The expertsâ 10 points to prepare for regulation

Rosemary Smith, director, Opt 4, and Andrew Bridges, data governance manager at Nectar owner AIMIA, talked through their 10 concerns for the coming European data legislation.

Smith said, “I have a strong feeling that the regulation is like the bogeyman under the bed. Three years of waiting, wondering, worrying about what might finally come together. For us in the UK, it means stepping up in terms of compliance. There is no doubt about that. When? That’s above my pay grade, but it will come to us in no short order,” she said.

She and Bridges talked through the following 10 points. For simplicity, we have merged their comments below:

1. Regulation, not directive:

How will each member state take the new regulation into their business? Will it be a pick-n-mix scenario, or will we agree to a specific scenario? You may get the worst of both worlds - an overall blanket but individual differences.

2. Explicit consent – opt in:

Is it opt-in Armageddon? We will all be affected. Advertising is driven by profiling. We should be clear - this is how we process your data. If you don’t like it you can opt out, but it is built on trust. What does the consumer want? If everything is opt-in, it could mean a lot of work for businesses.

3. Specified ‘legitimate interests’:

These include the marketing of similar products and services, postal marketing and B2B. It is a good idea to specify where it will apply. In the spirit of being open and honest, let’s discuss the issue. We have to be clear: look for guidance. If you don’t know, put your hand up.

4. Documentation – proof of consent:

There is a lot of process in the regulation. One aspect is the requirement to document consent. That will be a challenge. Most CRM systems do not have that level of granularity. At the moment we are just yes or no. It’s one of the components that has to be broken-down. Consent by channel, by brand.

5. Mandatory Breach notifications for consumers:

We don’t want to see notification fatigue that undermines faith in the Internet, which is where data is driven. It creates panic. We need to find a fine line.

6. Privacy impact assessments:

This has been best practice for a while. A product or service configuration must come first, and needs to come at the start of the process. The crown jewels - data - have to be protected.

7. Restrictions on profiling/ use of IP addresses:

I believe if we don’t get this right, the whole industry could be affected. To affect targeting would be massive. We would be back to a scattergun approach. People don’t want offers that aren’t relevant for them.

8. Liability – admit fault:

Up to now, processes have been the instruments of the data controller. The Data Processor will share some liability. This could have really big effect - look at the size of potential fines. You need due diligence. At the moment we have a three-month process to find suppliers. Is it too much? Well, it protects our brand. Who, really, is in control of the data?

9. Right to erasure, not just removal:

Are there any issues or is it just a Google issue? It's just Google - just the service provider. We have to keep an eye on this and see how it develops. Expectations may be raised of erasure, but we don’t know where that will land.

10. Data protection office:

We don’t know when they will be required, or what will determine it. Will it be the size of the company, or local law? Where will we find all the people? We have to force that through and train a few people. As a community we need to work on that.