When the European Commission's updated draft Data Protection legislation was announced last year, a lot was made of the sweeping changes to the fundamental data protection principles. Many of these have already been covered in other blog posts, but what I want to delve into here are the changes to the financial penalties for failing to comply with the rules. There are two separate provisions which could hit your corporate wallet: the first allows regulators to levy a fine for breaches, while the other gives individuals the right to be awarded compensation for breaches.
Fines from Regulators
The original proposal gave regulators the power to levy fines of up to €1m, or up to 2% of a business's global turnover, for breaches of the regulations. On the 20th of February, the Industry Committee of the European Parliament voted against mandatory fines and in favour of leaving the size of any fine to the national regulators, which is in line with the current regime. While many consumer and privacy advocates have said this will water down the new regulations, I for one applaud this move, as it will allow fines to be in line with local attitudes to data privacy and local economic conditions.
Do not think that because the power to set fines has been taken away from Brussels and left with the national regulator, here the UK Information Commissioner, companies dealing in personal data will have an easy ride in the UK. The ICO continues to lobby for greater enforcement powers and, more importantly, a greater budget to dedicate to enforcement. The ICO has also been making more use of its existing power to impose monetary penalties in recent years, with a twofold increase in the number of fines issued in 2012 over 2011 and a fourfold increase in the total value of those penalties over the same period. The trend is clear: the ICO is issuing more penalties, and the fines are getting bigger.
Individuals' Right to Compensation
The other potential hit to your corporate wallet is the new proposal giving individuals the right to compensation for breaches of the data protection regulations. This is worrying for a number of reasons. First, there are no guidelines on how a court or regulator would determine when personal compensation is warranted, how the compensation should be calculated, or whether awards would be capped. A second concern is that this proposal will drive the EU to become more litigious.
The third and greatest worry for us as an industry is that this personal compensation can be sought from both the data controller and the data processor. Making data processors liable for the actions of data controllers is a new and very troubling concept which will significantly impact the email marketing industry.
Until now, data processors, primarily in the form of ESPs (email service providers), acted only on the instruction of the data controller and were therefore not required to ensure that the data controller's behaviour was in fact legal. There is already an extra burden on our industry because, as we all know, we deal with a "second regulator" in the form of the ISPs, which decide whether to accept our email transmissions or not. Should this new provision go through, ESPs will not only have to ensure that their clients follow best practice to optimise deliverability, but will also have to get right under the skin of each client's business to ensure that it is legally compliant with data protection regulations. This is an intrusion that many client companies will not want, a process that ESPs are not currently structured to handle, and one that will have to be funded in the form of higher send costs.
Should I Worry?
At the end of the day it is email marketing 101 type stuff. Any email marketing professional worth their salt, or any member of the DMA, should be following the basics of best practice closely enough not to be doing anything wrong, and should therefore generally have nothing to worry about. The worry comes from simple human error: a file that gets corrupted, a laptop holding unencrypted customer data left on a train, or a password that is too easy to crack. These "simple human errors" could turn out to be very costly.
Take action now!
If you haven't already, take time to read the DMA's assessment of the impact of the new regulations. Think about how this could hurt your business, and then reach out to your MEP and make your voice heard.