I know. You might not think this is the most riveting subject to blog about. But if you run a business of any size and capture data about your customers or clients then read on because this is important. The EU is in the process of developing General Data Protection Regulation which, if implemented, will have far reaching consequences and replace virtually all of the current data protection law in the UK. This week I introduced a seminar on the subject on behalf of the Worshipful Company of Marketors. Held at Cass Business School in conjunction with the Financial Services Forum, with a well-balanced panel of experts, the event drew a large audience mainly from the Financial Services Industry but these changes will impact all types of business and indeed other organisations in both the public and voluntary sectors.
Hazel Grant, a partner in Fieldfisher LLP specialising in Data Protection Law, described the background. In January 2012 the European Commission issued a proposal for reform of European-wide Data Law. In March 2014 a first reading of a draft bill went through the European Parliament. This meant there were now two drafts of the Regulation with significant differences between them. In May 2014 the Commission agreed a partial general approach, that is nothing is agreed until everything is agreed. To date these drafts have had more amendments than any previous body of EU Law. The expectation is that the Regulation will be agreed this year. If so, that would be a relatively quick time frame. Observers think it is more likely to be issued in 2016. There would then be a period of two years for organisations to comply with the new Regulation.
To illustrate the amount of work involved the working party of the Commission tasked with redrafting took to sleeping in tents in their offices in Brussels. To ensure that commercial entities take these changes seriously they are debating fines of either 2% or 5% of global annual turnover thus putting the Regulation on a par with breaches of the Competition rules. One Commissioner was quoted as saying that 2% was insufficient as that was merely pocket money![i]
Hazel summarised the main changes. The Regulation will apply globally versus EU only today, that is any firm anywhere in the world which collects data on EU citizens will be subject to the Regulation. Today issues are dealt with in each member state. Under the Regulation there will be a ‘one stop shop’. Today there is limited accountability. Under the Regulation accountability will be key. Apparently this is problematic because the French don’t have a word for accountability. Today rules apply to the controller of data only whereas tomorrow they will apply to the Controller and the Processor. Today fines are relatively small and differ between states. In the future fines will be huge. Under current rules there is no obligation to report a breach, though it is good practice to do so. Under the new rules there will be a statutory obligation to report a breach, possibly within 72 hours. Another change will be the requirement for large firms, to be defined, to employ a Data Protection Officer, who will have a separate reporting line to the authorities. There have been indications that ‘large’ may be defined as organisations that process data on more than 5,000 people. This does not seem very large to me. In my personal LinkedIn account I have over 1,000 contacts.
Some of the effects of these changes would include privacy impact assessment. Consent must be freely given. Security must be broadened. Personal data includes cookies and IP addresses.
Hazel thinks that these changes will come in but there is still plenty of disagreement among member states on several issues and there is no common position. Some dislike the concept of a ‘one stop shop’ as there would be a lack of proximity of citizens to effective remedy. There is disagreement on consistency mechanisms. Germany opposes the idea that it should apply to the public sector. The role of the Presidency is crucial in such areas of disagreement and that is currently held by Latvia, to be followed in July by Luxembourg. Thus two of the EU’s smallest states hold this position during this critical period. The Netherlands takes over in January 2016. France, Italy and Spain all want to reach agreement soon while Denmark, Sweden and the UK oppose the concept of introducing these changes as a Regulation preferring a Directive which would allow them to bring them in under local laws and so adapt them more to local practice. Something tells me that won’t happen. The greatest area of disagreement remains the different texts of the European Commission and the European Parliament.
When it comes to enforcement the most common reason for a breach is human error. Then there is a failure to encrypt, a lack of policies or staff training and very often misdirected communications, whether post, fax or email. The best chance to mitigate a fine is to self-report.
As well as fines Information Commissioners like to name and shame and today, when fines are relatively low, reputational damage may well be more serious for a company. The French authorities forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.
Jenny Moseley, an expert on Direct Marketing, described some of the implications. The Conduct of Business Sourcebook (COBS) would have to be revised. Terms and conditions need to be fair, clear and not misleading. When collecting data, privacy policies, particularly in gaining consent, must be transparent. Implied consent won’t work, and indeed, conditional consent won’t work either. There is a gap between interpretation of the rules as they apply to B2C versus B2B, but this will narrow.
Chris Wood, Head of UK Banking Regulation Compliance at HSBC, commented on the problem of the slipping timetable. He was concerned that this might cause senior executives to not engage properly as there was no immediate threat and they had plenty of other regulatory pressures to deal with. He was also concerned that good data controllers were being punished as they were more likely to report breaches. On the other hand he thought the Regulation would give more clarity and if the Regulation improves matters for customers that can only be a good thing. He gave an example of how the slightest error can lead to a mainstream breach. One wrongly addressed email had led to 55 million emails before the matter was brought under control. The reply all button has a lot to answer for.
Martin Hickley is a Data Privacy and Governance Consultant. He told the attendees that just that morning Facebook and Instagram had been hacked with the accounts of 1.6 billion people affected. The notorious Lizard Squad of PlayStation and Xbox fame claimed responsibility. Facebook later denied this but it is a wakeup call. Virtually no company could protect itself wholly against cybercrime and so some additional rules had to be implemented. Bring Your Own Device (BYOD) has to stop. All HR data must be protected. If IP addresses are personal data then consider what this might include. Even fridges have IP addresses today. And then millions of children have their thumbprints registered at school for cashless payments. Once lost these are lost for ever.
The panellists then discussed what actions businesses and especially marketers could do to prepare for these changes. From that I gleaned the following ten rules:
At first sight the Regulation seems quite a threat with increased control and cost, risk of massive fines and reputational damage in the event of breaches even when caused by unwitting human error. But situations like this are also opportunities to gain competitive advantage by performing these tasks more efficiently and accurately. And, finally, a company that has the right attitude to its customers; treats them as a source of business rather than a piece of data; treats them fairly and with respect rather than with cynicism, should not have anything to fear.