Details of the proposals' impact
Key points about draft EU Data Protection Regulation and its potential impact
The 1995 European Data Protection Directive (implemented in the UK by the 1998 Data Protection Act) needs to be updated:
- The law doesn't take account of new technologies and more complex information networks
- Lack of a common European law: differences in national implementation impede marketing
- Consumer concern over privacy (high-profile data security breaches, etc.) is leading to reduced permission to market
The European Commission's (EC) aim to reduce red tape and simplify bureaucracy is a welcome ambition – but these proposals do not achieve that:
- Overly strict, bureaucratic and unworkable
- There needs to be a fair balance between privacy and legitimate business interests
- High cost of compliance and legal ambiguity will stifle innovation, deter investment and place unnecessary obstacles to e-commerce jobs growth
- Will be particularly harmful to SMEs
- Poorly defined rights will raise unrealistic expectations for consumers and possible confusion - in danger of creating a "tick box" culture for consumers
- It is hard to say how the EC's estimate of 2.3 billion euros saving to businesses was calculated. DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales
Specific provisions in the draft regulation
- Opt-in and opt-out consent: General rule for direct marketing – "explicit consent by clear statement or affirmative action". Explicit consent for personally addressed direct marketing
- Definition of personal data: Extended so could cover some IP addresses and cookies – "a natural person who can be identified, directly or indirectly by means likely to be used by the Data Controller… in particular by reference to an identification number, location data, online identifier…"
- The right to be forgotten: "The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data"
- Data breach notification: Every organisation that suffers a data security breach would have to notify the Information Commissioner's Office and the individuals concerned within 24 hours
- Subject Access Requests: Data subjects to be able to request full information on data held on them free of any charge
- Marketing to children: General rule – parental consent required for under-18s. Exception for online marketing to children above the age of 13
- Right to data portability
- International transfers of data to countries outside the European Economic Area (EEA – 27 Member States of the EU plus Iceland, Liechtenstein and Norway): Law would apply to any processing of data of EU citizens
- Increase in fines/sanctions: In stages, of up to 2% of global turnover or 1 million euros
- Powers to EU to implement secondary legislation through delegated acts
- Appointment of designated Data Protection Officer for organisations with 250+ staff: Accountability/Privacy by Design/Privacy by Default, etc.
- Right to compensation: Any person who has suffered damage as a result of an unlawful processing operation…shall have the right to receive compensation from the controller or the processor