Anyone who is in the business of processing personal data will be aware of the proposed new EU Data Protection Regulation. It’s a pretty hot topic right now (as I’m sure you’d agree) as it represents the most significant global development in data protection law since the EU Data Protection Directive that was agreed over 17 years ago. This was clearly way before smartphones were in everyone’s pockets and internet access was in every household, so no one would deny the fact that in this age of mass information sharing, this piece of legislation is in need of some revision.
However, a common view amongst marketers and data owners is that the current draft of the Regulation doesn’t strike the right balance between a) protecting an individual’s right to data privacy, and b) allowing businesses to engage with consumers, using the data they have access to, to deliver really relevant content.
As part of the proposed new Regulation, the European Commission is widening the scope of data protection laws to include a requirement that any business that stores personal data will have to disclose the details of any data security breaches.
So what does this mean and how do data security breaches occur? They can happen in a vast majority of ways, which can include:
• Lost or stolen laptops, removable storage devices (USB sticks etc.) or paper records containing personal information
• Hard disk drives being disposed of or returned without the information being correctly erased
• Staff members accessing or disclosing personal information illicitly
• Unsecured recycling of confidential waste
• Sending sensitive information digitally without encrypting it properly first
According to the Information Commissioner’s Office (ICO) the definition of a personal data security breach is “a breach of security leading the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Under the draft Regulation, it’s proposed that any organisation that processes personal data will be required to inform the ICO if a personal data security breach occurs.
So what does this mean for us as Email Marketers?
Essentially it gives the consumer much more information and ultimately control. Yes, this is great for our customers, but not so wonderful for us as many organisations (especially those of us in the email industry who handle a large amount of data for our clients) have expressed concern about potential ‘over-disclosure’ opportunities that could arise thanks to the requirement to provide the necessary information within 24 hours of a data security breach, as envisaged in the draft Regulation. It could potentially force organisations to reveal more information than they need to (such as notifying every individual who might have been affected by the breach rather than those who definitely were). This concern is backed up by recent research from LogRhythm who found that 87% of UK businesses have admitted that they wouldn’t be able to identify individuals affected by a breach within this timeframe.
Another concern amongst email marketers is that this requirement to notify a data security breach within 24 hours doesn’t just apply to organisations based within the EU, but it includes those doing business in it, making the draft Regulation the first de facto global data breach law.
Finally, it could lead to ‘notification fatigue’. With the requirement for each and every breach to be notified, regardless of the severity, consumers could be inundated with breach notifications, which could lead to consumers tuning out.
The good news is that it could take another 3-4 years before the changes come into play, however many of our peers are expressing concern over the negative impact the new Regulation could have on email and direct marketing. The DMA (UK), with FEDMA, is lobbying the EU institutions in Brussels ,the Ministry of Justice and the Department of Culture Media and Sport here in London to try and achieve an outcome that is more business-friendly. We would like to see the requirement to notify regulators and individuals of a data security breach restricted to serious breaches and the 24 hour time limit to notify a breach to be extended. Whatever the outcome is, positive or otherwise, you can bet your bottom dollar that the data security breach notification requirement will remain in the Regulation in some form or other. Therefore, it’s absolutely imperative that you put in place or review clear and well-understood data security breach notification procedures.