David Cameron’s Great Euro Address resonated with all of us following with trepidation EU plans for new data protection regulation when he spoke of “a crisis of European competitiveness driven by a self inflicted plague of excessive regulation”.
Make no mistake: if implemented as currently proposed, the new Regulation will have a profound impact on all businesses trading in Europe and their ability to win new business. Most of all, it will have a catastrophic impact on the vibrant media, direct and digital marketing industry, which is flourishing from the increasingly intelligent use of Big Data.
But who is to blame for this self-inflicted plague of excessive regulation?
The obvious targets are the Euro bureaucrats behind the legislation. Their main target, it seems, is to save us from Google, Facebook and the other social service providers who seem to pay so little regard to privacy and whose approach certainly isn’t helping.
But does some of the blame rest with the marketing industry? I include Marketing Services Providers (MSPs), agencies, call centres and other data processors who are working under ever fiercer time and cost pressures – are they paying enough attention to protecting their clients’ valuable data?
At DQM Group we undertake data security and commercial audits on dozens of data processors every year. Despite data management being at the heart of what they do, only a minority have bothered to achieve the international standard for data security, ISO 27001. A quick analysis yesterday by one of our auditors found that, of the twenty leading bureaux, under 50% had qualified for ISO 27001. Amazing.
More amazing is the fact that the marketing professionals within our leading brands are trusting such ‘unqualified’ third parties to manage and look after their precious customer data. It must be ignorance – do they realise that as the Data Controller it is they, rather than the Data Processor, that the law finds liable in the event of a breach?
Is it this, or the low chance of a fine, that explains why they and their Data Processors aren’t bothered about security? In reality, they face little risk of prosecution from our under-funded and public-sector-focused Regulator. Even when presented with a strong case of negligence, as with Sony’s 2011 loss of personal data including credit card details on 73M customers, the ICO levies only a fraction of the maximum permitted fine.
One organisation you can’t blame is our industry body, the Direct Marketing Association (DMA). The DMA is doing a great job lobbying against the proposed new EU Data Protection Regulation. What’s more, in recognition of the need to drive up data processing standards within the marketing industry, the DMA developed a new, more achievable, affordable and faster data security standard: DataSeal. Yet since its launch in 2010 only 16 companies have achieved DataSeal accreditation – and 6 of these already had ISO 27001, so qualified automatically.
At a crucial time when regulation is being reviewed, the number of data breaches, largely from negligence and poor process (rather than dishonesty or poor technical infrastructure), continues apace.
High profile reporting of such data breaches will keep the subject high on the agenda of legislators and help make the case for more rigorous regulation.
What You Should Do Today
Firstly, you really need to understand the impact of the proposed changes to EU Data Regulation. Make sure you book a place at the DMA’s half-day Data Protection Conference on the 8th February 2013. If you can’t make this event, come to the DQM Group & Experian QAS Breakfast Briefing from leading Data Protection lawyers Osborne Clarke on 21st February (go to www.dqmgroup.com/events for more information).
Secondly, if you’re:
Unless we in the industry get our act together and voluntarily raise standards in all aspects of data management, we cannot blame the bureaucrats for removing our opportunity to use data and all the potential it offers for transforming business performance.