We all love a bit of legislation, especially when it’s contained in a 204 page directive from the EU. In the spirit of customer service, here’s a summary of the reforms to save you endless nights of tedious bedtime reading. We aim to please.
The 1985 Data Protection Act Directive and the 1998 Data Protection Act
Just to bring us up to speed. In the latter part of the 20th century it became apparent that most companies and organisations – individuals too – were storing and processing personal information on computers. While this has many advantages as far as speed and efficiency goes, it leaves us vulnerable because this data may be accessed by others without our knowledge or permission. Unscrupulous people could misuse it – use it for commercial advantage, identity theft for criminal purposes or sell it on to a third party for financial gain.
The 1985 Data Protection Directive was created to control the way such information is handled and to give some legal rights to people who have information stored about them. It was implemented into UK law by the 1998 Data Protection Act. The problem with the 1995 Data Protection Directive was that each Member State could implement it into their own national law in a slightly different way so each Member State had their own set of rules and since people often have data stored in many countries, as they say, things got complicated…
So now the 2016 EU Legislation
Designed to establish one set of rules across Europe, with a European Data Protection Board to ensure a common interpretation across all the national data protection authorities, it should make it more straightforward for everyone to do business outside their home country. It heralds the arrival of an era of renewed accountability and transparency, which can only be applauded.
It consists of two parts:
The General Data Protection Regulation (GDPR) – allowing individuals to have more control over their personal data, reducing regulation and enhancing trust so everyone can make the most of the opportunities afforded by the Digital Single Market.
The Criminal Justice Directive – concerned with Europe-wide cooperation with criminal investigations and law enforcement, leading to more effective anti-crime and anti-terrorism.
Political agreement on the test has been reached; it will become law very shortly; enforcement will start in 2018. It’s something for which you must prepare because penalties for breaches will be HUGE – figures flying about are fines of €20 million or 4% of a business’s global gross revenue. Ouch!
What it means for you – in a nutshell
N.B. This is not comprehensive. It covers the aspects that we consider have most bearing on the direct marketing aspect of your business.
• The definition of personal data – any information which allows anyone to identify a person, so aside from the obvious name, address andn ID numbers, this now includes such things as cookies and IP addresses if they lead back to a person.
• Consent – agreeing to data collection and use doesn’t need to be explicit but it must be unambiguous – a subtle distinction? It must be clear why you require the data. Your privacy notices and policies must be tip-top, accessible and transparent. Consent must be acquired by a “clear affirmative action.” No action, silence and use of pre-ticked boxes will not count as consent. Withdrawing consent should be just as easy as giving it.
• Profiling – that’s to say, using the data to determine particular criteria about individuals – like personal preferences or location. This is an important tool in DM. It looks as though consent must have been obtained in the first instance.
• Legitimate Interest – use of data for DM is considered to be legitimate (phew!) – that is, unless what you intend to do breaches the fundamentals human rights and freedoms of the subject, particularly in the case of children.
• Data Protection Officer – it will be mandatory to appoint one if your organisation is engaged in regular and systematic monitoring of data subjects on a large scale or processing sensitive personal data. We will have to find out what this means from the guidance which will be issued in the next two years. At one point in the discussions, this ruling was only applicable to companies with more than 250 employees, now it’s any organisation which meets the above criteria. The appointed person must know about data protection law and practices to a level suitable for the role within a particular company. Even if your organisation does not have to appoint one compulsorily, it may decide to appoint one anyway.
• Privacy Risk Impact Assessments – data controllers must take robust precautions before embarking on higher-risk data-processing activities to minimise the risk to their data subjects. This might include encryption, establishing resilient systems and regular evaluation to ensure security is fit for purpose.
• Notification of breaches – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” If the breach is going to impact on the rights and freedoms of individuals then ‘the appropriate supervisory authority’ must be notified within 72 hours, and the data subjects must be told, ‘without undue delay.’ Data processors and must inform data controllers are both obliged to notify
• Liability of data processors – data processors will have direct obligations under the Regulation and will not be able to hide behind data controllers.
Have you lost the will to live now? Our apologies. The trouble is, it IS something we all have to grasp before it’s too late. These are regulations we will be implementing at Mailing Expert – for YOUR protection as well as ours.
Deep breaths, everyone!