
10 Jun 2014
Within the next 12-24 months there will be a major overhaul of EU data protection laws, so I've summarised the key information you need to know here so you're able to prepare. The changes are being introduced to improve internet consumer data protection, with strict consent requirements backed up by huge fines and stronger enforcement.
Key points to note:
Happening within 12-24 months (not as long as it seems)
Fines up to €100 million or 5% annual income (whichever is larger)
Individual right to claim compensation
Enforcement régime instead of self-regulation and education
Explicit consent for data collection, data usage and marketing
Huge fines and simple compensation claims
The changes will see high fines of up to 100 million Euro and easy access for individuals to make compensation claims. The risk of fines and compensation claims means that proving consent should be top priority for businesses. This should be achieved by making the language simple, not hiding information in privacy statements, making the sign-up process clear and saving subscriptions so they are easy to query. The ICO has already warned that it will have to introduce "mandatory fines", and the recent John Lewis case shows that you need to be able to prove consent.
The right to be forgotten
Individuals must be provided with the option to have their data deleted. The recent case against Google, forcing them to provide a way to delete old links, shows that there is already a "right to be forgotten", but the proposals make these rights clearer and more enforceable. If service messages are still needed, customers should be told in advance, should be able to choose the notification method (post, email, SMS, none) and then have their data deleted once those notifications are complete.
What do I need to do?
You'll need to ask for permission to do things which you currently take for granted, such as:
Adding customers to mailing lists and sending them marketing communications
Using your customers’ personal, behavioural, purchase and preference data to tailor the website or send them personalised and targeted emails
Implied consent will not be allowed and consent will only be valid when it's "specific" and "informed" by telling individuals how their data will be used in an easily understood way.
How this applies to your existing customers
The risk of fines means you must be in a position to prove consent, not just for new subscribers but for existing ones too. Because consent is not forever you should also be in a position to show recent consent.
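The two requirements above (be able to prove consent, and show that it is recent) and the delete-after-notifying flow described under "The right to be forgotten" are easier to reason about in code. The following is an added example, not code from the original post or from any product it mentions. It records every consent action with its source and the exact wording shown, answers "can we prove current consent for this purpose?", treats consent older than a configurable window as no consent, and only erases a record once the individual's chosen service notices have gone out. The class and field names, the 365-day validity window and the sample customers are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Names below are illustrative assumptions for this example, not any real framework's API.
NOTIFICATION_METHODS = {"post", "email", "sms", "none"}


@dataclass
class ConsentEvent:
    purpose: str            # what the consent covers, e.g. "marketing_email"
    granted: bool           # True = opted in, False = withdrawn
    recorded_at: datetime   # when the individual acted (timezone-aware)
    source: str             # where the action happened, e.g. the sign-up form
    wording: str            # the exact text the individual agreed to


@dataclass
class CustomerRecord:
    email: str
    consents: List[ConsentEvent] = field(default_factory=list)
    notification_method: Optional[str] = None       # chosen at erasure time
    pending_notices: List[str] = field(default_factory=list)


class ConsentLedger:
    def __init__(self, max_age: timedelta):
        # Consent is not forever: anything older than max_age counts as no consent.
        self.max_age = max_age
        self.customers: Dict[str, CustomerRecord] = {}

    def record_consent(self, email: str, purpose: str, granted: bool,
                       source: str, wording: str, when: datetime) -> None:
        # Refuse to store anything that cannot later be shown as an explicit, informed action.
        if not source or not wording:
            raise ValueError("consent must carry its source and the exact wording shown")
        rec = self.customers.setdefault(email, CustomerRecord(email))
        rec.consents.append(ConsentEvent(purpose, granted, when, source, wording))

    def proof_of_consent(self, email: str, purpose: str, now: datetime) -> Optional[ConsentEvent]:
        # The most recent action for this purpose is the evidence; it must be a grant and still fresh.
        rec = self.customers.get(email)
        if rec is None:
            return None
        latest = max((e for e in rec.consents if e.purpose == purpose),
                     key=lambda e: e.recorded_at, default=None)
        if latest is None or not latest.granted or now - latest.recorded_at > self.max_age:
            return None
        return latest

    def may_process(self, email: str, purpose: str, now: datetime) -> bool:
        return self.proof_of_consent(email, purpose, now) is not None

    def request_erasure(self, email: str, method: str,
                        outstanding_notices: List[str], when: datetime) -> str:
        # The individual asks to be forgotten and picks how remaining service messages reach them.
        if method not in NOTIFICATION_METHODS:
            raise ValueError(f"notification method must be one of {sorted(NOTIFICATION_METHODS)}")
        rec = self.customers.get(email)
        if rec is None:
            return "erased"
        # Withdraw every consent immediately so nothing is sent while notices are pending.
        for purpose in {e.purpose for e in rec.consents}:
            rec.consents.append(ConsentEvent(purpose, False, when, "erasure request",
                                             "individual asked for their data to be deleted"))
        rec.notification_method = method
        rec.pending_notices = [] if method == "none" else list(outstanding_notices)
        return self._erase_if_done(rec)

    def mark_notice_sent(self, email: str, notice: str) -> str:
        rec = self.customers.get(email)
        if rec is None:
            return "erased"
        if notice in rec.pending_notices:
            rec.pending_notices.remove(notice)
        return self._erase_if_done(rec)

    def _erase_if_done(self, rec: CustomerRecord) -> str:
        if rec.pending_notices:
            return "pending"
        del self.customers[rec.email]
        return "erased"


def demo() -> dict:
    # Constructed sample data for this example, not real customers.
    ledger = ConsentLedger(max_age=timedelta(days=365))
    t0 = datetime(2014, 6, 10, tzinfo=timezone.utc)
    form, text = "https://example.com/signup", "Yes, send me offers by email"
    ledger.record_consent("ann@example.com", "marketing_email", True, form, text, t0)
    # Bob opted in over a year ago: still on the list, but the proof is stale.
    ledger.record_consent("bob@example.com", "marketing_email", True, form, text, t0 - timedelta(days=400))
    out = {
        "ann_marketing": ledger.may_process("ann@example.com", "marketing_email", t0 + timedelta(days=30)),
        "bob_marketing": ledger.may_process("bob@example.com", "marketing_email", t0),
        "ann_profiling": ledger.may_process("ann@example.com", "profiling", t0),   # never asked for
    }
    out["erasure"] = ledger.request_erasure("ann@example.com", "email", ["final invoice"], t0 + timedelta(days=40))
    out["ann_after_request"] = ledger.may_process("ann@example.com", "marketing_email", t0 + timedelta(days=41))
    out["after_notice"] = ledger.mark_notice_sent("ann@example.com", "final invoice")
    out["ann_gone"] = "ann@example.com" not in ledger.customers
    return out
```

Calling `demo()` walks through the cases the post raises: a fresh explicit opt-in is provable, a year-old one is not, a purpose that was never asked about is not covered, and an erasure request withdraws consent at once but only removes the record after the chosen service notice has been sent. In a real system the ledger would be an append-only table keyed on the individual, and the deletion step would also purge the analytics and mailing systems fed from it.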
B2B marketing - opt-in consent needed
Names and contact details of individuals are personal data. No distinction is made between a home and a business address: if the information relates to an individual or identifies an individual, processing and marketing need consent.
Third party data
It's only with a clear, informed and explicit action by an individual that you can obtain their consent for processing or direct marketing. It'll be difficult for third party vendors and those who use third party data to meet the new consent standards. The high fines and more effective enforcement mean that anyone purchasing or using third-party data should start reviewing the sources of their data and obtaining proof (rather than assurances) about the opt-in status of the individuals on those lists.
In a nutshell...
Two years isn't a long time to change how you work, to replace data, to change websites and to change contracts, terms and conditions and privacy policies. Early action will give you a competitive advantage for when these rules are implemented. Take the time now to understand the changes which are underway and how they'll affect how you work.