Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
February 2014
By 2016, the European Parliament is likely to pass the General Data Protection Regulation (GDPR) into law. This will have a profound effect on the way you can:
• Speak to consumers
• Gather data from them
• Retain and use this data for commercial purposes
Recent news stories about data breaches, data theft, and the abuse of personal data have led to a shift in consumer attitudes towards privacy. Consumers are much more protective of their personal data, and are much less likely to provide it to companies they don’t trust.
The effect of this is that the new regulations will be very much driven by consumers’ needs, with the key implication being that you will need to explicitly ask for permission to use someone’s data for all marketing purposes.
To help companies understand what the impact of the legislation might be, Tangible have created a table which summarises the current and proposed regulations, along with suggestions for future-proofing your approach to data collection.
CONSUMER REQUESTS TO ACCESS DATA

Current Legislation:
Consumers are able to request to see the data that is being held about them, but will be charged for doing so. A standard charge in the industry is usually £10, which mostly acts to deter ‘time-wasting’.

Proposed Legislation:
A consumer can request a copy of the information being held about them. Companies should send the information electronically, in the way most convenient to the consumer, and free of charge.

Action:
Lower the charge for consumers to view information. Begin devising an efficient, cost-effective process for responding to these requests going forward.
CONSENT – FROM OPT OUT TO OPT IN

Current Legislation:
Consumers must be given the option to ‘opt out’ if they do not want their data to be used for marketing purposes. If a consumer hasn’t explicitly opted out, companies are able to assume consent has been given.

Proposed Legislation:
Consumers must be given the option to explicitly ‘opt in’ to their data being captured and processed. If challenged, companies must be able to prove that explicit consent has been gathered. Consumers can withdraw their consent at any time.

Action:
Change wording now to explicitly offer consumers the opportunity to ‘opt in’ to all future communications. Clearly explain the purpose(s) for which their data will be used.
RIGHT TO ERASURE

Current Legislation:
Consumers can request that their data is no longer used for marketing purposes. Upon receipt of such a request, companies are obliged to flag the data as “Do Not Contact” to ensure it is not used for future communications.

Proposed Legislation:
Consumers can request that their data is completely deleted from a database as opposed to being suppressed. A business can dispute the deletion of data if they believe the retention of data is in the business’s interest. Legitimate business interests include Direct Marketing, donation collection, selling related services and B2B marketing. Data must also be deleted if the information is no longer necessary, or if the original purpose for data collection is no longer valid.

Action:
Devise a procedure so that consumers can apply for erasure as quickly as possible. Plan and trial a practice where data can be erased with minimal impact to your database and at minimal cost.
PERMISSION TO UNDERTAKE PROFILING

Current Legislation:
Companies can combine as much data as a subject is willing to allow, building a ‘profile’ of a person, and then segmenting and categorising based on that. Data can include personal information about a subject, such as race, religion, sexuality and health.

Proposed Legislation:
Any information about a consumer processed for profiling is illegal, unless the consumer has given clear and explicit permission that it can happen. Profiling cannot be applied to create what may be considered “sensitive data”, such as beliefs, activities, and health, without permission.

Action:
Make sure that any profiling carried out is done with the explicit permission of the consumer. Test clear and understandable privacy policies that explain why profiling should occur, and the benefits of profiling data.
THIRD PARTIES USING YOUR DATA

Current Legislation:
Third parties can buy data from companies without the consumer knowing who they are. These third parties can then contact them, as long as the consumer has given permission.

Proposed Legislation:
Third parties must be identified to the consumer, and data protection must be secure. Third parties must also inform the consumer of their legitimate interests. If a consumer requests their data to be erased, third parties must do so swiftly and free of charge.

Action:
Construct and carry out due diligence on any third party who may have a business interest in your customers’ data. Test the effectiveness of statements inviting customers to opt in to receiving communication from third parties.
FINES

Current Legislation:
Businesses are subject to the laws of the consumer’s nationality. For example, in January Google was fined €150,000 by the French Data Protection Authority for altering the privacy policies of sixty services, affecting all internet users in France.

Proposed Legislation:
Fines will be dependent on the size of the corporation accountable for the data breach, as well as the extent of the breach itself. When a breach is first identified, the level of punishment escalates as follows:
1) A written warning for a first, or unintended, offence.
2) Regular audits for repeated offenders.
3) A fine of up to €100m, or 5% of annual global turnover (whichever is greater), for a serious breach, or repeated breaches.

Action:
Encourage an atmosphere of “Privacy by design”, which, by default, offers consumers the maximum level of protection available. Look to acquire data in a safe environment, and with explicit and informed consent from the consumer.
ACCOUNTABILITY

Current Legislation:
At their own discretion, companies can choose to employ a Data Protection Officer to ensure that best practice is upheld. Varying privacy policies between states and companies mean that the standard of Data Protection varies.

Proposed Legislation:
Companies that process data in a way which is not completely risk-averse will have to carry out a Data Protection Impact Assessment in order to ensure their procedures are legal. Data Protection Officers, which are a legal necessity for companies with more than 5,000 records, must ensure compliance.

Action:
Train all employees who are involved in processing data to make them aware that they should be practising ‘privacy by design’. Train a designated employee to become a Data Protection Officer, or, in the event of a large number of consumers, employ one specifically. Trial and implement a procedure that will allow for speedy notifications of a data breach, should one happen.
Changing the way we think about data
The EU legislation will not just bring about a practical change to data protection; it will also require a fundamental shift in the way businesses think about acquiring and handling customers’ data.

Consent is key to unlocking the future of data management. Without it, businesses will be forced into a position where their communications, even with the warmest of consumers, will be impersonal and risk irrelevance. This can be avoided if a little more time is taken to gain the trust of the customer, and to provide a genuine value exchange for their data.

Once that data is acquired effectively, and value is given to the customer as well as the business, it is the responsibility of the business to ensure that it is protected to the highest level possible, in order to maintain the trust between a subject and the business.

It would be unwise to wait until the laws come into effect before considering a new approach to permission marketing and data acquisition. The earlier businesses embrace change, the better prepared they will be when the legislation comes into effect, minimising its impact and improving the relationship they have with both existing and potential customers.
For further information please contact Nick Banbury on:
Mobile: 07834 518783
Direct Line: 0131 526 3069
Email: nick.banbury@tangible.uk.com
www.tangible.uk.com
Tangible Data Protection White Paper