The EU’s long awaited General Data Protection Regulation (GDPR) was supposed to have passed into law by now, but European legislators have not yet even agreed on the final text of the bill, let alone how individual cases should be policed.
In the meantime, however, there has been plenty of progress in the European courts on issues such as the ‘right to be forgotten’, requiring search engines to delete results that link to pages with out-of-date or incomplete information on individuals (see box, below).
The UK parliament has also changed the law to make it easier to prosecute direct marketers who bombard consumers with nuisance telephone calls and text messages. Companies can now be fined up to £500,000 and the Information Commissioner’s Officer, which enforces the rules, only has to prove “nuisance, annoyance, inconvenience or anxiety” have been caused, rather than “substantial distress or substantial damage” as before.
Marketers may not know where to begin with preparing themselves for potentially drastic upheavals in data processing, but according to Information Commissioner Christopher Graham, clear new legal principles have already emerged from the courts in spite of the slow pace of EU legislation. Speaking at the Direct Marketing Association’s (DMA) recent data protection conference, he said: “The consistent theme is the greater control of individuals over their data.”
Yet he believes that many UK companies are still not doing enough to meet requirements of data and privacy laws. “A lot of people pay lip service to data protection and privacy policies, just assuming [consumers] will say yes.”
So what exactly should marketers be doing to adapt, when it is not yet clear what will be required of them when the GDPR comes into force, which is now expected to happen in 2017?
According to Andrew Bridges, data governance manager at Aimia, which owns the Nectar loyalty brand, there are basic principles that any brand can build their data policies around, which are likely to be codified in the GDPR but which are already recognised as best practice today.
“Brands need to be transparent with consumers about what they propose to do with the data they collect. Relationships are built on trust so you should record any agreement you have with the customer and also make it easy for them to opt out if they do not agree with the way their data is used.”
She told the DMA conference: “Data protection has gone mainstream. I’m not a compliance person, I’m not a data protection expert, but I do need to know how to use data to do my job properly. I consider data protection to be as big a responsibility for me as I do for our data protection team.”
As a result, she advises businesses to simplify and explain policies clearly so that practitioners, customers and third parties are all on the same page.
“The first thing we learned [from surveying readers] was that data means different things to different people, which may seem obvious but…people interpret data in different ways. One of the things that has come out of this project is that we need to get better at creating one version of the truth.”
GNM’s audience research revealed that 31% don’t want any data collected at all, while 16% are unconcerned by their data being collected and 53% will think about sharing it if they understand why it is wanted and what is going to be done with it.
Despite the growing burden on businesses to demonstrate that they comply with data laws, at the DMA conference Information Commissioner Graham reassured those taking proactive steps to meet existing and future requirements. He distinguished them from “the cowboys” and advised that his preferred approach to legal enforcement is to “keep the big stick in the cupboard for the people who need spanking”.
He argued that “if you’re following good practice you do not have too much to worry about” from the forthcoming EU Regulation. Yet even the ICO will be at the mercy of EU parliamentarians as they continue to debate what penalties companies should face and when – a debate that may not be resolved before the end of this year.
What to watch out for
Brands still have a right to process personal data for the purposes of ‘legitimate interests’ such as advertising, but in future the brand’s interests will be balanced against consumer rights that could include the following.
The ‘right to be forgotten’
The European Court of Justice judged in 2014 that search engine results linking to incomplete or out-of-date personal information must be removed at the person’s request. Meanwhile, the current text of the EU’s General Data Protection Regulation (GDPR) – adopted by the European Parliament last year but still yet to become law – suggests that brands could become responsible for deleting personal data that they hold or have passed to third parties if a consumer withdraws consent for processing it.
Information Commissioner Christopher Graham says: “I want it to be absolutely clear that only marketing that has been specifically requested can be considered solicited. That’s going to become even more important under the [forthcoming] Regulation.” The GDPR as it stands could spell the end of tick-boxes asking consumers to opt out of marketing and data processing – instead they may have to be asked to opt in.
Brands are awaiting clarity on whether profiling, which could include behavioural analysis for the purposes of targeted advertising, will require a consumer’s consent, but the GDPR’s current text suggests this is possible. Aimia data governance manager Andrew Bridges warns: “A move to consent-based profiling could present a profound challenge to advertisers when it comes to implementation.”
The GDPR is likely to offer brands protection in the processing of ‘pseudonymous’ data, where personal identifiers such as names are replaced with a randomly generated ID key. As long as an individual can’t be identified, pseudonymous data processing would be assumed not to affect a consumer’s rights.