Rosemary Smith talks to us about the new EU data protection rules – General Data Protection Regulation (GDPR)
What should you do about data protection and GDPR now the UK has voted to exit the EU? We asked one of the UK’s leading experts in data protection, Rosemary Smith.
Rosemary became involved in the lobby against restrictive data protection in Europe whilst working at the Periodical Publishers Association in the late eighties.
She wrote the first guide to the 1984 Act for magazine publishers and served on the Advertising Association Data Protection Committee and the CAP Committee.
Rosemary was later active in the British List Brokers Association and wrote guidance for members on privacy issues. She served on the working party which drafted the list and database rules in the CAP code.
She served on DMA’s Governance Committee for eight years and was Chairman until 2008 overseeing lobbying activity, the Mailing, Telephone and Fax preference Services and the DMA Code of Practice.
Rosemary was also a member of the DMA Board for 7 years and was DMA Chairman until October 2008.
She is an active member of the FEDMA List Council.
She has given presentations covering privacy, data protection and self-regulation to audiences in the UK, Europe, USA and Australia.
Rosemary is co-author (with fellow Opt-4 Director, Jenny Moseley) of the book “New Data Protection Liabilities & Risks for Direct Marketers” published in September 2004.
Rosemary is also Managing Director of data consultancy RSA Direct.
What next for Data Protection, post Brexit? Will GDPR still apply?
What advice can Rosemary give?
It affects you if you handle any data from which an individual can be identified. So that includes B2B data too!
Our existing Data Protection Act was created in ’95 and enacted in ’98, so the latest changes are all about bringing the law up to date.
GDPR – General Data Protection Regulation – it was all going smoothly until the Brexit vote. The plan was for the GDPR to be implemented on 25 May 2018.
The ICO, Information Commissioners Officer believe the UK needs to prove adequacy to trade with the EU. So UK data protection standards need to be equivalent to EU legislation. Rosemary suggests we could get a GDPR ‘lite’.
The UK was a dove in the EU discussions. As opposed to Germany and Spain who were far more stringent.
If you process data on people in the EU, then the EU data protection regulations will apply to you as the legislation has the extra territorial reach.
So what are the BIG changes?
GDPR has 2 overarching principles
- Transparency – all about making sure individuals know if you are collecting their data what you’ll do with their data, how long you’ll hold it. This places an emphasis on making your intentions clear on point of capture – Rosemary suggested that previous data protect statements were true examples of obfuscation by nature, they did not make it clear at all.
- Accountability – you have to account for what you are and aren’t doing with the data. How will you secure it, who has access it, will it be shared? Record keeping stuff.
For marketing, the big issue is the definition of consent. Under the current legislation that can be done on implied consent, that is opt out. Consent to send communications.
However, the new legislation makes the definition, it needs to be UNAMBIGUOUS?
Rosemary says you need to be opting in customers. A shock to the system.
Balance of interest – is it in the legitimate interest of the organisation to send a communication? This may be a way to use for direct mail, rather than email, as that is already controlled by PECR legislation, already in place.
Profiling has been defined. That’s any automated decision making. Stuff that marketers do all the time. Most profiling will only have a requirement for the individual to object, rather than specifically agree.
One of the purposes of the regulations is to give individuals more rights with regard to their data. One of these new rights is the right to be forgotten, or the right to erasure. This right applies to any data controller, but if they are indebted to you, they cannot erase their records.
Companies will be able to create STOP files to enable them to ‘erase’ the individuals, to prevent the same erased person being re-purchased in new data.
The sanctions are eye watering from the point of view – 20 million Euros, 4% global turnover.
The right of subject access, is currently covered by a £10 fee, but under the new law that is proposed to be taken away. Subject Access Requests are a challenge. Beware!
Data processors also become jointly liable for errors with data, as they acting under a data controller’s instructions. New liability comes in for processors, where the person suffered damage as a result of a breach. There should be a written contract between data controller and data processor.
The GDPR changes are significant. A data protection officer is required where you handle sensitive, health or ethnicity.
Exceptions for small business? Yes. Under 250 employees have a lower threshold on record keeping on data processing.
How do I find out more about GDPR?
Rosemary has developed some materials for would be DPOs.
Learn. Apply. Comply. This is where you can get FREE resources on data protection. You can also get in touch with Rosemary through her company website:
and via her email: firstname.lastname@example.org
(NOTE: Rosemary is not in our Facebook group – she is famed for not liking their privacy terms. So if you have a question for Rosemary, she has provided her email address.)
How do you get the marketing permission to use people’s data?
- Focus your words on the data-value exchange
- I believe I will get something in return for their email contact address
- Don’t leave it to your LEGAL department
- You can DOUBLE the level of consent if you ask people in a nice way.
People dislike NOT having a choice of channel – People prefer channel opt-outs.
The most ticked boxes are:
- These are the least popular channels, so make sure you have a way to get your communications to the person.
Age counts here. Younger people are freer with their information. The older generations are more likely to say yes for postal communications.
Remember, business data is covered by the regulations. Your HR team will need to be up to date, as data on employees falls into sensitive data.
YOUR BEST STRATEGY – assume the EU regulations will be adopted. So start now with these 3 steps in the next 100 days…
- Be compliant with current legislation now! That’s a good place to start. Are your data protection notices clear for whatever purpose you are using the data?
- Review contracts with your data processors.
- Think about the new rights? How would you manage the erasure request in your databases?
Go to www.dpnetwork.org.uk will help you comply with current legislation. They are accessible. Written in plain English.