Last Wednesday, in her speech to address the new parliament, the Queen mentioned a new data protection law. How will that affect UK businesses, and more specifically, should the digital marketer be worried that their activities will be impacted?
What did she say?
What she said was very brief:
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”
The “new law” she refers to is the new Data Protection Bill which, among other things, will implement the requirements of GDPR, the General Data Protection Regulation drawn up by the EU and coming into effect May 25 next year.
What didn’t she say?
In the background notes to the speech, there is a little more detail.
There are two elements of the Bill which digital marketers will want to be aware of:
- The new law will replace the old Data Protection Act 1998. In line with the requirements of GDPR, the new law will give individuals more control over their personal data, including a right to be forgotten when they no longer want their data to be processed (provided that there are no legitimate grounds for retaining it).
- There will also be updated powers and sanctions available to the Information Commissioner. This means the ICO will be able to impose the heavy fines that GDPR has recommended – up to 4% of global revenue or €20m for companies failing to comply.
What does this mean?
In some ways, this is old news made to sound new. The UK has already committed to ensuring that the GDPR is implemented by May 25, 2018. The Queen’s Speech says how it will be put into the correct UK legal framework: the new Data Protection Act.
But the GDPR says that each country has some leeway in introducing their own optional exceptions in areas such as crime prevention, and also to add their own provisions in areas such as staff data processing. The Queen’s Speech suggests that the UK will give further powers to its security forces to delete corrupting material (presumably anything that promotes extremism and anything deemed as inappropriate to children) and to use personal data to track terrorist activity.
They don’t say how they will balance two things that now seem opposed to each other: controlling the internet to make the UK safer and protecting an individual’s right to privacy and free access to information.
How does this affect you?
There is more to GDPR than the government’s background notes cover. For a comprehensive overview, see https://ico.org.uk/for-organisations/data-protection-reform/ and download the excellent “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”.
The big three points for the digital marketer are:
This presents us with an immediate challenge. There needs to be a clear opt-in to all marketing (not a pre-ticked check box or an implicit passive condition to accept our marketing). Most companies’ email marketing database does not capture whether the address was opt-in or opt-out. We can’t prove that we collected it the right way. Did we provide a full clear description of what the data would be used for? Did we ask for permission for behavioural targeting or programmatic advertising?
2. Right to see all your data
An individual can request that a company show all the data it holds on them. But many companies will struggle to identify all the data that refers to that individual, as much of it will be anonymous. Much will be sitting with third parties, for example on adservers.
3. Right to be forgotten
GDPR talks about the ability for an individual to request that all the data a company holds on them be deleted. This might prove to be very challenging for the same reasons as the point above. The Queen’s Speech seems to direct this requirement at social media companies, who presumably would be in a better position to delete their first party data, as it would be clearly identifiable.
What actions should you take?
- Educate. Read the information on the ICO website and then organise a team briefing. Everyone in your marketing team needs to be on the same page, and bringing in an external GDPR expert for a half-day briefing session would be a great start.
- Audit. We would strongly recommend an audit of all marketing data to ensure you not only know where the data sits and who is responsible for it, but also where the risks would be.
- Plan. It would also be advisable to put an action plan in place to fix anything that might be causing a breach.
- Centralise. Putting in place a centralised permissions application that covers all marketing activity would be a sensible step towards ensuring all permissions are captured in a transparent way. In theory, a centralised permissions application could also provide the individual’s view of their data and the button to delete it.
The challenge for most organisations will be lack of resource, as well as lack of expertise in this area. That’s where we can help you.