Category Archives: EU Data News

EU DPA Regulation – 7 Key Changes


A good balance between business needs and individual rights

Talks on ensuring a high level of data protection across the EU are now complete, and the draft text was agreed on Wednesday 16th December 2015. Marketers are delighted with the “strong compromise” agreed by Parliament and Council negotiators in their last round of talks.

The draft regulation aims to give individuals control over their private data, while also creating clarity and legal certainty for businesses to spur competition in the digital market. Back in September Angela Merkel appealed to the European Parliament to take a business view rather than simply look at the Regulation from a data protection perspective, lest the legislation hold back economic growth in Europe. At the same time she described data as the “raw material” of the future and expressed her belief that it is fundamental to the digital single market.

The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned.

EU DPA Regulation – 7 Key Changes

  1. 4% Fines: The Council had called for fines of up to two percent of global turnover, while the Parliament’s version would have increased that to five percent. In an apparent compromise, the figure has been set at four percent, which for global companies could amount to millions.
  2. Data Protection Officers (DPOs): Companies will have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers. These do not have to be internal or full-time.
  3. Consent: To marketers’ relief, consent will now have to be ‘unambiguous’ rather than the originally proposed ‘explicit’, which provides a more business-friendly approach to the legislation. In essence this means that direct mail and telephone marketing can still be conducted on an opt-out basis. Nonetheless, businesses will be obliged to ensure that consumers give their consent, by a clear and affirmative action, to the use of their data for a specific purpose.
  4. Definition of Personal Data: The definition has been expanded, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  5. Online identifiers: Whether cookies and ISPs are personal data has been the subject of discussion for some months. James Milligan of the DMA has expressed the view that a compromise has been reached: “Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem, which cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data. This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.”
  6. Profiling: Profiling has now been included under the term ‘automated decision making’. Individuals have the right not to be subject to the results of automated decision making, so they can opt out of profiling. It will be necessary to implement tick-boxes or similar mechanisms to secure the data subject’s positive indication of consent to specific processing activities related to profiling.
  7. Parental consent: Member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.


Next Steps

The provisional agreements on the package will be put to a confirmation vote in the Civil Liberties Committee today (Thursday 17 December) at 9.30 in Strasbourg.

If the deal is approved in committee it will then be put to a vote by Parliament as a whole in the new year, after which member states will have two years to transpose the provisions of the directive into their national laws. The regulation, which will apply directly in all member states, will also take effect after two years.

Written by Michelle Evans, Compliance Director at Data Compliant Ltd.

If you would like further advice on how the EU Regulation will affect your business, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk


EU Data Protection Laws – why it’s time to get ready

EU Data Protection – Change is Coming

The new EU data protection law is getting ever closer. The clock is ticking, with major changes on the horizon relating to the way businesses will be allowed to collect, hold, store and use personal data.

New EU Regulation – what will change?

The changes to the law fall into two main areas:

  • Responsibility and Accountability …

    … which will require organisations to demonstrate stringent data governance and robust data protection policies, procedures, processes and training, starting with the Board.

  • Marketing …

    … which will impact consent (which must be obtained fairly, and be unambiguous and explicit), and will impose restrictions around tracking and profiling.

You’ll find more information about the upcoming DPA changes in relation to marketing and accountability in the guest blog I wrote for All Response Media.

When will the new EU Regulation become Law?

This has been the subject of much discussion. Justice and Home Affairs Ministers agreed amendments to the Commission Text in June, and three-way negotiations are now taking place between the EC, Parliament and Justice and Home Affairs Ministers.

It is expected that this process will be completed by December 2015, in which case the Regulation will be passed in Brussels in early 2016, and become UK law in late 2017 / early 2018.

So why do I need to start now?

While it may seem that a couple of years is plenty of time to get ready, failing to react until the big shake-up actually arrives is likely to cause chaos and confusion throughout all areas of your business.

Responsibility and accountability for the new legal requirements around data protection must lie with the Board in order to be embedded throughout all areas of the business – from sales and marketing to IT, HR to Customer Services. With that in mind, and given the huge emphasis on accountability and governance, preparation and planning are essential, and businesses need to start looking at their data governance, compliance and security measures right now.

How can Data Compliant help?

The protection of the personal data your company holds needs to be of paramount importance – it will no longer be acceptable to fall short in terms of accountability or responsibility, or to rely on loopholes in the current legislation. So please get in touch if you would like to discuss the implications of the new legislation, and to understand your obligations around data governance, security and compliance. Have a look at our website, call 01787 277742, or email victoria@datacompliant.co.uk

EU versus Google – £12 million DPA fine

The pressure on Google over European data privacy issues has been ongoing for several years as EU data protection watchdogs attempt to bring the organisation – and other huge US companies – into line with European data protection principles.

The latest threat to Google comes from Holland, where the Dutch DPA has threatened Google with a fine of up to 15M euros for breaking local laws over how it can use user data.  Google has been given until the end of February 2015 to change the way it handles personal data, before the fine is levied.

Online behaviour used to target advertising

So what has Google done wrong?  The issue is over the way Google uses data about people’s online behaviour to tailor advertisements.  Google builds up a profile for every one of its users based on keywords used in searches, email messages, cookies, location data – even video viewing habits.  However, it does not inform its data subjects that it is collecting and using data in this way, and nor does it obtain consent.

Google’s Data Assets

Google’s data is a core asset for the business, and other businesses like it.  One of Google’s key data privacy issues is that the company has merged all its separate privacy policies into one policy which allows Google to share its user data across all its services – for example, Gmail data and search engine data can be used and combined across the company.  In addition, there is no opt-out for the data subject.

From Google’s point of view, its customer profiling is enhanced considerably by this activity – and advertising to targeted customers is Google’s core revenue stream. Google also uses customer data to drive new products such as Google Now (an appointment-based app giving details of how to get to your appointment, where it is, what the traffic conditions are and what time to leave) – a great concept, but one that would be useless without Google’s ability to collect and use data from its users.

It has been clear for some time that the EU is determined to take on the challenge of the giant UK search engines and social media platforms, and curb the way they use data.  Because Google has such a vast share of the market, it, in particular, regularly comes under fire from the EU.

Google Privacy Policy – Fairness and Transparency

The requirement for additional permissions or opt-outs may be more problematic than helpful for Google customers.  But fairness and transparency is an issue that Google could address relatively simply – as a minimum the customer should be informed about the data Google is collecting about him or her, why it is being collected and how it is being used. And a little bit of creativity in the wording would serve to illustrate the benefits to the customer.

The single privacy policy makes such transparency difficult.  So perhaps the simplest solution is to re-establish separate privacy policies for each of its business areas.  That might at least serve to reassure not only the EU, but also the US data protection authorities who have also expressed concerns over Google’s single privacy policy.

Your thoughts and views are always welcome – please add your comments below.  If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


EU Data Protection Regulation – Getting closer?

The EU Regulation is designed to replace the current multiplicity of EU data protection laws with a single set of rules to be applied throughout all Member States. Time is moving on so it’s important to keep on top of the discussions and updates being published.

Last month’s proposed revisions to Chapter IV (which deals with data controller and data processor obligations) are summarised below.  However, it is worth remembering that “nothing is agreed until everything is agreed” in relation to the Regulation.

Greater discretion for data controllers – risk-based compliance

Businesses will be relieved to see greater discretion for data controllers in complying with the legislation as recent Chapter IV discussions in Europe have moved towards a risk-based approach to compliance.

A balance between privacy and entrepreneurship

The proposed amendments to Chapter IV suggest that data compliance obligations should be proportional to the organisation’s specific data processing activity and associated risks.

Once these activities and risks have been assessed, appropriate privacy and data protection tools should be instigated by the organisation.

Different activities, even where the same data is involved, may quite often have different consequences, requiring different levels of protection. The risk-based approach allows data controllers a more flexible approach in assessing their data compliance responsibilities within the context of their own particular business.

It appears that most countries welcome the risk-based approach, which they view as providing a good balance between protecting personal data and safeguarding businesses and entrepreneurship.

Chapter IV Proposed Revisions

Below are some examples of the revisions proposed by the EU Council:

  • Data protection impact assessments are only required where “high” risk (for example identity theft, fraud or financial loss) to the rights and freedoms of individuals is involved.
  • The appointment of Data Protection Officers is voluntary (unless individual Member State legislation states otherwise).
  • Only data breaches that are likely to result in “high risk for rights and freedoms of individuals” need be reported.
  • If stolen or breached data is encrypted or protected in such a way that the data remains indecipherable, there is no requirement to report the breach.
  • Required levels of security measures will be established by considering multiple factors, including the nature, scope, context and purpose of the data processing to be undertaken, in combination with the cost of implementation and the technology available.
  • The supervisory data protection authority need only be consulted before processing starts where a data privacy impact assessment indicates that the processing would result in “high risk” to the rights and freedoms of individuals.

There is also a suggestion that data controllers may use “adherence of the processor to an approved code of conduct or an approved certification mechanism” to demonstrate compliance with the obligations of a controller.  So organisations may find it well worth considering selecting only those data processors who have appropriate data security certification such as ISO 27001 or DMA DataSeal.

If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


More delays to the European Data Protection Regulation?

It is becoming increasingly difficult to say when the European Data Protection Regulation will come into force. The legislation is currently at the point where three-way negotiations need to take place between the Justice and Home Affairs Ministers, the European Commission and the European Parliament to finalise the text. It was broadly anticipated that the draft EU Data Protection Regulation would be passed later this year, making it law in the UK by 2016.

However, the recent European elections and the new parties now represented in the European Parliament may impact the timescale for the passing of the Regulation and delay it even until early 2015, in which case it would become UK law in 2017. The new Parliament now needs to elect the MEPs to take part in the three-way negotiations, and reappoint members to its various committees etc. to reflect the changes in party strength.

One of the interesting issues is that Viviane Reding has just been elected as an MEP. In her role as Justice Commissioner, she has been an extraordinary force for the development and implementation of the DP Regulation. But as an MEP she will need to step down from her current role, and there is no guarantee that the new Justice Commissioner will be as driven in terms of getting the legislation passed.

So it is somewhere between difficult and impossible to determine when the European Data Protection Regulation will come into force in the UK, but it is increasingly unlikely to be before early 2017.

What has been clear since March, however, is that the legislation is coming, and businesses will benefit from being ready for the changes that it will bring.  If you’d like any help assessing your readiness for the upcoming legislation, please contact Data Compliant on 01787 277742

EU Parliament votes in favour of Data Protection amendments …


The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee.  An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).

What does that mean to UK businesses?

Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.

However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.

The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.

Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blogs.

BUSINESS ADVANTAGES

While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.

A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws.  According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.

One-stop-shop – under current legislation, a business is subject to the national data protection authority in each and every country in which it operates. The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.

While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country.  The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction.  This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.

Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within.  Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field.  In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.

BUSINESS DISADVANTAGES

However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:

Right to erasure – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but it must pass that request on to other businesses where the data is replicated. This amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines. However, the right to erasure does not apply where there is a legitimate reason to keep data within a database. And the right to erasure may not encroach on the freedom of expression and information of the media.

Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data.  Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.

However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”.  The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data.  If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.

This is likely to have a significant impact on businesses – research from fast.map shows that just 30% of consumers today are likely to opt in, compared to 51% choosing not to opt out. Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided. It is also noteworthy that, from the same research, currently 40% of people state they will provide information in return for something they perceive to be of value. Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.

Profiling – the use of profiling is widespread among UK businesses and direct marketers. The EU regulations state that data subjects are required to be provided with a clear explanation of any profiling. There is even provision to ban profiling entirely in those circumstances where profiling affects fundamental rights or causes potentially discriminatory results (on grounds such as race, religion etc.). The impact of this on financial services organisations or those who use credit checking is likely to be inconvenient at best.

Data Protection Officers – The LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data in relation to more than 5,000 data subjects within any 12-month period. And even where an organisation processes under 5,000 individual records but those records include sensitive personal information such as children’s personal information, then they too must also appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.

Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue.  Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.

Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape.  Although the new legislation is not expected to be in place before 2016, and it may possibly lapse to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.

If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.

Delays to the EU Data Protection Regulation …

There has been little progress on the draft EU Data Protection Regulation since October. However, the Greek Government took over the Presidency of the Council of the European Union in January 2014, so it is now up to them to progress this legislation.

It is clear that delays are inevitable. Even if the draft is agreed at the Justice and Home Affairs Ministers Council meeting in June, the process then continues with three-party negotiations between Justice and Home Affairs Ministers, the European Commission and the European Parliament.

That process is unlikely to start before the autumn, which would mean that the EU Regulation must be delayed until the end of this year or, more likely, until early 2015.  This will delay the law coming into force until the end of 2016 at the earliest, and more likely in 2017.

Three aspects of the new legislation that we have not covered in previous blogs are:

  • International Data Transfers: this is a new certification programme which will allow data controllers and processors to apply for certification under the European Data Protection Seal. The certificate will be gained through an audit of data processing activity, with certification granted by data protection authorities or accredited third parties. The European Data Protection Seal will enable legitimate transfers of data outside the EEA to recipients who also hold a Seal.

  • Data Protection Officers: though still in the draft stage, it is clear that firms will be encouraged or required to appoint data protection officers (DPOs) to ensure an organisation uses, controls and processes data compliantly, nationally and / or globally. There are 500 million citizens within Europe, and currently, a DPO is to be appointed if an organisation processes data on more than 5,000 individuals per annum.

  • One Stop Shop continues to be a subject of fierce debate. It is significantly different from current legislation, where a business is always subject to the data protection authority in each and every country in which it operates. Under the new One Stop Shop rule, a business which operates in several of the EU Member States would only be subject to the national data protection authority in the country where its Head Office is based.

The debate relates to citizens’ human rights – any data protection complaint made against a company whose head office location is in a different country, will mean that individuals must complain to their own national data protection authority, who will then pass it onto the authority in the relevant country.  This complexity will make it difficult for individuals to complain simply and effectively, and argument rages over whether and to what extent this might undermine human rights.

If you are concerned about how the new European legislation might affect you or your business, don’t hesitate to get in touch with Victoria or Michelle on 01787 277742. Or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk

Data Compliance October Round-up

What’s happening in Europe … and beyond?

Update 28.10.13

The new date for implementation of the proposed new data protection regulation (DPR) has been pushed back to “by 2015”, thanks in part to David Cameron’s efforts to protect the interests of UK business. Germany was also supportive, though Merkel’s reasoning was slightly different: “… to ensure that it can reconcile the existing rights of its citizens.”

23.10.13

On 21st October, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation.  Still a long way from being complete, but the latest from Europe is:

1. Pseudonymous data now has its own definition – currently “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.

2. Data Protection Officers: a data controller or processor must appoint a Data Protection Officer when processing personal data in relation to over 5,000 data subjects in any consecutive 12-month period. Also where the core processing activities relate to processing location data, children’s data, sensitive personal data, or employees in large scale filing systems.

3. A new concept has been introduced – a European Data Protection Seal – a certification process which allows international data transfers outside the EEA to recipients that also hold a Seal.

4. Right to erasure: the right of data subjects to have their personal data erased if requested is still in the draft (originally “right to be forgotten”). And it’s been strengthened – if the data subject asks a controller to erase his data, the company should also forward the request to others where the data is replicated.

Pulling NSA’s teeth …

The Compromise text had some other changes, including new data protection rules designed to curb America’s spying activities. The intention is to make US secret court orders powerless, and to force companies based outside the EU, like Google and Facebook, to comply with European data protection laws if they operate in Europe. Powers to levy fines running into billions of Euros are being made available to discourage violation of the new rules.

For example, if a third country’s court, tribunal or other administrative authority requests a company (such as a social network or cloud provider) to disclose personal data processed in the EU, that company must notify the data protection authority and obtain their authorisation before any such data transfer can be made.

This step is largely due to Edward Snowden’s information about the American companies, platforms and social networking sites which have been forced to share substantial volumes of EU citizens’ personal online data (from emails and phone calls to video chats and web searches) with the National Security Agency (the US intelligence organisation which collects, monitors, decodes, translates and analyses foreign intelligence and counterintelligence information and data).

The third country issue has been ongoing since January 2012, when the proposed reform to the law was dropped after intense US lobbying. It now seems clear that the EU has had enough, particularly since the revelations that the NSA systems collected – in the single month from February 8th to March 8th – 24.8 billion telephone data records and 97.1 billion computer data records from across the globe, including the UK, Germany and France.

In addition the French are aggrieved that, from December 2012 to January 2013, the NSA were reported to have made 70.3 million recordings of French individuals’ telephone data.

While the NSA is known to collect and store all phone records of all American citizens, their profligate global approach to privacy is clearly unacceptable, and Europe has taken steps to limit their – and other agencies and countries’ – powers.

So now it’s just the simple matter of balancing the need to combat terrorism versus people’s protection of the rights to privacy.  Which makes it hardly surprising that this legislation is taking so long with a record-breaking 4,000 amendments so far.  It is thought that there is a less than 50% chance of the new regulations going through in the time-frame, though final legislation is still anticipated before the European elections in May 2014.

India’s Draft Privacy Protection Bill

The issue of data protection in India has arisen for a number of reasons – not least, Europe’s concerns given the sheer volume of personal data that is transferred to India.  Also, within India itself, there is concern among Indian citizens in relation to the combination of the use of personal identifiers (including biometric data) and extensive individual profiles.

India has been holding a set of roundtable talks since April 2013, with the goal of generating recommendations for a privacy regulatory framework.  The last of those talks was held on October 19th between the Center for Internet and Society, the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. Christopher Graham, the UK Information Commissioner, was among the speakers.

We’ll send more updates as they come through – in the meantime, if you have any concerns over how these or the existing DPA and PECR regulations might affect your business, don’t hesitate to contact us.

Victoria Tuffill
01787 277742
victoria@tuffillverner.co.uk
Michelle Evans
01206 392909
michelle@tuffillverner.co.uk

Data … big data? Or back to the Dark Ages

Back in the 80s, there was this thing called “junk mail”.  And it was so called because it involved blanket mailing a mass market with little or no targeting. In other words, the message was irrelevant to a huge proportion of the recipients, so just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling.  And the direct mail messages became more appropriate, relevant, cost effective, and considerably less irritating to the consumer.  A classic case of less being more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests.  Letters that said (something along the lines of)

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes …

The letter, including that simple piece of “personal” text, was enclosed in a small envelope with a minuscule brochure and mailed out.  It achieved over three times the response of the standard pre-printed control direct mail letter, which was mailed in a large envelope with an enormous, heavy, expensive brochure.

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings.  Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy, which has not been helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data.  (Some of the breaches committed by government departments would, if committed by the data industry, have caused severe punitive measures.  Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

  1. Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action.  In practice this means that where consent is required, organisations must ask for permission to process data.  Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls.  Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.
  2. The customer has the “right to be forgotten” – i.e. they can insist that their details are removed from a database in their entirety.  This is entirely impractical.  Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished.  So in practice, the “right to be forgotten” should trigger the inclusion of that customer into a “suppression” or “do not mail” file so that there is no inappropriate future contact.
  3. Profiling or segmentation may not take place without consent.  This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.
  4. List broking is likely to require significant changes to comply with new legislation.
  5. The definition of personal data has been extended to include, potentially, IP addresses and some cookies.  Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity.  The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.
  6. Cost:  DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales.  These costs come, in part, from:
  • Companies with 250 or more employees will need to appoint a data protection officer
  • Under current legislation, subject access requests can be charged at £10 each.  Under the proposed new legislation, this charge is to be eliminated.  In addition to the lost revenue from existing volumes of requests, this is likely to increase the number of requests, both frivolous and serious.
  • Every organisation that suffers a data security breach would have to notify the Information Commissioner within 24 hours
  • Right to compensation from the controller or the processor in the event of processing activity causing damage to a person
  • Increased fines / sanctions to be imposed
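As an added illustration of the suppression-file approach in point 2 above (example code, not from the original post): a deletion request removes the record but keeps only a keyed hash of the normalised address, so the same person is still blocked when a rented list or a new purchase brings them back. The key, function names and sample addresses are constructed for the example.

```python
"""Suppression-file handling for "right to be forgotten" requests (added example,
not from the original post). Assumes a customer record keyed by e-mail address;
the suppression file stores only a keyed hash of the normalised address so the
deleted personal data is not itself retained."""
import hashlib
import hmac

# Constructed secret; in practice loaded from a key store, never hard-coded.
SUPPRESSION_KEY = b"constructed-demo-key"

def normalise_email(email: str) -> str:
    """Lower-case and strip whitespace so 'Mrs.Bloggs@Example.com ' matches later."""
    return email.strip().lower()

def suppression_token(email: str) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised address: lets future imports be
    checked without keeping the address in clear after deletion."""
    return hmac.new(SUPPRESSION_KEY, normalise_email(email).encode(), hashlib.sha256).hexdigest()

def forget_customer(database: dict, suppression: set, email: str) -> bool:
    """Handle a deletion request: remove the record AND record the suppression token,
    so the request survives a later re-import of the same person."""
    key = normalise_email(email)
    removed = database.pop(key, None) is not None
    suppression.add(suppression_token(key))
    return removed

def import_list(database: dict, suppression: set, incoming: list) -> list:
    """Merge a rented or newly purchased list, skipping suppressed people.
    Returns the normalised addresses that were blocked, for audit."""
    blocked = []
    for record in incoming:
        key = normalise_email(record["email"])
        if suppression_token(key) in suppression:
            blocked.append(key)
            continue
        database[key] = record
    return blocked

if __name__ == "__main__":
    db = {"mrs.bloggs@example.com": {"email": "mrs.bloggs@example.com", "interest": "wild places"}}
    suppressed = set()
    forget_customer(db, suppressed, "Mrs.Bloggs@Example.com")
    # Constructed rented list containing the same person plus a new prospect.
    rented = [{"email": "MRS.BLOGGS@example.com"}, {"email": "new.prospect@example.com"}]
    print(import_list(db, suppressed, rented))  # → ['mrs.bloggs@example.com']
```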

On the face of it, the picture looks pretty bleak.  But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now.  There is a wealth of detailed, excellent information to be found at the DMA (UK) Ltd.  So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are.  We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please just “reply” below. Victoria Tuffill – victoria@tuffillverner.co.uk, 01787 277742 or 07967 148398.  Feel free to visit our website.  And yes, we’re on LinkedIn and Twitter.