How the EU Data Protection Regulation could affect you and your business

Mon 30 January 2012 2:59 GMT

Data protection rights, data protection wrongs

The Direct Marketing Association (DMA) has serious concerns about the potential impact of some of the new Data Protection Regulation’s requirements on the industry. As it currently stands, the draft Regulation does not strike a fair balance between protecting the data privacy rights of the individual and the interests of businesses in using data for marketing purposes.

If the Regulation were to come into force tomorrow, then it would have costly ramifications for companies involved with direct marketing, and in turn detrimental consequences for the UK economy. The DMA believes the data privacy rights of individuals need to be protected, but this should not be at the expense of business. 

How the Data Protection Regulation could cost your business

If the draft Regulation passes into law unchanged from its current form, then there are four key areas which would have a serious financial impact on companies involved with direct marketing.

Opt-in / opt-out and obtaining consent
The new Regulation doesn’t go as far as heralding a comprehensive opt-in only regime for direct marketing - but it comes close. Under the current proposal, companies would have to obtain explicit consent from consumers by ‘clear statement or affirmative action’ to use their data for marketing purposes. While companies wouldn’t necessarily have to get consumers to tick an opt-in box, they wouldn’t be able to take for granted that consumers consent to receiving marketing information - even if they have had previous interaction with them.

The grey area surrounding the issue of what constitutes fair processing becomes greyer when considering the ‘balance of interests’ between the brand and the consumer. The worst case scenario is that companies that fail to prove they have properly obtained consent from individuals to contact them with direct marketing messages would have to scrap their contact databases and find it difficult to build them back up again. 

IP addresses
Current law is vague as to whether or not IP addresses (the identifying number assigned to devices accessing the web) should be considered personal data. The new Regulation, however, would class IP addresses as personal data. This would result in web analytics no longer being available to companies without the consent of individuals. Even though web analytics look at the online activities of anonymised batches of IP addresses, the information itself would be considered personal data and hence off-limits to those who did not obtain consent. The ramifications of this are huge for digital marketers, as they might then struggle to chart the journey consumers take from communication to action, or analyse their behaviour online.

Classifying IP addresses as personal data would also overlap with the new cookies regulations. Doing so would damage user experience of websites. Visitors’ preferences might not be stored, which would deny them a personalised experience, and they would have the inconvenience of uploading their details with every repeat transaction. These two effects would inflict incalculable damage on sales.

The right to be forgotten
The new Regulation would give individuals the right to request companies to delete any information that they hold on them. This has been designed specifically to enable people to delete their social media accounts. This requirement would certainly stifle innovation for social media companies, but consequences of the right to be forgotten reach beyond social media platforms. 

Companies that hold an individual’s data and pass it to third parties would not only have to delete that information, they would also have to ensure the third party deletes it too. This would spell disaster for data list brokers. Companies would also face increased data processing costs.

Subject access request
Currently, companies can charge a fee of £10 when supplying individuals with a copy of all of the information they hold on them. Under the new Regulation, companies would have to supply this information free of charge. The £10 fee doesn’t cover the cost of collating and supplying the information. 

The administrative burden this places on companies is huge. In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through added manpower costs. 

Other changes

While the draft Data Protection Regulation would cause UK businesses a good many problems, not all of it is bad news. Some provisions of the Regulation need further thought and clarification and others might even be good for the marketing industry.  

Data breach notification
The current Privacy & Electronic Communications Directive requires communication services providers, such as telephone companies and internet service providers, to notify the authorities of serious data breaches. There are no requirements under the current Data Protection Directive. The new Regulation, however, would radically change this. Every company that holds personal data would have to notify the Information Commissioner’s Office and the individuals concerned within 24 hours of any instances of data breaches. However, the current draft is particularly vague on the detail of how this would work. 

International transfers of personal information to countries outside of Europe
While the rules on transferring personal information to countries outside of Europe may have been made more business friendly, there would be issues surrounding their application beyond the region. The law would apply to any company in the world processing information about European citizens, but in a digital world a company wouldn’t know that it is dealing with a European citizen until that person completes an online registration process. This requirement simply doesn’t reflect the reality of 21st-century global data transfer practices, so the lawmakers will need to go back to the drawing board and rethink how such a requirement would be workable.

Marketing to children
The DMA is pleased that the draft Regulation allows for marketing to children online from the age of 13 without parental consent. 

This crucial detail is missing in existing data protection legislation. The industry is currently only guided by the ICO’s view that children under the age of 12 can’t give their consent to receive direct marketing. Under the new Regulation, a parent or guardian would have to give their consent for a child under the age of 13 to receive direct marketing, but further detail on what this would entail needs to be fleshed out.

More onerous compliance obligations
Companies using data for marketing purposes would face new compliance requirements, but the DMA believes this will be a key step in building consumer trust through clear commitment to data protection. 

Organisations would only have to keep records of their data processing activities and supply them to the ICO on request, rather than as a matter of course under current rules. However, companies with 250+ staff would be required to have a designated independent data protection officer. Companies would also have to prove compliance with new data protection rules by building them into new processing activities.   

What next?

The draft text of the European Union’s new Data Protection Regulation was published on Wednesday 25 January. This is the start of a long process in which the draft Regulation will be debated in the European Parliament and by the Council of Ministers. The current Data Protection Act will continue to remain in force, so the direct marketing industry won’t notice any change until the new Regulation comes into force, which could take up to four years.

As the Regulation passes through the European Parliament, the DMA will be communicating with lawmakers at every stage to ensure they understand the economic consequences of creating a Regulation that does not strike the right balance between protecting the rights of individuals and honouring the commercial interests of businesses. Self-regulation is the most effective way of keeping the industry in check without causing unintended consequences, so the DMA will also be working to ensure that the industry voluntarily takes action to protect the data privacy rights of consumers.