Protecting the consumer is at the heart of the new data protection regulations proposed by Brussels. Christine Andrews, managing director of DQM Group, wonders whether they could prove to be a significant challenge to existing data management practices.
By the time this publication lands, many of you will already have studied in detail the implications of the proposed revisions to the Data Protection Directive and will have considered how your company needs to react. Right? Well, probably not, if my straw poll of companies both inside and outside the Direct Marketing Association is any indication.
If you are one of those, examining some of the possible outcomes outlined here will at least let you consider the ramifications for your company. With the proviso that there is still a way to go before this becomes law, here is a brief resumé of what to expect.
Firstly, the new legislation will take the form of a Regulation, rather than a Directive. This means that, once approved, it will apply directly and on a harmonised basis throughout all 27 Member States of the European Union, without needing to be transposed into national law. So, in simple terms, it will become law as written. There is little or no opportunity for the UK to apply its own interpretation.
On the plus side, any company operating across multiple Member States should welcome this aspect of the Legislation, given the current discrepancies between Member States' interpretations of the existing data protection laws. On the negative side, penalties for serious violations could be as much as €1 million or 2 per cent of annual global turnover.
Secondly, a more rigorous opt-in regime for all forms of direct marketing is proposed. The Regulation would prohibit any use of personal data for commercial direct marketing purposes without explicit consent given by “clear statement or affirmative action”. Yes, you read that right. As under legislation that has been operating in Germany for some time now, you will only be able to communicate with individuals who have opted in to receive communications from you.
Such a limitation would obviously have a serious effect on the ability of businesses to market their products and services to existing customers and new prospects, and it is not an aspect of the new legislation that the DMA and others would support. In terms of the impact, if this becomes law, you will need to review all the permissions you currently hold on your various databases and communicate with individuals to obtain an explicit opt-in.
This will no doubt reduce the size of your customer and prospect pools considerably and, in addition, will mean that offers to existing customers come under the same scrutiny. Details of opted-out individuals (unless they are customers for specific transactions) will need to be removed.
Furthermore, the so-called “Transparency Principle” is likely to require data controllers to notify consumers of the source of their personal information. In the online world, this would mean explaining how behavioural advertising works. On the plus side, this could give consumers more information about how the industry works, but it may also increase the number of customers opting out.
New data rights for consumers
Data subjects are firmly at the heart of this new legislation, with the introduction of a new “right to be forgotten”: a right for individuals to have their data deleted when it is no longer needed for legitimate purposes, including suppression. This would present a substantial practical challenge. The provision is not limited to online services; it would apply to all businesses. No doubt many would argue that forcing sites like Facebook to withdraw certain undesirable images on request is a good idea. However, this aspect of the legislation may have significant adverse consequences for the DM industry.
The data subject’s right to data portability is also introduced: in other words, the right to transfer data from one automated processing system into another without being prevented from doing so by the data controller. It includes the right to obtain from the data controller a copy of the data held on the subject in a commonly used format.
There are additional requirements for a valid consent. The Regulation would not only require businesses to request consent in situations where it is not currently required, but would also increase the burden of obtaining and documenting that consent. Currently, direct mail does not require an opt-in, although email already does. Thought, as well as budget, will need to be given to ensuring that communication by mail has this permission.
Furthermore, the legislation contains a requirement to obtain the consumer’s consent again when data collected for one purpose is to be used for a different one. The controller bears the burden of proving that data subjects have given their consent to the processing of their personal data for the specified purposes. Good luck with that, marketers!
In addition, the Regulation increases protection for individuals under 18, whether or not the transaction is within the minor’s financial means and decision-making abilities. Given the lack of reliable age verification systems, it could also present risks for businesses that accidentally target this age group.
On 24 hours’ notice
As regards data security, the Regulation introduces an obligation to notify personal data breaches. In the case of a breach of security, a data controller (you) will be required to inform the ICO without undue delay and, where feasible, not later than 24 hours after becoming aware of the breach. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject”, the data controller (you again) will be required to notify the affected data subjects as well, without undue delay after notifying the ICO.
So if you haven’t already written a policy for your company covering what to do in the event of a breach, then get typing and communicating now. Make sure you are clear about how you would run the communication process in this short timescale, including who decides, and on what evidence, whether the breach is likely to affect data subjects. Bear in mind that the clock starts when you become aware of the breach, not when you finish investigating it.
Profiling would be limited where it could have a significant effect on the individual, be it on performance at work, creditworthiness, financial situation, location, health, personal preferences, reliability or behaviour. In many cases, the individual’s consent would be required to carry out such profiling. But who will judge what constitutes behaviour in this context? This would limit the ability to use scoring or measurement tools. For many marketers, profiling is a widely used activity and, I would argue, a legitimate one that benefits consumers.
A further impact on profiling: with IP addresses classified as personal data, web analytics as currently practised would fall within the Regulation’s scope and may no longer be available to companies in its present form.
New operations required by law
Still with me and not fallen off your chair yet? Well, if you haven’t got one already, Articles 32 to 34 require the appointment of a Data Protection Officer in the public sector and, in the private sector, for large enterprises or (and this is important) where the core activities of the controller consist of processing operations that require regular and systematic monitoring of data subjects. Helpfully, Articles 33 and 34 define the role, responsibilities and core tasks your newly appointed Data Protection Officer needs to undertake. I’m guessing that if you’ve read this far in the article, this may be an area where you can actually put a tick in the box.
Greater limitations on data transfers outside the EU will make it more difficult for companies to operate globally and to use service providers outside the EU. The increased level of protection under the Regulation could make it difficult to provide adequate safeguards. Additionally, the Regulation aims for an extraterritorial reach, which would affect any business in the world targeting EU citizens. The Regulation also includes a ban on data transfers based on third-country court decisions or administrative orders, which could lead to conflicting obligations for global organisations.
So if, like many, you hadn’t really studied the impact of this new legislation, now is probably a good time to set up a team within your organisation to do so. Once passed by the European Parliament, the Regulation is likely to come into effect in the early part of 2014.
Of course, just because this Legislation is being proposed doesn’t mean all of it will become law. But for several months now, Viviane Reding, the vice-president of the EU Commission, and other representatives of the EU have provided numerous descriptions of their vision of the new regime. It will undoubtedly increase the rights of individuals, which is a good thing, and will harmonise the rules across Member States, making cross-border legal issues more straightforward.
However, it may also be bad news for consumers, as the legislation will make it more difficult for companies to target appropriate offers, an aspect of direct marketing that consumers say they like. In addition, it is likely to increase the volume of untargeted, depersonalised mail as companies run scared of the law. This would surely be a step back to the dark ages of direct mail and could result in a proliferation of inserts and junk mail, which is neither green nor clever.
Maybe the outcome won’t be as dramatic as I have painted. The DMA is doing its part to represent the interests of the industry, having responded to the three European Commission public consultations, UK Ministry of Justice consultations, and participated in stakeholder meetings in Brussels. Working with FEDMA, the European trade body, it has played a full part in lobbying the Commission on the UK direct marketing industry’s behalf and will continue to do so.
But be warned - none of us really acted quickly and vociferously enough when the Cookie law was being drafted and, in the (paraphrased) words of the ICO last year, “the time for lobbying has gone, you are now required to comply”. If the level of panic that is now being witnessed by those with non-compliant web sites is anything to go by, then the introduction of this new Legislation is likely to have a similar effect.
The DMA intends to lead an industry-backed campaign to ensure the European Union institutions consider the needs of the industry when shaping the Regulation, and we can all play our part in helping them quantify the possible impacts on our businesses if this Legislation comes in. Even if you’re not a member of the DMA (and many who read this publication won’t be), your views are still important, and I’d urge you to make them known to Caroline Roberts, the DMA’s director of legal and public affairs. She chairs FEDMA’s Legal Affairs Committee, which will be co-ordinating the pan-European, industry-wide response to the proposed revisions to the Directive.
My advice would be to conduct a fact-find within your organisation to assess your current exposure, now that the proposal is formally published. Legal advice is clearly essential, but there are also a number of marketing and database practicalities and action plans that will be required. Two years may sound like a long time to implement changes, but in reality, if IT and system changes are required, it’s a relatively short window. We are working with many companies who are making contingency plans now.
So, if ever there was a time when your country needed you to lobby for some leniency in some of these measures, that time is now!