The EU General Data Protection Regulation (GDPR), due to be finalised in April 2016, paves the way for a transformed digital age. Aimed at providing a more harmonised approach to the current data protection laws, GDPR provides for (amongst other things) greater data protection for individuals. It is a regulation rather than a directive, which means it will apply directly in all EU member states without the need for national legislation.
There are so many rules and regulations around today that it is hard to know where to start and what applies to your business. We felt it might be useful to provide a map of where Data Protection started and where we are today with GDPR.
Navigate the Data Protection Road Map to GDPR
The office of the Data Protection Commissioner in Ireland was established in 1989 under the 1988 Data Protection Act. The 1988 Act was amended by the Data Protection (Amendment) Act 2003. Initially the law applied only to personal data held in computerised form, but following the 2003 Act, Irish data protection law covers all personal data held on individuals, whether in automated or manual form, ranging from files to phone call records to CCTV footage.
It is the responsibility of the Data Protection Commissioner to uphold and protect your privacy rights when it comes to data being held about you. The Data Protection Commissioner has summarised the eight “Rules” which must be adhered to:
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request.
Electronic Privacy Regulations
The Privacy and Electronic Communications (EC Directive) Regulations 2003 exist in conjunction with the Data Protection Act 2003. They are designed to complement data protection regulation by setting out further specific privacy rights for electronic communications. They take account of the growing use of internet and mobile networks, which provide new possibilities for businesses and users but also new risks to privacy.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
Currently the ePrivacy Regulations 2011 (informal consolidated version) are in effect (although there have been other amendments in the interim). The 2011 regulations apply to telecommunications providers, Internet Service Providers and any entity using electronic communications with its customers.
New requirements concern compulsory notification of data breaches, user consent for cookie placement, direct marketing phone calls and the sending of electronic marketing messages.
Reform – GDPR
In January 2012, the EU commission put forward its EU Data Protection Reform to make Europe fit for the digital age.
The core aims of the General Data Protection Regulation (GDPR) are to simplify doing business in a single digital economy and strengthen the rights of citizens in this digital age.
In December 2015, agreement was reached on the data protection framework, and it is expected to be finalised in early 2016. Following formal adoption, companies will then have 2 years (expected 2018) to comply with the new Regulation. The GDPR is wide ranging, and an excellent synopsis of the requirements is available from the UK Information Commissioner's Office (ICO): http://dpreform.org.uk/preparing-for-the-gdpr-12-steps-to-take-now/.
Here are some of the key highlights and considerations for Digital Marketeers:
Personal Data – any information relating to a person who can be identified, directly or indirectly, by name, identification number, location data or other factors including physical, economic or cultural identity. Online identifiers such as IP addresses, cookies etc. could now be regarded as personal data.
The definition of personal data applies whether the person is acting in a private, public or work capacity.
Consent – According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”
You will need to be able to show how consent was obtained and when.
Withdrawing consent should be simple for the individual to achieve.
Transparency – personal data will need to be “collected for specified, explicit and legitimate purposes”.
Children and consent – online, prior parental consent is required for use of a site by a child under 13.
Right to be Forgotten – Once data is no longer required for the reasons it was collected then it must be erased.
Profiling and Automated Decision Making – Individuals have the right not to be subject to the results of automated decision making including profiling.
Steps to Consider
Whether your business is new and just starting out or well established, now is the time to take on board the current Data Protection Regulations and plan for the future requirements.
- Review the data you currently collect
- Understand why you are collecting the data
- Tell your customer what you are collecting and why
- Ask your customer for permission
- Provide your customer with the opportunity to remove themselves.
- Plan customer privacy as a default into new products and services.
- Integrate data protection into all sales and marketing processes
- Educate staff in all aspects of data protection.
We are likely to see a plethora of “big hype” articles in the media about the massive cost of implementing GDPR for industry; some of it will be legitimate and some will be hype. Many clearly see this as a business opportunity, and there will be no shortage of consultancy firms willing and able to provide you with advice, guidance, audits and education.
Already, the UK Data Protection Office (ICO.org) has published considerable information and launched a dedicated website providing information on GDPR: http://dpreform.org.uk/.
Unfortunately, the office of the Data Protection Commissioner in Ireland has yet to publish any information regarding GDPR. It should however be noted that in a speech at the 8th Annual National Data Protection Conference in January 2016, the Minister of State for European Affairs and Data Protection, Dara Murphy, confirmed that the Commissioner's budget has been increased from €1.89m in 2014 to €4.8m in 2016, that there is to be a 100% increase in staff numbers, and that new premises have been secured. Commissioner Helen Dixon has expanded her team, recruiting lawyers, technologists, investigators and communications experts. It is likely we will see guidance from the Irish Data Protection Commissioner in the coming months.