EU data reforms: the five top issues for marketers

As the dust begins to settle over the EU General Data Protection Regulation agreement the DMA has released what it sees as the five key points for marketers to consider.

Direct marketing as a legitimate interest.
The text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest. While processing for direct marketing purposes is considered a legitimate interest, if an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual.

Definition of personal data
Personal data is any information relating to an identified or identifiable person. How companies interact with personal data is the focus for the legislation. An identifiable person is somebody who can be identified directly or indirectly, particularly by reference to a name, identification number, location data or online identifier.
Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie that is placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me is unlikely to be considered personal data.
This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.

Consent
The text refers to ‘unambiguous’ consent rather than ‘explicit’ consent, the stricter of the two definitions. Under unambiguous consent, consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
Either way, marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.
The days when consent could be buried in lengthy terms and conditions are numbered.

Right to object (unsubscribe/opt-out)
Under the new Regulation, individuals will have the right to object to any processing of their personal information, including profiling, at any time and free of charge. If individuals object, then their personal information can no longer be processed for marketing purposes.
Most marketers will use the legitimate interest grounds for processing personal information (see above) if they are using an unsubscribe/opt-out method. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated.
Again, existing unsubscribe/opt-out language will need to be revised.

Profiling
Profiling has now been included under the label ‘automated decision making’. Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on them or otherwise significantly affects them. So, individuals can opt out of profiling.
But individuals have no right to opt out of profiling if they have already explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State Law.

From the text so far, we know that:
Fines for companies that breach the new regulations could run to 4% of global turnover – vast when you consider the size of some digital giants
Creation of a Data Protection Officer within businesses involved with ‘high risk processing’ whose job it is to make sure the business is compliant with the new rules
The minimum age for registering with digital services could rise from 13 up to 16, but this would be at the discretion of member states
Single ‘one stop shop’ to police data businesses regardless of where they are in the EU
Rules for businesses will be proportional to the risk those businesses could present to individuals
Data protection safeguards should be built into products from the earliest stages
Pseudonymisation and other privacy-friendly techniques will be encouraged
For those of you who have enough time, there is a leaked copy of the full text here.