During the referendum debates, our membership of the European Union was often criticised for being a source of significant cost to UK businesses because of the need to comply with an ever increasing body of regulations and standards.
Freedom from red tape was lauded as an inevitable result of an exit. In the months since the vote, we have had to separate reality from rhetoric. Have marketers been saved from dealing with the most dramatic change in data privacy to date?
The General Data Protection Regulation expands the rights of individuals across all areas of data privacy, security, transparency and use. It also introduces significant new requirements on businesses with regards to compliance, data portability and record keeping, regardless of your role as a brand or a service provider.
The GDPR also introduces principles that redefine personal data in a way that, at best, will catch many unprepared and, at worst, could threaten the very operation of your business. Disturbingly, these new requirements are not well understood and are open to interpretation.
For example, the GDPR clearly acknowledges that IP addresses and cookies are considered to be personal information. While not in the category of "sensitive" personal information, safeguards must be taken to protect the security of an IP address, and detailed records must be kept to demonstrate where and how such data is being used.
The GDPR also expands the "right to erasure", whereby individuals have the right to request their personal data be erased under certain circumstances, such as the withdrawal of individual consent. Unlike existing legislation, the GDPR does not provide specifics on the threshold under which that is applicable.
Would a customer with poor credit have the right to require Experian to purge their credit history? Are you able to allow your consumers to download all the data you carry about them, delete it from your system and give it to your competitors?
Do you maintain a record of all information you have on a consumer – including details of what you have done with it and who you have shared it with? If the answer is no, you are not prepared for the GDPR. Formally adopted by the EU in April, the GDPR has not received much attention in the UK.
Our collective consciousness was distracted by the referendum and the fact that the full force of the regulation will not come into play until May 2018. If we had voted to remain, two years would have been a short amount of time to prepare, and many marketers are acting under the assumption that the regulation will not be applicable.
This is incorrect. By choosing to ignore the GDPR, you are simply squandering the little time you have available. Given the listless pace at which the government is moving towards a formal resolution of the vote, it is almost guaranteed the UK will still be a member of the EU in 2018.
Article 50 of the Lisbon Treaty sets a maximum period of two years for resolution of a member’s intention to withdraw and, according to the prime minister, that clause will not be invoked until 2017. It is likely we will be bound to comply with the GDPR for months or possibly years.
Even ignoring the fact that the UK will still technically be part of the EU in 2019, the GDPR has been designed to be global. Unlike many previous laws, it focuses on the individual, not the source of data.
Its requirements and penalties are applicable to any company that engages with an EU national, regardless of geography. If your business or service provider operates in Europe, offshore data havens will not protect you.
The penalties for data violations are also global and run to a maximum of €20m (£17m) or 4% of your organisation’s global revenue – whichever is the greater. Regardless of your views or the outcome of the current political machinations, as business leaders we are inexorably linked to the EU for the foreseeable future and must take action.
The GDPR is just one area requiring action and you will need to help your data protection officer tackle the complex challenges they will face over the coming years.
You do have a data protection officer, don’t you? After all, it will be a legal requirement come May 2018.