Details of the proposals' impact | Details of the proposals' impact | DMA

Filter By

Show All
X

Connect to

X

Details of the proposals' impact

The end of one-to-one marketing?
The proposals at a glance
How will this impact MY business?
Details of the proposals' impact
What other organisations are saying
Useful links
DMA research and advice
Latest updates


Key points about draft EU Data Protection Regulation and its potential impact

The 1995 European Data Protection Directive (implemented into UK by 1998 Data Protection Act) needs to be updated:

  • Law doesn't take account of new technologies – and more complex information networks
  • Lack of common European law: differences in national implementation impedes marketing
  • Consumer concern over privacy – high profile data security breaches, etc. leading to reducing permission to market

The European Commission's (EC) aim to reduce red tape and simplify bureaucracy is a welcome ambition – but these proposals do not achieve that:

  • Overly strict, bureaucratic and unworkable
  • There needs to be a fair balance between privacy and legitimate business interests
  • High cost of compliance and legal ambiguity will stifle innovation, deter investment and place unnecessary obstacles to e-commerce jobs growth
  • Will be particularly harmful to SMEs
  • Poorly defined rights will raise unrealistic expectations for consumers and possible confusion - in danger of creating a "tick box" culture for consumers
  • It is hard to say how the EC's estimate of 2.3 billion euros saving to businesses was calculated. DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales

Specific provisions in the draft regulation

Opt-in and opt-out consent

General rule for direct marketing –
"explicit consent by clear statement or affirmative action"
Explicit consent for personally addressed direct marketing
  • Would decimate prospect lists and the data industry
  • Severely reduces brand-permissioned customer data
  • If could not prove that there was consent, could mean scrapping whole databases
  • Impacts growth by putting up the cost of customer acquisition
  • Legacy databases – what about data collected under current law?
  • Could create a 'tick box' culture if explicit consent needed every time – consumers could be put off or not take sufficient notice
  • At odds with existing rules on voice calls, email and SMS marketing, which has 'existing customer' rule
  • 'Balance of interests' exemption needs to be clarified
Definition of personal data

Extended so could cover some IP addresses and cookies

"a natural person who can be identified, directly or indirectly by means likely to be used by the Data Controller… in particular by reference to an identification number, location data, online identifier…"
  • Makes no distinction between data which is not directly identifiable and data which is, e.g. name and address
  • IP addresses identify a device not an individual – and a device could be shared
  • Web analytics and profiling made much more difficult, if not impossible
  • Profiling is a legitimate business activity which benefits consumers, giving them more targeted and relevant marketing communications
  • Huge implications for digital marketers – would limit commercial development
  • Interaction with new cookie rules problematic
The right to be forgotten

"The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data"
  • Paradox with need to keep details of anyone requesting deletion so that an organisation can "remember to forget"
  • Problem of responsibility for information which has already been passed on to third parties
  • Possibility of misleading consumers by raising unrealistic expectations – for example, some data (e.g. financial services) has to be kept for specific period
  • Increased costs for data processing
  • Use of suppression files?
  • Drafted with social media in mind – but the proposals go beyond this and need clearer boundaries
Data breach notification

Every organisation that suffers a data security breach would have to notify Information Commissioner's Office and the individuals concerned within 24 hours
  • Not always obvious if there has been a breach, how extensive it is, or which individuals are affected
  • Problem of notification fatigue – with danger that no action is taken when there really is a problem
  • No threshold level specified – some breaches are limited and relatively insignificant
  • Unlikely that UK Information Commissioner's Office and national data protection authorities in other Member States could cope with the huge increase in workload
Subject Access Requests

Data subjects to be able to request full information on data held on them free of any charge
  • Organisations can currently can levy a £10 fee – which doesn't cover costs but can deter time-wasters and frivolous or vexatious requests
  • Costs organisations £50 million p.a. now to meet SARs – this would increase
  • Proposal that can provide data in electronic form if data subject agrees to this – this is welcome
Marketing to Children

General rule – parental consent required for under 18's
Exception for online marketing to children above age of 13
  • No flexibility – a risk-based approach would be better
  • Verifiable parental consent already problematic
Right to data portability
  • Meant to help consumers but could be unworkable
  • Could deter investment in innovative products and services
  • Extra costs to business to modify IT systems
  • Implications for competition
International transfers of data to countries outside European Economic Area (EEA – 27 Member States of EU plus Iceland, Lichtenstein and Norway)

Law would apply to any processing of data of EU citizens
  • Problems in applying rules beyond EEA
  • Disincentive for non-EU firms to serve EU consumers
  • In digital world, nationality not always obvious
  • Doesn't reflect reality of 21st century global data world
Increase in fines/sanctions In stages, of up to 2% of global turnover or 1 million euros
  • Disproportionately high
  • Could lead to organisations taking their business offshore or restructuring to avoid larger penalties
Powers to EU to implement secondary legislation through delegated acts
  • Over 40 proposed implementing and delegated acts
  • These cover a lot of crucial detail which would not be clear until the Regulation was in force – the Commission could amend law without consultation
  • Would lead to greater industry uncertainty
  • Lack of democratic accountability – transferring power from national governments to European Commission
Appointment of designated Data Protection Officer for organisations with 250+ staff

Accountability/Privacy by Design/Privacy by Default, etc
  • Expensive – proposal takes no account of nature of an organisation's business or how much/little data is handled
  • High cost of compliance – including revision and issue of new T&Cs, employee guidance, staff training and increased documentation of all data processing
Right to compensation

Any person who has suffered
damage as a result of an unlawful
processing operation…shall have
the right to receive compensation
from the controller or the
processor
  • Increased burdens on business
  • Processors in the UK will be liable for ex EEA controllers' mistakes
  • Risks creating a claims culture
  • Some mail handling operations will have to close

Hear more from the DMA

Please login to comment.

Comments

Related Articles

A new government brings new legislation, and in the world of marketing, data protection is always on the front line. We dissect the implications of these legislative changes, providing you with insights to navigate this regulatory landscape.

what uk marketers need to know DMA.png

This article is written by MBA Group Ltd.

priscilla-du-preez-tAnrp8P51tY-unsplash.jpg

Companies are re-evaluating their packaging to better serve their disabled customers. This article explores the latest innovations in accessible packaging.

burger package.jpg

Businesses must be ethical in their telemarketing practices to protect customers from unwanted, intrusive, or deceptive calls, ensuring their privacy and well-being are respected. Read how

Depositphotos_718680692_S.jpg