The biggest change to data protection and privacy is lurking around the corner in the form of the EU General Data Protection Regulation (GDPR) and this is the biggest challenge to business continuity for more than a decade.
Any minute now – likely early June – the EU’s Council of Ministers will declare its position on this new regulation and if the EU Parliament is comfortable with this version, GDPR could become a reality this year.
In a recent address to delegates at a City seminar organised by the Worshipful Company of Marketors and the Financial Services Forum held at Cass Business School, London the ‘next-in-line’ Lord Mayor of London and multi-millionaire entrepreneur Sir Paul Judge remarked: “I want to stress how important it is that the City keeps on top of the changes that are taking place in the way we collect, store, transfer and use data. It’s vitally important that everyone is fully prepared for the biggest shake up in data protection and privacy for a decade and taking steps now to safeguard business continuity will ensure that your firms continue to grow and prosper.”
Today, European regulators, MEPs and the judiciary are united in the need to revise data protection and privacy laws created in the last century. These regulations and laws were conceived before Facebook, Google and Twitter had dramatically changed the way we now interact with the internet and each other in such a fundamental way, and the Internet of Things was still on the drawing board.
We are now living with the legacy of the law failing to keep pace with technological development.
GDPR is meant to bring us into the twenty-first century, with Data Protection Authorities (DPAs) virtually holding hands in order to create a ‘one-stop-shop’ for complainants irrespective of where the data breach occurred within the EU.
The proposed EU Regulation also effectively replaces the Data Protection Directive 95/46/EC as well as the Data Protection Act 1998 by removing the patchwork approach to data protection and privacy that exists at present. GDPR also places the same legal duties and obligations for data protection and privacy on outsourcing providers (data processors) as well as financial services firms (data controllers).
This time next spring, or earlier, there’s likely to be a mad panic within sales and marketing departments as companies struggle to beat the deadline for making significant changes to data protection and security or risk facing punitive fines equivalent to up to 5% of global turnover or €100m.
Ahead of the GDPR, sales and marketing professionals should follow these top ten steps to ensure that their future marketing efforts within the EU will be compliant.
#1: Create new data policies and procedures
Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
#2: Mitigate known risks
Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so sales and marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
#3: Invest in education and training now
Invest in education and training all employees involved in collection and processing of data with a view to reducing the risk of human error and as far as possible try and automate as many processes as possible in order to reduce the risk of human error.
#4: Review how you currently obtain customer consent
Set very clear, fair and transparent rules for obtaining customer consent.
#5: Don’t hang on to data!
Don’t keep data forever – unless of course it’s to ensure that you don’t contact someone who has expressly said that they don’t want to be contacted in the future and not having such information could lead to them being contacted again by accident.
#6: Out-of-date data policy
Create a policy for destroying out-of-date data.
#7: Be prepared for an increase in consumer activism
Recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
#8: Make data protection central to your marketing process
Integrate data protection fully into all business processes and not treat this as an add-on or side issue.
#9: Move your mind-set from compliance to competitive advantage
Consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
#10: Treat your customers as real people
Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.
The Council of Ministers is still reviewing the draft EU Regulation at a technical level and negotiations on the proposed text between the Council of Ministers and the European Parliament will only commence once the Council of Ministers is ready.
The earliest there could be agreement on the draft EU Regulation is likely to be at the end of 2015 – and the expectation is that the revised data protection framework will be in place by mid-2017. Marketers should start now, as well as follow best practice guidance given by the ICO, ahead of the EU Regulation as much of the new regulation will be a codification of this guidance. Not doing anything now is a recipe for disaster and simply creates a business continuity risk that can so easily be avoided.
Darren Verrian is CEO of startup EU Compliance and Recruitment that trades under the Community Mark GO DPO. He’s the co-author of the forthcoming Data Protection and Privacy and The Data Protection Officer’s Handbook to be published by Kogan Page in early 2016.