How can brands prepare for changes to the EU data privacy law?
The current data privacy law is set for a major overhaul. The present law allows businesses to send customers communications based on a purchase having been made. But this is set to change, and reports on the negotiations over the EU data law indicate that brands and retailers will face major compliance challenges to continue to use existing and new customer data.
With discussions now entering the final phase, feedback from authority sources on talks by the organisations responsible for the new regulation – the EU Parliament, Council and Commission – indicates agreement has been reached on introducing strict consumer opt-in consent levels.
Consent is now reportedly agreed as having to be: freely given, specific, informed and an explicit indication of a consumer’s wishes. Consent must be given by a statement or clear affirmative action.
The burden of proof to demonstrate consent conditions have been met will be on the brand owner or agency. In a dispute it will not be up to the consumer to prove anything.
Retailers and brand owners will have to ask both existing and new customers for consent to communicate based on an explicit description of both the subject matter and communications format. It means contacting every individual on databases to ask for opt-in permission that matches the new consent criteria.
Full details of the new law, the General Data Protection Regulation (GDPR), will be published in March, and will come into effect two years later. Because negotiations are at such a late stage it is believed there is little opportunity to change the agreed consent terms through lobbying.
Loyalty consultancy agencies and other third parties that handle data on behalf of clients face another major problem. With staff training predicted to be £7,500 per person, and the need for anyone involved in the use of data to be familiar with the complexities of GDPR, the costs will be high.
However, there is an added incentive for agencies to get compliance preparation right. The Information Commissioner's Office (ICO), which enforces data regulation, recently stated that it will target retailers and brands as well as agencies or other third parties if it suspects a data breach by third parties. This means any irregularities that occur within agencies while utilising client data will be considered the responsibility of the client, who will be liable for fines and the resulting publicity.
Agencies may have considered they could make provision for their own mistakes such as through insurance, but if errors cost clients sanctions that can run to eight figures, plus associated coverage in the press, agency reputation will be severely damaged.
The rules on reporting data breaches are likely to be changed to require informing the Information Commissioner's Office of problems within 24 hours, and consumers within 72 hours. The nature of the breach, the number of data subjects, the categories of data and the proposed mitigation will also have to be reported.
Other changes include the need for companies to prepare for members of the public requesting full information held on them. Currently a fee of £10 can be charged, which collectively costs £50 million a year, but Subject Access Requests will be free under the new law, and as this becomes widely known certain sectors, such as finance, should be prepared for requests on a large scale.
The proposed sanctions for breaking the new law include fines of up to one million euros or 2% of company turnover. The degree of punishment will depend on the size of the organisation, the nature and gravity of the breach, whether it was intentional or negligent, the technical and organisational measures in place, previous history, and cooperation in investigating a breach.
Despite some key subject areas of the law still being debated, there are fundamentals that have been established and that brand owners, retailers and agencies can prepare for. They are:
- Refreshing the consent level on databases by contacting individual consumers to seek the higher level of opt-in permission. Without it, data will have to be written off.
- Create a system for registering and storing consent approval from consumers.
- Create a protocol for members of the public to have access to data held on them, and for them to have information on them erased if they request it.
- Create a protocol for reporting and mitigating breaches in data security.
These tasks cannot be planned or implemented quickly. There are no off-the-shelf answers, and aside from technical IT provision there are almost no consultancy services available to provide assistance in preparing for GDPR.
The final details of the new law are due to be published at the end of March next year, and there will be a window of two years to prepare before the legislation comes into force, but for those with large databases time may already be starting to run out.
Dene Walsh is operations and compliance director at Verso Group. Dene Walsh is also a member of the Contact Centre and Telemarketing Council at the Direct Marketing Association.