Recently I took part in an online professional development webinar hosted by the Chartered Institute of Marketing which looked at the impact of the vast amounts of personal data about people that is available to organisations and changes in the law to protect their privacy. It was a wake-up call to think twice about why we collect personal data and what we are going to do with it. While the following information is a bit dry it is very important to be aware of!
The General Data Protection Regulation (GDPR) will come into force in 2018. It was approved by the EU Commission on 14 April 2016. The result of the 23 June 2016 referendum on membership of the EU now means that the Government needs to consider the impact on the GDPR but currently it still stands.
The EU data protection directive, which the new laws will replace, was written in 1995 and our own Data Protection Act 1998 (DPA) are essentially relics of the pre-internet age and not fit for purpose now we have social media, cloud computing and the Internet of Things.
Marketers are getting extremely good at targeting individuals. For example, when you click on those games on Facebook such as those that tell you which fictional character you are, you are unknowingly giving away personal data to other companies. This is then used to determine which adverts you may be receptive to and is why you seem to get so many adverts that reflect what you have been thinking about.
More than 200 pages of major reforms will introduce concepts such as the individual’s ‘right to be forgotten’, raise levels of verification for opt-in consent, demand that companies store consent permissions, and make unapproved data unusable. Companies that don’t comply could be fined up to 4% of their global turnover, or €20m.
One implication is that we have to think carefully about opt-in and opt-out procedures. We will no longer be able to assume that an unticked opt-out box means we have permission to use people’s data. We have to gain specific opt-in permission in order to store and use their data. Informed consent must be freely given with an unambiguous indication that signifies agreement to their personal data being used for a specific purpose. Implied consent from an unticked box doesn’t count.
Six principles of the GDPR
Article 5 of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals; This is a key difference to the DPA. We have to tell people what we are doing with their data and they have to understand this in order to give consent;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Also there is a new accountability requirement:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
What to do about it
The main principles of consent are:
Control: Individuals have to be in control so that consent is freely given.
Transparency: We have to tell individuals everything we are going to do with the information – specific and informed.
Notification: Individuals have given clear indication of their permission.
Verifiable: We have to be able to prove that we have done all the above.
To achieve this, information supplied to individuals about how their data will be processed must be:
- intelligible and easy to access
- in plain language
- free of charge.
If consent is sought for a number of matters then each one must be separated so that it is easy to distinguish between them and individuals can choose which ones to opt into and out of.
Example – use of ‘free’ Wi-Fi in a coffee shop that necessitates you giving all sorts of personal details eg name, address, date of birth, gender and has a hidden term and condition about them using your data for marketing. The GDPR requires that consent is sought separately for each personal detail requested along with an explanation of why it is needed. Hidden terms and conditions are no longer compliant.
By protecting individuals in this way it will be much harder to gather data from them. The benefits of opting in have to be sold to people whose data you want. Trust has to be built by being open and transparent.
In addition, we also have to put service providers under the microscope to ensure that they do not contravene the GDPR on our behalf. The Information Commissioner’s Office has a tool to help ensure organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. This will be useful in allowing organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.