The ICO is telling brands to see EU privacy laws as a chance to build trust with consumers

The former is largely in the hands of the UK electorate, but the latter is something that all businesses with access/control of customer data will have to pay attention to as barring a whirlwind exit, they will have to comply with GDPR rules by 25 May 2018 when they come into force.

GDPR has been touted as some of the most wide-ranging reforms to data protection across the 28 member states, and for the first time it harmonises such rules across the union.

Concepts such as the ‘right to be forgotten’, data portability, data breach notification and accountability are all encompassed in the rulings, with those falling foul of the guidelines potentially facing massive fines of €20m, or up to four per cent of global revenue.

Increasing anxieties among business

Such is the level of anxiety caused by the oncoming regulation that certain parties, such as the International Association of Privacy Professionals (IAPP), are forecasting that Europe will collectively need to appoint over 28,000 new data protection officers (DPOs) ahead the enforcement of GDPR.

Add this to the parallel lobbying of online data privacy advocates, whose activities have gained much attention in recent weeks in light of their interjection into the ongoing ad blocking debate, and the issue of data protection/privacy arguably the defining narrative of 2016 (even more than ad blocking).

Privacy as a market advantage

For its part the ICO has already kicked off a series of “listening events” with private industries to sound out areas of confusion over the oncoming legislation, this is in addition to an initial checklist it has produced here (see image below).

Speaking at a recent event hosted by privacy advocates entitled The Privacy Advantage, Steve Wood, ICO, head of policy delivery, opined that the principles of the GDPR are not so far removed from the existing data protection regulations (which date back to the late 1990s).

The GDPR implementation will involve a step change in the way organisations will have to demonstrate how they comply with the law, and make sure they have understood the legal basis of it. This accountability is the important change from the earlier regime, according to Wood.

‘Data protection by design’

“All of these steps will outline the legal things that organisations will have to do, and the legal process of processing data, as well as how they can start communicating privacy information… in very clear plain English,” he said.

On top of this, organisations will have to think about the technical requirements of data protection, the governance involved in this, how to articulate this clearly (such as data breach notifications), as well as “data impact assessments” – an approach he summed up as “data protection by design”.

“You have to ensure that there will be board level commitments to data protection,” he said, echoing the IAPP’s message about the upcoming importance of DPO’s in any outfit that processes consumer data.

Data protection does not have to prevent innovation

Wood later highlighted that over five years ago the ICO produced a document entitled The Privacy Dividend where it first outlined the opportunities for businesses to both attract and retain trust with their customers

“If you take a positive approach of planning early and being active over the key areas to focus on over the two-year implementation period, then you can do something in a way that actually adds value to your particular operation,” he told attendees.

For its part, the ICO is also at pains to point out how this process will not necessarily come at the expense of innovation. “It causes us to think deeply about innovation

“What we’ve been doing at the ICO is trying to listen over the last few months… Our job as a regulator is to listen to industry and start to talk about what the law means, but also to say that we think we have innovative ways that enable us to comply with the law,” explained Wood.

Some areas to ponder

However, for web-based companies there are many areas of focus to look at in the run-up to 2018, some of which include the prospect of age-based consent over how data is used, something that was not covered in earlier iterations of data protection laws in the UK.

Wood explained some of the difficulties that data processors will have to consider when formulating their data protection policies over age-based consent. “At the ICO we’ve always advocated a risk-based approach to the context of such data processing,” he added.

For instance, if a parent gives permission for their child to use the internet on a shared computer at home, what data are they happy for a company to process on said child?

“Also, can verifiable consent from parents be linked to National ID numbers, or other forms of ID [of any/all of the household members]?” he questioned.

“We will need some innovation to make sure we comply with that part of the GDPR,” he said, highlighting one area to seriously consider will be federated ID management.

Regulator to provide some guiding reassurance

However, in the weeks and months ahead, the ICO will soon follow up its ‘listening phase’ and help usher businesses towards compliance with the new regulations, including giving feedback on their intended compliance strategies.

“What we’ll be doing over the coming months is that we’ll be having a series of workshops where we’ll sit down with key people in this area, and they can propose solutions as to how this might work to us, before we write our guidance,” explained Wood.

Speaking at an event hosed last month just after the GDPR regulation was passed, Nick Stringer, a digital media consultant, and ex head of public policy at the IAB, told attendees at an AOP-hosted event that under upcoming guidelines regulators from elsewhere in the EU could now have a say in UK rulings.

He added: “Although it’s an EU regulation, it will have global significance.”

Read more on the implications GDPR will have on marketers here