What does the shake-up of EU data laws mean for marketers?
After four years of discussions, new EU-wide privacy rules will come into force in 2018, and while there are challenges, the overhaul is also a chance to reassess the data value exchange between business and user.
The European Commission today (14 April) approved proposed tougher data privacy laws collectively known as the General Data Protection Regulation (GDPR), and at more than 200 pages long, GDPR is one of the most wide-ranging reforms to be passed in years. GDPR was also debated by delegates at a recent Drum-hosted event.
GDPR formalises concepts such as the ‘right to be forgotten’, data portability, data breach notification and accountability, with those falling foul of the guidelines potentially facing massive fines of €20m, or up to four per cent of global revenues.
But before we get down to business, here’s a quick overview of the main elements of the new regulation; it replaces the EU data protection directive, which was formed in 1995 when the internet was still in its infancy.
Moving forward, companies will need to be more transparent with what they do with personal data, while individuals will have more control of their information. It means marketers (increasingly relying on data to hone their practice) will have to move more deftly post 2018 when the regulation comes into force.
That shifting dynamic, whereby people are starting to take data protection more seriously, is accelerating the arrival of what some experts dub the ‘Me2B economy’.
Following the passing of the guidelines, the implications were discussed at length at an event hosted by the AOP today (14 April). Here is a guide to what the data shake-up means for marketers and how they should adapt accordingly.
Consult your national data protection body
For its part the ICO is poised to host a series of “listening events” with private industries over the following two years in order to gauge the concerns, areas of confusion, as well as the intended compliance strategies of those present. In the interim, it has produced a checklist for marketers and media owners to get started ahead of 2018 (a snapshot is below).
Speaking at the AOP event, Ian Bourne, from the data regulator the Information Commissioner’s Office (ICO), said businesses shouldn't just think about GDPR, but also the European courts, which are increasingly looking at privacy issues.
“We’re in a bit of a difficult time, and the area of behavioural advertising is a particular area of interest. Historically, the ICO has viewed it as a low-risk technology,” said Bourne. “We intend to do this as a partnership.”
For instance, the spread of beacon marketing shows why marketers have to sit back and think about how users will react if they turn such a service on.
Relax, but do pay attention to detail, and communicate effectively
Speakers at the AOP event were also quick to quell any potential over-reaction from advertisers and publishers to the new direction. Simon Morrissey, head of data privacy at legal firm Lewis Silkin LLP, questioned how onerous the new regulations will be compared to existing legislation, but reiterated that clarity and transparency would be key.
He told attendees: “It’s the qualification of existing guidance, plus some additional measures … we’re moving away from ‘personal data’ to ‘regulated data’.”
Zach Thornton, external affairs executive at marketing trade body The Direct Marketing Association, added: “Data is the lifeline of our members. The GDPR will change the way businesses use data. The scale of change is massive, but the two years before the GDPR becomes law are a great opportunity for marketers to look at what they are doing and make sure they are comfortable with the regulations, and adapt.
“It will also give marketers the chance to explore new ways to use technology, data and creativity to reach potential customers effectively.”
Privacy notices must be: concise; transparent; intelligible; easily accessible, and described in clear and plain language, according to Morrissey.
Internal training and auditing processes will be necessary for media businesses to remain on the right side of the new regulations.
“The key thing is that you are going to have to use a bit more clarification to users that they have these rights [to be ‘forgotten’], and then obtain their consent to use this data for commercial process,” said Morrissey.
Act local, act global
Under the new data protection rule, regulators from elsewhere in the EU could now have a say in the rulings, as well as the fines handed out to UK companies under the guidance of the directive, revealed Bourne, who cited earlier European Court interventions into services such as Google Street View as an example.
Fellow speaker Nick Stringer, a digital media consultant, and ex-head of public policy at the IAB, added: “Although it’s an EU regulation, it will have global significance.”
For instance, if a business offers goods or services in the EU it’s covered by the regulation - it doesn’t matter if the business is based in San Diego. The application of the law is determined by the location of the people it serves.
Key areas of interest to marketers
Commenting on the results, Dr Sachiko Scheuing, European privacy officer at ad tech outfit Acxiom and co-chair of FEDMA, said: “GDPR means that businesses can now effectively plan and prepare for this major initiative to use data in the consumers’ interest and which has important implications for a wide range of business operations, not to mention brands, suppliers and agencies throughout the marketing industry in the UK and Europe. It is imperative now that businesses begin to look at their compliance with this text, as well as the appointment of data protection officers.”
For example, clarification is needed around the status of ‘pseudonymised personal data’, as well as issues around data portability, which mean that consumers can demand that businesses transfer the data they have on that individual (such as payment history) in order to get a better deal from a third party business.
“Provisions of profiling are probably of most interest to people here [publishers],” said the ICO’s Bourne. “One of the things we’ll have to do is come up with a reasonable definition of what is benign profiling. Getting that right is a major priority for us.”
Another area is making sure consumers know when there is a data breach, or corruption of data, and then having procedures in place that let them know when their private information has been compromised.
For more information on the ICO’s outreach programme follow its latest updates here