After outlining the threat to retail marketing of the new EU General Data Protection Regulation (GDPR) in the September issue of Furniture News, Dene Walsh returns with news that some data marketers face a triple data regulation change on top of the finally agreed EU law – thankfully, the Information Commissioner’s Office (ICO) is stepping up the assistance it provides to aid compliance …
Although Brussels has completed a U-turn on the terms of the new EU data law that was threatening to undermine the capability of marketers, it is now domestic regulators that are posing new challenges.
A parliamentary Select Committee has announced it wants the Government to introduce much stricter data laws that go beyond the recently-announced EU GDPR law.
The committee believe that current sanctions have not been an effective deterrence to rogue marketers, and a key element of its recommendation is introducing criminal sanctions with the aim of focusing the minds of business leaders to ensure data protection policy is treated with much greater importance.
At the same time, the ICO is introducing a policy of actively seeking out data offenders rather than investigating complaints, and is reviewing its guidelines with a view to introducing tougher regulation – plus it will double in size this year, and may move into bigger premises.
In addition, Ofcom has completed the consultancy period of a review of rules as part of its initiative to introduce more control in the way businesses are allowed to communicate by telephone with customers and sales prospects. As yet there is no data for publication of regulation changes.
Although some marketing departments will have to understand and adopt multiple rule changes, the ICO is providing practical support to assist in meeting new regulations. It has introduced an online self-assessment tool that enables users to identify all of the considerations necessary under the Data Protection Act, here.
“Although Brussels has completed a U-turn on the terms of the new EU data law that was threatening to undermine the capability of marketers, it is now domestic regulators that are posing new challenges”
In addition, the ICO has produced a 12-step guide to preparing for the new EU data law, and accompanying guidance on the overall context of the change to come. It highlights the fact that many of the principles in the new EU legislation are the same as those in the current Data Protection Act. It points out that if companies are currently data compliant then the foundations for meeting GDPR regulation will be in place already.
The 12-point guide issued by the ICO is as follows:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communication privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate personal data breach.
10. Data protection by design and data protection impact assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data protection officers
You should designate a data protection officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Dene Walsh is the operations director of lead generation service Verso Group, and is responsible for data compliance at the company. He also plays a leading role in compliance in the data sector as a whole as a member of the Direct Marketing Association’s contact centre and telemarketing council.
