The EU Data Protection Regulation: changing how you hold and process customer data

Kiran Kapur

The aim of the Regulation is to harmonise the current data protection laws across the EU member states. Businesses which are based outside the EU but target EU citizens will also be affected (such as US-based companies). It would appear that the current situation is “monitor” but don’t panic. Originally due to come in mid-way through 2014, the rules will not now come into place until 2015 at the earliest.

There is a hype cycle around changes to legislation, particularly anything that affects businesses. The draft legislation is announced; experts and vested interests start scare stories; everyone panics. There is then a long period of negotiation and, when the final legislation is in place, it is not as bad as we were led to believe. If you remember the hype around the so-called “Cookie Law” (part of The Privacy and Electronic Communications Regulations), you will remember that when the regulations were first discussed, there were warnings about the end of online marketing. The rules have been in place for a while now and are embedded. Consumers are used to a cookie statement on a website and marketers still use cookies to collect information.

The EU Data Protection Regulation has been through a prolonged hype stage of the cycle. It has gone from hype to quiet. The original EU proposals were set out in 2012 and caused consternation. The then Justice Minister Helen Grant said that the annual cost of complying with the draft rules would be between £100m and £360m for UK businesses, public sector organisations and charities. Organisations such as the DMA (Direct Marketing Association) led calls for amendments to the draft (my favourite was their eye-catching “Data Protection 2013 - 180 days to save your industry”). The proposals were amended by the EU in October 2013 and a new draft created. Partly due to the efforts of lobbying groups such as the DMA, the amended proposals are more workable and less exciting. Much less has been written about these. A brief internet search will uncover plenty of scare stories about the earlier proposals and lots of advice (some now unnecessary) on how to prepare your business for these major changes. Very little is available on the new draft. If you do any research on this, note very carefully the date the article was written. As with all EU legislation, there is a long process of negotiation and much changes between drafts and the final text.

Will it affect me?

Yes, if you hold customer and enquirer data. However, the legislation will not come into force before 2015.
CAMBRIDGE MARKETING REVIEW - ISSUE 8 Q2 2014
CHANGING CUSTOMERS

If you are designing a new CRM system or any other system for storing customer data, design these changes in so that you do not have to make expensive changes later to the way your customers’ data is stored.

How will it work?

There are a number of key issues, and note that the fines are draconian. The fines have in fact increased between the first and second drafts (possibly as a reaction to the “Snowden” leaks). The fines for breach are up to a maximum of the greater of 100m Euros or 5% of global turnover (this was 1m Euros or 2% of turnover in the first draft).

In the language of the EU, there is a huge difference between a “directive” and a “regulation”.
• A Directive sets out a goal that all EU countries must achieve but each country can decide how to implement it into their own legislation – thus inevitably delaying the implementation and giving businesses plenty of warning.
• A Regulation means it will be directly applicable to all EU member states. It must be applied in its entirety across the EU without any changes.

Some key issues

This article is based on the draft proposals published in October 2013. There will be further amendments. There are many issues around the draft and these are the ones that caught my eye.

1 Being accountable: this will entail establishing a culture of monitoring, reviewing and assessing your data processing procedures. The aim is to minimise data processing and retention, and to build safeguards into all data processing activities.

2 Explicit consent: organisations will have to obtain explicit, freely given, specific and informed consent from the individuals whose data they hold. Consent must be obtained through a statement or “clear affirmative action”. Consent cannot be given through silence or inactivity on the part of the individual. Consent is also not given just by using a service. Consent is purpose-limited: once the purpose ceases, consent no longer exists. There has been much concern about whether this would affect marketing profiling information. The new draft suggests that it is possible that profiling for marketing purposes may not require full prior explicit consent. However, more clarification is needed. The intention of this consent is best understood in the words of the EU commissioner, Viviane Reding: “People need to be informed about the processing of their data in a simple clear language they can understand. Internet users must be told which data is collected, for what purpose, how long and how it will be stored. They need to know how it might be used by third parties, they must know their rights and to whom they can address if they think their rights have been violated.”

The October 2013 draft also introduces an interesting idea of using standard symbols to explain what happens to data. I understand that this idea may not be taken forward into the Regulation, but it shows the level of clarity the EU is aiming for. Here are some examples given in the draft:
• No personal data is collected beyond the minimum necessary for each specific purpose of the processing.
• No personal data is disseminated to commercial third parties.
• No personal data is sold or rented.

3 “Privacy by design” requirement: this means that when you are designing new systems for holding data (such as a new CRM system) or modifying your current system, you must consider how to minimise the impact on an individual’s privacy. Privacy settings should be the default position. It is not clear if this will be a requirement to change current CRM systems.

4 Data Protection Officer: any company processing personal data of more than 5,000 individuals must appoint a Data Protection Officer. The exact role of this DPO is not defined.

5 Right of erasure: this was originally drafted as a “right to be forgotten”. Generally, this means an individual can ask an organisation to delete personal data stored about them “without delay”. There is a right for organisations to claim that they have a legitimate, legally justified reason to keep the data in their database, but this would be for very specific purposes, such as the archives of a newspaper.

6 Intra-group international data transfers: this means transferring data held on EU citizens outside the EU, perhaps for storage or data processing. If your business wishes to do this, you must have a legitimate and justifiable basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. There is concern that this will affect holding data in the Cloud, depending on where that data is stored.

7 The new “European Data Protection Board” will be tasked with producing guidelines on a wide range of areas, such as methods of verifying consent when processing children’s personal data.

What should you do now?

The UK Information Commissioner’s Office recommends that you start to review three areas of your data in preparation for the full changes:
(1) Consent

Whatever is finally in the wording of the Regulation, it is clear that organisations will need to ensure they have explicit consent. So the ancient rule of “qui tacet consentire videtur”, meaning “s/he who is silent consents”, does not apply to holding data. So, start reviewing:
1. What do you do with data that you hold?
2. Do you have explicit, informed consent from your customers and enquirers to carry out your answer to Q1?
3. Can you prove this explicit, informed consent?
If the answer to 2 or 3 is no, then start sorting this out now. In the words of the ICO, “In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this.”

Right of Erasure

If an individual revokes their consent, or if you did not have their consent in the first place, then you need to be able to erase personal data if you are asked to do so. Make sure that your systems can do this.

(2) Breach Notification

It may become compulsory to notify the Data Commissioner if there is a breach of data security. Start preparing by making sure you know what information on individuals is stored where. Then, if there is a security breach, you will know who is affected and what data may have been compromised or lost.

(3) Privacy by Design

The Data Commissioner says “this sounds scary” but it is not very clear what it actually means. For the moment, when you are designing new systems for holding data (such as a new CRM system) or modifying your current system, you need to minimise the impact on an individual’s privacy.

Be Aware

Many in the marketing industry are worried about the implications of the Regulation and many issues are still unclear. The legislation will be subject to more changes before it is finally implemented. Be aware that you will be hearing a lot more about the Regulation between now and 2015.
Cambridge Marketing Handbook: Law

Marketing and the Law by Kiran Kapur (2013), published by Kogan Page.

Marketers should be aware that there is a large amount of regulation and legislation that is relevant to their work, and that ignorance of the law is never an excuse. However, many feel very unsure how the various rules and regulations affect them. This handbook is an essential and uniquely accessible guide to the key legal issues all marketers need to know about and navigate. Written by a marketer, rather than a lawyer, it is designed to give practical guidance on all the necessary aspects. It examines the key issues that affect marketers in marketing communications, including both traditional media such as advertisements and social media. Legal language is very precise, and often complicated, so this handbook uses colloquial language for clarity. Each chapter includes clear summaries, examples and flow diagrams to help marketers understand how to comply with the law.
Disclaimer

Kiran Kapur is the author of The Marketing Handbook – Law, published by Kogan Page (2013). I am a marketer not a lawyer. This article is not intended to provide legal advice or to be a substitute for legal advice but to give general information.

Kiran has worked predominantly in Financial Services with expertise in customer relationship marketing and customer communications. As a consultant, she has worked as project manager for companies including Liverpool Victoria, Barclays, London Life and Cazenove. Kiran has taught a wide variety of courses at the College in Cambridge since 1999 and is the Distance Learning & Overseas Course Director, and a CIM examiner.