On June 23rd the UK will decide its European future in the ‘in-out’ referendum. But first, there’s another important European date. On Wednesday 25th May we’ll see the introduction of the General Data Protection Regulation (GDPR) – the new measures which replace the current EU directive on data protection. Although none of the various data protection legislation relates exclusively to email marketing it still has important implications for data controllers – that’s all of us who collect, store and use the personal information of individuals within the European Union.
The journey to GDPR
The current EU directive, the European Privacy and Electronic Communications (EC Directive) Regulations (officially Directive 95/46/EC, but also referred to as PECR ) was introduced in 2003, itself a refinement of the original EU Data Protection Directive of 1995. It forms part of a wider suite of EU laws on privacy and human rights and umbrella’s the local legislation of the EU member countries. Here in the UK, this is the 1998 Data Protection Act (DPA). Together with other legislation like the Freedom of Information Act (2000) and other guidelines and codes of practice, the Data Protection Act regulates the rights of both organisations and individuals regarding the visibility, storage, protection and use of personal data.
Direct marketing is one of the data applications which is specifically referenced in both the DPA and the PECR.
The first proposals from the European Commission for the new regulation were made in 2012. Agreement was reached on 17 December 2015, with formal approval by the European Parliament in April 2016. The resulting EU General Data Protection Regulation (GDPR) officially becomes EU law next week on 25th May. However there is allowance for some administrative fine tuning and there will also be a 2 year lead in before it finally becomes enforceable on 25 May 2018.
Because it is a regulation (as opposed to a directive) it means that it will be directly applicable to all EU member countries without a need for further legislation at a national level. Locally, the GDPR will supersede national laws of individual members (such as the Data Protection Act in the UK and Northern Ireland), ultimately unifying data protection and rationalising the treatment and status of personal data across all 28 of the EU members.
It’s a wide ranging brief. The overall aim of the new General Data Protection Regulation is to harmonise the various current data protection laws in place across the EU members and to clarify and extend some of the provisions already in place. It relates to all EU members and potentially affects every organisation that processes the personal information of EU residents even if they themselves are not within Europe.
The final approved copy is over 200 pages long. However, here are some of the key changes which the GDPR establishes as law. For us as email marketers much of the interest is around the articles on what constitutes personal data and the transparency and application of the permission process.
Personally Identifiable Data
Firstly, there’s a broader definition of what personal data entails. As in the current PECR this data is referred to as personally identifiable information or PII. The PII concept is now broadened to include any information which is ‘relating’ to an individual and which can potentially be used identify, locate or contact that individual. This includes information such as biometric and genetic data. For marketers, notable inclusion are IP addresses, device IDs and Unique IDs (UID) which are found in the online cookies used to track an individual’s online behaviour.
Another item of particular interest to us as email marketers is refinement to the concept of consent – we know this better as permission. While stopping short of requiring explicit consent in all cases (there are exceptions for certain categories of particularly sensitive data, where this is required) the GDPR still sets a somewhat higher level of expectation when it comes to obtaining and justifying permission. The current European Data Protection Directive defines consent as “any freely given specific and informed indication of (his) wishes by which the data subject signifies (his) agreement to personal data relating to (him) being processed”. The implication is that an individual may indicate their consent other than specifically in writing.
The GDPR gives more emphasis to whether or not consumers understand what they are agreeing to, and attempts to ensure that they are being given a meaningful and unambiguous choice. This has implications for commonly used opt-in mechanisms like the use of tick boxes and consent icons. To paraphrase, the GDPR requires that consent must be given freely, be informed and unambiguous and be specific to the purpose for which the data will be used. Consent can be given either by a statement or a clear affirmative action which signifies agreement.
Organisations collecting and controlling data will also be required to provide clearer evidence of their consent process, a step which may require enhanced record keeping. In practice, although it’s certainly a tightening of the concept of consent, most marketers who are following a robust permission based process will already be broadly compliant with the new requirements of the GDPR.
Responsibilities of data controllers
For data controllers, administration and audit are other key areas of change.
Many data controlling organisations will be required to appoint a Data Protection Officer (DPO), or alternatively to outsource this requirement to a professional third party. One responsibility of the DPO will be to report serious data breaches (that is those likely to represent a risk to the rights and freedoms of the individuals concerned) to their local Data Protection Authority within 72 hours. In the UK this would be to the Information Commissioners Office (ICO). Where the risk of damage to individuals is considered high, then the data subjects themselves will also need to be notified of the breach and its implications.
Raising the profile
Another underlying theme of the GDPR is to raise the profile of data protection within the structure of data controlling organisations. To this end there are moves to require the consideration of data protection into an organisation’s business strategies by ‘design and default’.
Organisations will be required to keep and, on request, provide records and notices about data protection practices and rights. The Privacy Impact Assessment (PIA) is one such document which is intended to demonstrate that an organisation has adequately considered the risks associated with its data practices and has taken reasonable steps to manage them. Building responsible and robust data practices into new business systems is one aspect intended to elevate the issues of data protection to a boardroom level.
For the individual, a new key feature is the steam-lining of the process to examine who is holding and processing their personal data and for what purpose. The upfront fee for Subject Access Requests (SAR) has been removed, a move which is anticipated to bring a significant increase in processing for organisations. Another is the extension of our right as individuals to erasure, the so called ‘right to be forgotten’. Provided these requests are still balanced in terms of other rights and obligations, the circumstances under which these requests can be made have been clarified and extended.
And if you fall foul of the GDPR?
As mentioned above, the GDPR will not become enforceable until 25 May 2018. However, one of the main enforcement changes is the ability of the appropriate Data Protection Authority to levy substantial fines for non-compliance. It’s not necessary to demonstrate that actual harm has been caused in order for the responsible Data Protection Authority to issue a fine, but where significant damage is identified a fine up to 20 million euros or 4% of global turnover can be imposed.
It’s another measure intended to ensure that the subject data protection reaches the radar of board level executives.
What if the UK vote to ‘exit’?
Of course, after 23 June it’s quite possible that the ‘out’ campaigners will prevail and the UK will no longer be subject to the same degree of EU legislation. However, even with an exit result it’s unlikely that existing UK data protection legislation and current obligations under the PECR will be significantly revised. Furthermore, when the GDPR comes into force all organisations that process data relating to EU residents will be required to comply, whether they are themselves based in the EU or not. This also has implications for those who transfer or process EU data outside of the European Union.
There’s lots of online discussion on the definitions and implications of the GDPR. For UK organisations the ICO has set up a 12 point checklist for those wanting official clarification and guidance on how to prepare for the GDPR.