Is your business prepared if the European Data Protection Regulation gets passed into law? Whatever its final shape, assessing the impact it would have on your processes and revenues now makes sense. Christine Andrews of DQM Group reviews a new survey into the state of readiness across UK plc.
Imagine it is 2014. Europe’s Parliament has voted in favour of the Data Protection Regulation and it has been passed into law. The new rules uphold Commissioner Viviane Reding’s original view - that consumers have a right to privacy, that they should have access to the information companies hold on them, that they must have given their consent before being contacted, and that they have the right to demand that their data is removed.
In the UK, the Information Commissioner, despite not having adequate resources, has given businesses 12 months to comply. So, do you feel ready? Two years out from this scenario, do you understand how the changes would affect you and your relationship with customers?
To find out, DQM Group conducted an online survey of over 250 companies, spread evenly across all sizes of business, from the public and private sector. A range of practitioners responded, from functions as diverse as CTOs and CMOs to compliance, security and CRM managers. The survey asked about the various articles proposed in the legislation to build a comprehensive picture of the preparedness of UK businesses and the potential impact some of its proposals might have.
One of the biggest challenges created is the requirement for organisations to obtain explicit consent from consumers by “clear statement or affirmative action” before using their data for marketing purposes. Gone will be the days when implied consent was enough. While this does not necessarily mean customers having to tick opt-in boxes, an organisation will no longer be able to take for granted that a consumer has consented to receive marketing information, even where there have been previous interactions or the consumer is an existing customer.
According to the survey, this may prove less of an issue than the industry has previously supposed. A considerable 84% of respondents said they always made sure they had an individual’s consent to use their data and an impressive 85.6% said they explained why they were collecting data and what it would be used for. (It is worth noting that this reflects current consent standards, including implied consent, and also that roughly 15% appear not to be in compliance with the existing Data Protection Directive.)
In addition, practitioners are clearly thinking ahead in terms of providing permission audit trails - 54.8% are already keeping records of when consent was provided, something Royal Mail, for example, has embraced with its Single Permission View for Change of Address information.
Consumers already have the right to view and correct the information companies hold about them under the provisions for a Subject Access Request (SAR). Organisations are clearly becoming more compliant with the need to respond to SARs: 50% have a defined written process; a further 21% say they have a process, although it is not written down; and an impressive 73.5% say they would be able to comply with a request within 20 working days of receipt.
However, this still left 16.5% saying they lacked any process at all, and a number of companies acknowledged it would take longer than 20 days to comply. What remains to be tested is the full impact of the proposed removal of the £10 fee companies can currently charge for SARs. The Ministry of Justice has estimated that UK businesses already spend £50 million a year fulfilling these requests - respondents expect that charging no fee would open the floodgates to requests, with a further unbudgeted impact on the UK economy.
A right to be forgotten - but how?
The thorny area of data retention is a real cause for concern. Only one quarter of organisations say they have explained to consumers and prospects how long their data will be retained for. Equally worrying is the fact that over a third of organisations never delete data or don’t know if they delete data.
Following the potential deluge of SARs, consumers could be very surprised to find out what information - some of it probably out of date - is held about them. This is particularly an issue for sectors that retain data over very long lifetimes, even literal lifetimes in the case of charities that retain data for legacy purposes.
The new regulation proposes to give individuals the right to be forgotten - in other words, a company will need to delete any personal information it holds on them. This aspect of the regulation has clearly been designed with social media networks in mind and there is considerable merit in this right. However, the requirement has consequences far beyond this. Those who responded to our survey were clearly concerned about the impact of its intended scope and the ability to enforce it.
Comments in the survey ranged from “major impact” to “this would be extremely demanding on resources” and “impossible”. Furthermore, the new regulation would mean that anyone who passes data to a third party would not only have to delete the information themselves, but would also have to ensure that those third parties do. For list brokers and resellers this is a pretty major, if not impossible, ask!
Another area where the impact of the regulation would be significant is the requirement to employ a Data Protection Officer (DPO) if the business has over 250 employees or if a significant amount of its revenue is derived from data processing (for example, database bureaux). This proposal seems highly likely to make it into the final regulation.
Most respondents said they either already had a DPO or could promote someone, although interestingly nearly 30% said they’d need to find one or thought it would be difficult to recruit one. The relevant skill sets may prove to be scarce, so consider what needs to be done right now in order to hold onto these key staff.
The thorny bit here is that the DPO must report directly to management, must be suitably skilled and must have no other role that could conflict with their duties. Allocating this responsibility to someone “who could step in” will be very hard in practice.
Once more into the breaches
Data breaches would need to be reported to the ICO within 24 hours according to the proposals. In addition, if the breach is “likely to affect the protection of the personal data or the privacy of the data subject”, the data controller will be required to notify the data subject within 24 hours.
This clearly needs some more strategic thinking by UK organisations as only 35% said they would be able to notify within 24 hours, with most saying they would take considerably longer. Many companies commented that this was “a daunting prospect”, with “24 hours not being a very long time as it assumes full knowledge of what data is currently held where.”
Many companies are clearly playing a dangerous game - 55% said they wouldn’t notify the ICO at all, unless the breach was made public. Even more alarming was the fact that 11% of respondents said they would not know how to identify a breach. A small number of companies (19%) had a written data breach plan and could notify individuals and another 19% said they had a plan, but it wasn’t documented.
Does that even constitute a plan? Rather a lot intend to muddle through or simply haven’t considered the requirement to notify those affected by a data breach. A budget to support data breach notification was absent in 65% of companies - it can only be assumed that this means relying on internal resources or finding budget in the event that something happens.
If data portability remains within the statute then many companies are certainly not prepared. This would mean making the information held on a data subject available to them in a commonly used, electronic, transferable format. Only a quarter said they would be able to support such a request, with the rest being unwilling or unable to help. So this aspect of the legislation looks like it could present considerable challenges for practitioners.
Where does all this leave UK businesses? While it is to be hoped that some of the more extreme aspects of the regulation do not come about, companies cannot just bury their heads in the sand and hope it is not going to happen, as many did with the Cookies Law. Much of what is proposed will pass into law. Companies need to develop a strategy now to prepare for these eventualities. They need to stay apprised of what changes are being lobbied for, mindful of the fact that the European Commission, while seeking industry views, has a very clear direction in mind.
My advice would be to review honestly how well equipped your organisation is. Ask yourself the questions we asked the 250 companies in our survey and see how you measure up. And good luck!
(The author would like to thank the DMA and members of the DMA Future Proofing Committee for their help in writing this article.)