Boards    Business    Chile    Current Affairs    Education    Environment    Foreign Affairs    Future    Health    History    In Memoriam    Innovation    Languages & Culture    Law    Leadership & Management    Marketing    Networking    Pedantics    Pedantry    People    Philanthropy    Politics & Economics    Politics and Economics    Science    Sport    Sustainability    Technology    Worshipful Company of Marketors   

Home Biography Advice / Mentoring Public Speaking Recommendations / Endorsements Honours Contact David Blog Books

31 January 2015

Data Protection

Tag(s): Business, Marketing
I know. You might not think this is the most riveting subject to blog about. But if you run a business of any size and capture data about your customers or clients then read on because this is important. The EU is in the process of developing General Data Protection Regulation which, if implemented, will have far reaching consequences and replace virtually all of the current data protection law in the UK. This week I introduced a seminar on the subject on behalf of the Worshipful Company of Marketors. Held at Cass Business School in conjunction with the Financial Services Forum, with a well-balanced panel of experts, the event drew a large audience mainly from the Financial Services Industry but these changes will impact all types of business and indeed other organisations in both the public and voluntary sectors.

Hazel Grant, a partner in Fieldfisher LLP specialising in Data Protection Law, described the background. In January 2012 the European Commission issued a proposal for reform of European-wide Data Law. In March 2014 a first reading of a draft bill went through the European Parliament. This meant there were now two drafts of the Regulation with significant differences between them. In May 2014 the Commission agreed a partial general approach, that is nothing is agreed until everything is agreed. To date these drafts have had more amendments than any previous body of EU Law. The expectation is that the Regulation will be agreed this year. If so, that would be a relatively quick time frame. Observers think it is more likely to be issued in 2016. There would then be a period of two years for organisations to comply with the new Regulation.

To illustrate the amount of work involved the working party of the Commission tasked with redrafting took to sleeping in tents in their offices in Brussels.  To ensure that commercial entities take these changes seriously they are debating fines of either 2% or 5% of global annual turnover thus putting the Regulation on a par with breaches of the Competition rules. One Commissioner was quoted as saying that 2% was insufficient as that was merely pocket money![i]

Hazel summarised the main changes. The Regulation will apply globally versus EU only today, that is any firm anywhere in the world which collects data on EU citizens will be subject to the Regulation. Today issues are dealt with in each member state. Under the Regulation there will be a ’one stop shop.’ Today there is limited accountability. Under the Regulation accountability will be key. Apparently this is problematic because the French don’t have a word for accountability. Today rules apply to the controller of data only whereas tomorrow they will apply to the Controller and the Processor. Today fines are relatively small and differ between states. In the future fines will be huge. Under current rules there is no obligation to report a breach, though it is good practice to do so. Under the new rules there will be a statutory obligation to report a breach, possibly within 72 hours. Another change will be the requirement for large firms, to be defined, to employ a Data Protection Officer, who will have a separate reporting line to the authorities. There have been indications that ‘large’ may be defined as organisations that process data on more than 5,000 people. This does not seem very large to me. In my personal LinkedIn account I have over 1,000 contacts.

Some of the effects of these changes would include privacy impact assessment. Consent must be freely given. Security must be broadened. Personal data includes cookies and IP addresses.

Hazel thinks that these changes will come in but there is still plenty of disagreement among member states on several issues and there is no common position. Some dislike the concept of a ‘one stop shop’ as there would be a lack of proximity of citizens to effective remedy. There is disagreement on consistency mechanisms. Germany opposes the idea that it should apply to the public sector. The role of the Presidency is crucial in such areas of disagreement and that is currently held by Latvia, to be followed in July by Luxembourg. Thus two of the EU’s smallest states hold this position during this critical period. The Netherlands takes over in January 2016. France, Italy and Spain all want to reach agreement soon while Denmark, Sweden and the UK oppose the concept of introducing these changes as a Regulation preferring a Directive which would allow them to bring them in under local laws and so adapt them more to local practice. Something tells me that won’t happen. The greatest area of disagreement remains the different texts of the European Commission and the European Parliament.

When it comes to enforcement the most common reason for a breach is human error. Then there is a failure to encrypt, a lack of policies or staff training and very often misdirected communications, whether post, fax or email. The best chance to mitigate a fine is to self-report.

As well as fines Information Commissioners like to name and shame and today, when fines are relatively low, reputational damage may well be more serious for a company. The French authorities forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

Jenny Moseley, an expert on Direct Marketing, described some of the implications. The Conduct of Business Source book (COBS) would have to be revised. Terms and conditions need to be fair, clear and not misleading. When collecting data privacy policies, particularly in gaining consent, must be transparent. Implied consent won’t work, and indeed, conditional consent won’t work either. There is a gap between interpretation of the rules as they apply to B2C versus B2B, but this will narrow.

Chris Wood, Head of UK Banking Regulation Compliance at HSBC commented on the problem of the slipping timetable. He was concerned that this might cause senior executives to not engage properly as there was no immediate threat and they had plenty of other regulatory pressures to deal with. He was also concerned that good data controllers were being punished as they were more likely to report breaches. On the other hand he thought the Regulation would give more clarity and if the Regulation improves matters for customers that can only be a good thing. He gave an example how the slightest error cam lead to a mainstream breach. One wrongly addressed email had led to 55 million emails before the matter was brought under control. The reply all button has a lot to answer for.

Martin Hickley is a Data Privacy and Governance Consultant. He told the attendees that just that morning Facebook and Instagram had been hacked with the accounts of 1.6 billion people affected. The notorious Lizard Squad of PlayStation and Xbox fame claimed responsibility. Facebook later denied this but it is a wakeup call. Virtually no company could protect itself wholly against cybercrime and so some additional rules had to be implemented. Bring Your Own Device (BYOD) has to stop. All HR data must be protected.  If IP addresses are personal data then consider what this might include. Even fridges have IP addresses today. And then millions of children have their thumbprints registered at school for cashless payments. Once lost these are lost for ever.

The panellists then discussed what actions businesses and especially marketers could do to prepare for these changes. From that I gleaned the following ten rules:
  1. Write down a set of policies and procedures.
  2. This should include actions in the event of a security breach.
  3. Consider what breaches might do harm and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud. So pay particular attention to passport details etc.
  4. Train all employees involved in collecting and processing data with a view to preventing human error.
  5. But automate as much as possible to eliminate sources of human error.
  6. Set very clear, fair and transparent rules for obtaining consent.
  7. Know what data you hold and their impact.
  8. But don’t keep data for ever. Develop a policy for destroying out of date data.
  9. Recognise the risk of consumer activism. One aggrieved customer can quickly mount a campaign on social media.
  10. Integrate Data Protection fully into your business processes; don’t treat it as a side issue.
At first sight the Regulation seems quite a threat with increased control and cost, risk of massive fines and reputational damage in the event of breaches even when caused by unwitting human error. But situations like this are also opportunities to gain competitive advantage by performing these tasks more efficiently and accurately. And, finally, a company that has the right attitude to its customers; treats them as a source of business rather than a piece of data; treats them fairly and with respect rather than with cynicism, should not have anything to fear.

[i] This just shows that some of these Commissioners do not live in the real world. When I worked for Sony, at a time when our performance was very good, our annual net profits on consolidated income globally was about 2%. In other words if we had committed an offence against this Regulation the fine could have wiped out our total profits. More recently in the last five years Sony has only lost money so such a fine could bankrupt it.

Copyright David C Pearson 2015 All rights reserved


Blog Archive

    Boards    Business    Chile    Current Affairs    Education    Environment    Foreign Affairs    Future    Health    History    In Memoriam    Innovation    Languages & Culture    Law    Leadership & Management    Marketing    Networking    Pedantics    Pedantry    People    Philanthropy    Politics & Economics    Politics and Economics    Science    Sport    Sustainability    Technology    Worshipful Company of Marketors   

David's Blog

Rothamsted Research
2 October 2021

4 September 2021

Footballers with Dementia
21 August 2021

The Non-Olympics (2)
7 August 2021

The Non-Olympics
31 July 2021

Working From Home
24 July 2021

Bad Buying
29 May 2021

Charles de Gaulle
15 May 2021

The Uncivil Service
1 May 2021

17 April 2021

The Huguenots
10 April 2021

Public Speaking
27 February 2021

20 February 2021

Global Risks
13 February 2021

The Number Bias (2)
6 February 2021

The Number Bias
30 January 2021

Cowboys and Indians
23 January 2021

9 January 2021

© David C Pearson 2021 (All rights reserved)