General Data Protection Regulation – what the future holds
Zach Thornton, External Affairs Manager, DMA (@DMA_UK #dma)
EU Data Protection reform – where are we?
• Dec 2015 Political agreement reached on text
• Apr 2016 Justice and Home Ministers sign off
• Apr 2016 European Parliament signs off
• 25 May 2016 Regulation becomes law
• Oct/Nov 2016 UK issues Art 50 notice to EU
• 25 May 2018 Regulation comes into force
• Oct/Nov 2018 UK ceases to be EU Member State
What kind of UK-EU trade deal?
Will Brexit change anything?
• No
• Any free trade arrangement with the EU will require equivalent data protection legislation
• Data protection is now a global issue, so any free trade agreement with other countries will require equivalent data protection legislation
ICO Referendum result response
• Data Protection Act 1998 remains UK law irrespective of the vote to leave the EU
• UK will want to have access to the EU Single Market in goods and services, therefore at minimum it would need to have data protection laws equivalent to the EU's in order for Brussels to grant the UK at minimum Adequacy Status under GDPR
• For organisations operating across the UK, EU and other countries, international consistency around data protection laws and individual rights is crucial. Need to comply with GDPR
• Organisations operating in the UK only – possibility of a GDPR lite version only
• ICO will be lobbying the UK government for reform of UK data protection law
• DMA stance same as ICO
• UK DMA will work with FEDMA at European level
Information Commissioner and Minister’s views
• Limit business costs while respecting individuals’ data protection rights
• Implementation of the text will be complex and demanding
• Support organisations to make changes
• Powerful driver to good practice in treating consumers well
• Building long term business rather than a quick buck
• ICO will deal with rogues and use fining powers proportionately and appropriately
• ICO and Article 29 Working Party (senior representatives from other EU Member States) will issue Guidance Notes – ICO published draft timetable
• New Information Commissioner Elizabeth Denham, from Canada, is familiar with GDPR; ICO will also have a GDPR change management unit
Albrecht Statement
• "The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share."
• "The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition."
Headline proposed changes
• Expanded definitions: “personal data” and “data subject”
• Changes to information requirements
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breach
• Data processors directly covered
Consent

Consent: Current Position (1995 Directive)
• Freely given, specific, informed indication of the data subject’s wishes
• Explicit consent required for sensitive personal data only

Consent: GDPR Position
• Freely given, specific, informed and unambiguous indication of the data subject’s wishes
• Given either by a statement or a clear affirmative action
• Data controller / data subject relationship to be taken into account
• Burden of proof on controller to demonstrate consent
Consent (Recital 32)
• Practical difference between “explicit” and “unambiguous” consent
• Written, including electronic, or oral statement
• Includes:
  • Ticking a box when visiting an internet website
  • Choosing technical settings
  • Any other statement or conduct which clearly indicates acceptance
• Does not include:
  • Silence
  • Pre-ticked boxes
  • Inactivity
Effect of change
• Existing rules for post and telephone remain the same for first and third party marketing
• Email and SMS marketing – rules in the Privacy and Electronic Communications Directive remain the same for first party and third party marketing
• NB Changes to the information requirements you have to provide to individuals
• Remember that if you are outsourcing processing to a bureau, that bureau is not a third party
• Hopefully brands will be able to grandfather existing marketing permissions obtained in compliance with existing law into the new GDPR without having to go through a re-permissioning exercise
• Need to comply with other GDPR provisions, for example information requirements
Legitimate interests of data controller (Recital 47)
• Alternative legal basis for processing personal data
• Direct marketing recognised as a legitimate interest in the text of the Regulation
• Cannot use it where fundamental rights and freedoms of individuals override the rights of organisations
• Need for a balancing test
• Provision of unsubscribe/opt-out normally satisfies the test
• Cannot use it for processing personal data about children
Information requirements in privacy policies (Articles 13 and 14)
• Name and contact details of data controller
• Used for direct marketing purposes
• Third parties to which information is passed on
• Transfers to countries outside Europe
• Length of time for which information is kept
• Data subject’s rights
• Information about profiling
Introduction of new rules on consent/legitimate interests
• Review whether you are going to use consent or legitimate interests as the basis for direct marketing activities
• Do people understand what they are agreeing to? – nation of liars
• Need for clear and transparent information about what direct marketing customers and registered prospects will receive
• How will you demonstrate proof of consent?
• Legitimate interest route – opt out/unsubscribe must be clear and easy to use
• Preference centre – by brand/channel?
IP addresses and cookies
• Definition of personal data extended so it could cover some IP addresses and cookies as “online identifiers” (Article 4(1))
• But IP addresses identify a device, not an individual, and some IPs are general
• Huge implications for digital marketers
• Web analytics and profiling made much more difficult, if not impossible
• Interaction with new cookie rules problematic
IP addresses and cookies
• Think about how you will deal with the extension to include location data, IP addresses, cookies and online identifiers
• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?
• Justice and Home Affairs Ministers – pseudonymous data is a subset of personal data
• Amend wording on privacy policies/data collection notices to take account of the new rules on profiling
Profiling (Articles 21 and 22)
• Right to unsubscribe/opt-out from a decision based on profiling which produces legal effects concerning the individual or similarly significantly affects the individual. The right to unsubscribe/opt-out does not apply if the decision:
  • a) is necessary for entering into or the performance of a contract between the individual and the data controller – an example of this would be credit-scoring if an individual applied for a new credit card or an increase in their credit limit
  • b) is based on the individual’s explicit consent
  • c) is authorised under EU or Member State law – unlikely to apply to direct marketing
Profiling (Articles 21 and 22)
• In the case of a) or c) the individual has the right to ask the organisation:
  • for a human to intervene in the profiling
  • to express their point of view, and the right to contest the decision
• Profiling for direct marketing purposes – right to object at any time under the general right to object principle
• Need to explain in data collection notice/privacy policy:
  • whether or not the organisation uses automated decision making and profiling
  • meaningful information about how the automated decision making/profiling works
  • how the automated decision making/profiling will affect the individual
Data Breach Notification (Articles 33 and 34)
• Any data security breach to be notified to the ICO within 72 hours / without undue delay
• Report to cover:
  • nature of breach
  • number of data subjects
  • categories of data
  • proposed mitigation
• Not always obvious if there has been a breach or how extensive it is
• No need to notify if the breach is unlikely to result in risk to the rights and freedoms of individuals
• Notification to affected individuals only if the breach is likely to result in high risk to the rights and freedoms of individuals
Data security breach notification
• Introduce breach detection and notification procedures
• Think about how you will notify data protection authorities and affected individuals within the agreed timescale
• Develop/review your data breach response plan
• Guidance needed on what counts as high risk