Category Archives: Data Management

The Draft EU Data Protection Regulations and the Other Compliance Obligations

As our series of blogs on the proposed EU Data Protection Regulation is almost at an end, I think it’s fair to say that they made for very informative reading. I hope you would agree with me that many marketers can learn something from them. A lot of the main topics within the proposal have been covered. But what are the changes to the compliance obligations which organisations need to consider in their day to day activities if the proposal was to be passed in its current version?

Data processing is featured heavily in the proposed Regulation. One of the changes is around notifying the relevant national data protection authority, in the case of the UK the Information Commissioner’s Office (ICO), of your organisation’s data processing activities. Currently, providing such notification to the ICO has been a matter of course, whereas the proposal states that full records of data processing activities must be kept by the organisation and only supplied to the relevant national data protection authority on request.

The use of data in many organisations is crucial for marketing purposes, as well as for general interaction with customers. If you work client-side, just think of the number of email campaigns your organisation sends out to your customers, whether the customers are active, prospective, lapsed or otherwise. Your data would have had to be processed in some way before emailing, whether it’s cleaning or segmenting for a targeted campaign; therefore keeping a record, with specific information, each time the data is processed would add another compliance burden to the activity. The obligation to keep records of processing activities is also extended to agencies where dealing with data is an integral part of the running of the organisation, such as list rental and lead generation activities. With this in mind, if you think of your own organisation’s activities as well as the number of organisations involved in a typical data processing chain, then the number of data processing activities that will need to be recorded is overwhelming. The ICO is concerned that there is a danger that organisations will focus on the ‘paperwork’ rather than on actual data protection compliance. The removal of the notification fee, which organisations currently pay to the ICO when they complete the notification form, does raise questions as to how the ICO will be adequately funded to carry out its data protection work effectively.

Another change in the proposal which will have a big impact is the requirement for organisations with 250 or more staff to have a designated independent data protection officer. Even though data is crucial to a lot of organisations, the size of the organisation, the reasons for its use of data and the frequency with which data is handled and processed vary widely. The ICO believes that “a simple head-count criterion for the designation of a data protection officer is not the best approach.” Some low head-count organisations may process a large amount of information about a lot of people and are therefore high risk. On the other hand, large head-count organisations may carry out relatively small-scale and low-risk processing. Read the ICO’s report on the draft regulations here.

The additional bureaucratic requirements relating to these proposed new compliance obligations will certainly create extra administrative costs, particularly for smaller organisations. As well as the increased documentation of all data processing activities, consider the revision and issue of new terms and conditions, and the amount of employee guidance and training around these changes.

These new compliance obligations, as well as implementing the right to be forgotten and explicit consent for data processing, will mean that all organisations will have to review their day to day activities.

What is “personal information” according to the draft EU Data Protection Regulation?

In order to keep up with new technologies and to address consumer concerns over privacy, the 1995 European Data Protection Directive, which was implemented in the UK in the 1998 Data Protection Act, is in the process of being updated. This can be a good thing because, aside from anything else, it aims to reduce the red tape and add more consistency across Europe. However, the draft proposals are missing the mark and are not going to meet the objectives unless some additions and changes are made.

The definition of “personal data” is one example of this; it is proposed to be extended so it could cover some IP addresses and cookies:

“a natural person who can be identified, directly or indirectly by means likely to be used by the Data Controller … in particular by reference to an identification number, location data, online identifier…”

The definition makes no distinction between personal data which is not directly identifiable, such as an IP address, and data which is, e.g. name and address. Furthermore, an IP address only identifies a device, not a person. This change would make profiling and web analytics much more difficult, if not impossible. This would change the whole way the internet and email marketing work. The easy user experiences and communications users are currently used to from talented marketers would be replaced with either nothing or un-targeted information, a backward step which will not benefit users or business. The updated European data protection legislative framework needs to allow commercial developments to continue, which will allow business to grow and users to have positive, relevant information sent to them.

It is imperative that the definition of personal data is revised otherwise the online economy may be severely damaged.

EU Draft Data Protection Regulation – Data Breach Notification

Anyone who is in the business of processing personal data will be aware of the proposed new EU Data Protection Regulation. It’s a pretty hot topic right now (as I’m sure you’d agree) as it represents the most significant global development in data protection law since the EU Data Protection Directive that was agreed over 17 years ago. This was clearly way before smartphones were in everyone’s pockets and internet access was in every household, so no one would deny the fact that in this age of mass information sharing, this piece of legislation is in need of some revision.

However, a common view amongst marketers and data owners is that the current draft of the Regulation doesn’t strike the right balance between a) protecting an individual’s right to data privacy, and b) allowing businesses to engage with consumers, using the data they have access to, to deliver really relevant content.

As part of the proposed new Regulation, the European Commission is widening the scope of data protection laws to include a requirement that any business that stores personal data will have to disclose the details of any data security breaches.

So what does this mean and how do data security breaches occur? They can happen in a wide variety of ways, which can include:
• Lost or stolen laptops, removable storage devices (USB sticks etc.) or paper records containing personal information
• Hard disk drives being disposed of or returned without the information being correctly erased
• Hacking
• Staff members accessing or disclosing personal information illicitly
• Unsecured recycling of confidential waste
• Sending sensitive information digitally without encrypting it properly first

According to the Information Commissioner’s Office (ICO) the definition of a personal data security breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Under the draft Regulation, it’s proposed that any organisation that processes personal data will be required to inform the ICO if a personal data security breach occurs.

So what does this mean for us as Email Marketers?

Essentially it gives the consumer much more information and ultimately control. Yes, this is great for our customers, but not so wonderful for us as many organisations (especially those of us in the email industry who handle a large amount of data for our clients) have expressed concern about potential ‘over-disclosure’ opportunities that could arise thanks to the requirement to provide the necessary information within 24 hours of a data security breach, as envisaged in the draft Regulation. It could potentially force organisations to reveal more information than they need to (such as notifying every individual who might have been affected by the breach rather than those who definitely were). This concern is backed up by recent research from LogRhythm who found that 87% of UK businesses have admitted that they wouldn’t be able to identify individuals affected by a breach within this timeframe.

Another concern amongst email marketers is that this requirement to notify a data security breach within 24 hours doesn’t just apply to organisations based within the EU, but it includes those doing business in it, making the draft Regulation the first de facto global data breach law.

Finally, it could lead to ‘notification fatigue’. With the requirement for each and every breach to be notified, regardless of the severity, consumers could be inundated with breach notifications, which could lead to consumers tuning out.

The good news is that it could take another 3-4 years before the changes come into play; however, many of our peers are expressing concern over the negative impact the new Regulation could have on email and direct marketing. The DMA (UK), with FEDMA, is lobbying the EU institutions in Brussels, the Ministry of Justice and the Department for Culture, Media and Sport here in London to try and achieve an outcome that is more business-friendly. We would like to see the requirement to notify regulators and individuals of a data security breach restricted to serious breaches and the 24 hour time limit to notify a breach extended. Whatever the outcome is, positive or otherwise, you can bet your bottom dollar that the data security breach notification requirement will remain in the Regulation in some form or other. Therefore, it’s absolutely imperative that you put in place or review clear and well-understood data security breach notification procedures.


EU Data Protection Regulation – Subject Access Request

A lot has changed in the world since the EU Data Protection Directive was first introduced in 1995. The internet was just beginning and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is being updated to meet the challenges of how global business is conducted in the 21st century.

The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a “subject access request” any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to £10 when supplying individuals with a copy of their personal data. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests.

Under the new proposed EU Data Protection Regulation, organisations would have to supply this information free of charge.

In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through additional manpower costs alone. If the ability to charge for a request is removed then this figure could increase massively and put a huge financial burden on UK companies.

If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required.

Some organisations hold a vast amount of personal data in many different formats and in many locations. You have live data that might be online and backup archives in various formats. In the past, much of this data would normally have been in a structured format such as a database, which made searching the data simpler. Now data controllers have to deal with unstructured electronic data, such as emails, with no indexing, and try to identify what data refers to the individual and therefore falls within the definition of personal data. Consider an organisation’s email records. One person might be referenced in these emails by many different names. Not only that, but these emails might also refer to other records stored in other formats, such as paper files.

On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which when received by the data subject may be then transferred back into electronic format.

One of the aims of the changes in the draft Regulation is to put all EU countries on a consistent footing, but removing the charge for a subject access request surely cannot be good for anyone.

EU Draft Data Protection Regulation – Data Portability

The next topic in the blog series on the new proposed EU data legislation looks at the area of ‘Data Portability’. Firstly let me clarify what that phrase means. The DataPortability Working Group defines it as “the option to share or move your personal data between trusted applications and vendors” – it’s really about the ability for people to be able to control their identity, media and other forms of personal data. Say you want to leave Facebook and use Google+; what about all those photos and the places that you checked in? Data portability means there should be an easy way to move all this data.

As we increasingly put more of our lives online, we are putting that data at risk. After all, who knows if those companies will be around in 5, 20 or 50 years? It is possible that chunks of your online self could disappear, or, conversely, that those photos of your 21st birthday remain in a system you haven’t used in 15 years, which is where data portability’s legislative cousin, the ‘right to be forgotten’, comes into play.

I have a fundamental belief in privacy and transparency around personal data use and will always support the rights of the consumer to control their own data. It is your data, your persona, the challenge is to balance those noble principles with legislation that does not create a legal and regulatory environment that stifles the next Facebook or Flickr, by introducing solutions to problems that market ingenuity would be better placed to develop.

With my commercial practitioner’s hat on, there seem to be two main areas where I believe that the draft Data Protection Regulation needs to be more carefully understood.

The first is the cost to business. A case study in the DMA’s Response to the Ministry of Justice Call for Evidence on the EU Data Protection Regulation (link here) shows that for a data services provider to the retail sector the costs to implement data portability and the right to be forgotten could be up to £100,000 for one-off system development. In an already fragile economic climate, is this additional burden really needed or helpful?

The second area is the draft Regulation’s desire to try and set technical standards that would underpin the interoperability of systems. FEDMA (Federation of European Direct and Interactive Marketing Associations) believes that Article 12(b) of the existing European Data Protection Directive (95/46/EC) already covers this area in a technology-neutral manner. Again, do we need more rigid legislation? After all, it may be a surprise to some that since 2010 you can take all your data from Facebook using the ‘download your information’ function under account settings. Is it not in the commercial interests of other social network service providers to make it as easy as possible for people to join their service and take in the data downloaded from Facebook? And to do that in innovative ways legislation would never be able to dictate?

The consumers’ right to control their personal data is already enshrined in the existing Data Protection Directive, so the question to me is: do we need to augment this with a more prescriptive approach? This Regulation could shape our industry for the next decade, and so this is your opportunity to get across your perspective and be a part of the debate. I would encourage you all to comment here or reach out to an Email Marketing Council member or the DMA Legal Team, legaladvice@dma.org.uk.

EU Data Protection International Transfer of Data

The development of technology has enabled businesses to act globally and be less limited by geographical boundaries. From our sofas we can shop online from almost any country in the world, companies can achieve a market presence in a country without having a single employee there; and in the world of iCloud and Dropbox we can access our files wherever we are, yet have no idea where they are actually stored.

So, as digital “borders” blur, how is the EU Data Protection Legislation evolving and what are the implications for marketers?

Let’s look firstly at the existing legislation. The existing UK 1998 Data Protection Act says that “Personal data shall not be transferred to a country or territory outside the European Economic Area (the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Of course that’s not quite the whole story. You still have to adhere to other principles of the Act, informing individuals that their data is being transferred, and ensuring that you do it with the right security. Also, in the UK our current legislation allows a data controller to transfer data outside the EEA based on their own assessment of adequacy of protection – and this difference highlights another key challenge – that there are differences in national implementation of the 1995 European Data Protection Directive across the EU. Complaints have also been voiced about the complexity of the 1995 Directive regarding data transfer.

Those hoping for some advancement with the new European Draft Data Protection Regulation are, however, likely to be rather disappointed.

While some of the rules on transferring personal information to countries outside the EEA have been made more business-friendly the Draft Regulation arguably also takes a step backwards, and raises many more questions.

One of the proposed key changes is that the laws of the country where the data is held become less important than the question of whose data it is. So, for an EU Citizen, no matter where their data is processed, the law that would apply under the Draft Regulation is EU law. It’s nice to feel protected, but one wonders just how practical it will be to enforce implementation of this globally. How will organisations around the world even be able to identify that they are dealing with EU Citizens? In a digital world, nationality is not always obvious, and even if it were, why should organisations really care about laws in another country?

The differences in interpretation of the 1995 Directive between Member States were one of the key catalysts for the revision of the legislative framework. And, indeed, one of the key provisions of the Draft Regulation is for there to be co-operation between the national data protection authorities in the Member States to ensure consistency in the way the Regulation will be enforced. But in the revision, there has been an element of prescriptiveness which is actually more limiting for UK organisations than the current data protection laws – for instance, the Draft Regulation now removes the ability of an organisation to make their own risk assessment on data transfers to countries outside the EEA. Instead it reinforces the need to adhere to sanctioned processes and the Draft Regulation’s own definition of adequacy.

And this is one of the key areas that the ICO felt was not going in the right direction. The ICO have doubts about the way the Draft Regulation bases “adequacy” on the nature of the law in a particular country. It feels that “adequacy should be assessed more in relation to the specific circumstances of the transfer and less on the adequacy or otherwise of the law of the country the recipient is established in.” So, in other words, if I am transferring data to a reputable global firm in a country whose national data protection legislation is not adequate, why would that really be a problem?

Aside from the general concerns about the practicality of many of the proposed changes, the question of adequacy seems to be the hottest topic to debate. This is one of the aspects of the Draft Regulation that the ICO believes most needs to be amended to deal more realistically with current and future international data-flows. It (and we) believe that a future data protection framework should focus much more on risk assessment by the exporting data controller and that it should be clearer about data controllers’ responsibility, wherever they choose to process personal data.

EU Data Protection Regulation – The Right to be Forgotten

Continuing with our series of posts reviewing the potential effects of the proposed EU Data Protection Regulation, one of the areas it addresses is an individual’s “right to be forgotten” by a business. The specific wording is as follows:

“The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data”

This has clearly been written with social media in mind, for example ensuring that Facebook users are able to completely delete their profiles if they so wish. However, the effect on email marketers and direct marketers in general could be disastrous. If somebody unsubscribes, or asks to no longer receive an advertiser’s communications, then clearly that individual’s details need to be held by the organisation in order to suppress them from future comms. Forgetting them completely, i.e. erasing all their data, could have the polar opposite effect from that which the consumer is expecting! An individual’s details need to be held in order for the organisation to “remember to forget”. Also, industry suppression files, which are there to benefit consumers, could be put at risk by the Regulation.

The problems do not end there. There would also be an issue with information that has already been passed on to third parties, e.g. via list brokers or through partnerships. Also, consumers risk being misled. For example, some data in financial services has to be kept for a specific period of time in order to meet legal and FSA regulations.

In summary, not only does this section of the Regulation risk failing to achieve what it sets out to do, it could also damage consumer trust and increase the complexity and volume of data processing which needlessly increases the financial burden on companies.