GDPR Summary - Part 1 - On your marks, get set, go!
Companies and organisations that use data at the centre of their sales and marketing activities – and that’s just about everyone reading this blog – will be impacted by the forthcoming EU General Data Protection Regulation (GDPR).
Yesterday (Monday 15 June), the European Council of Ministers gave its strongest signal yet that it was prepared to negotiate the detail of the GDPR with the European Parliament in order to try and reach agreement by the end of 2015.
Agreement between the European Parliament, Council of Ministers and European Commission now looks like a distinct possibility in November/December 2015 after which there’ll be a two-year transition period before sanctions begin to bite.
However, as the blogosphere went into overdrive, many critics were sceptical that this could be achieved in a 6-month time frame given that both sides will need to reach agreement on a wide range of data protection and privacy issues. However, what most commentators forgot to mention was that parties preparing to enter into an agreement (of any sort) need to be prepared to compromise – so as they say, where there’s a will, there’s a way!
How the GDPR fits into an overall framework of changes within the European Union
EU Charter of Fundamental Rights
The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled. The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources. Now that the national courts and Court of Justice of the European Union (CJEU) have to consider the Charter it can be used to assist in cases where EU law is in issue and clearly GDPR needs to be seen within this context.
The Digital Single Market
A couple of weeks ago the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).
EU Commission President Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one and generating €415 bn ($468 bn) a year for the European economy as well as creating 3.8m new jobs.
The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.
It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.
What’s the big stuff that’s of relevance for marketers?
This can be summarised as:
• Putting individuals back in control of their own data
• Portability of data
• Breach notification
• More effective supervision and enforcement
• One-Stop Shop
Putting individuals back in control of their own data
This includes moves for explicit consent required for the use of data, the so-called ‘right to be forgotten’ and powers to take legal action against organisations that don’t respect these rights by complaining to the supervisory authority rather than going through the court system.
Portability of data
This is essentially about allowing users to extract their personal data from service providers in a structured format and to move that personal data to another provider. The idea stems from number portability in the mobile telecoms sector, and it’s about giving individuals more say over what happens to their data in practice and the ability to make an effective choice in the market.
According to the European Commission this measure lowers the barriers to entry in particular to those markets which are currently dominated by very few big players.
Breach notification
In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notification and is convinced of the case for a federal approach across the EU.
This approach is consistent with what’s known as ‘protection of privacy by design’ which means it’s about marketers investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services.
More effective supervision and enforcement
The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.
Data protection and data breaches have become much more serious and relevant and currently within the EU there isn’t a credible set of enforcement rules and sufficiently dissuasive sanctions.
In fact, it’s very fragmented: some countries have the power to impose financial penalties and some countries don’t appear to have that power.
The change in supervision and enforcement draws from the experience of competition law. The level of fines – up to 5% of global turnover or €100m, whichever is the greater – is a maximum and will apply to the most serious violations of the GDPR, where the principle of proportionality will apply, taking into account the impact of a data breach on users.
From a marketing and PR perspective, any breach carries the risk of damage to a company or organisation’s reputation so marketers must ensure that all data that is being used in marketing activities complies with the GDPR.
One-Stop Shop
The One-Stop Shop makes it easier for citizens within the EU to complain about infringement of their data protection and privacy rights under the GDPR. However, not everyone in the EU likes this, and the Council of Ministers in particular isn’t keen, but it could be won over to back this change as it’s a centrepiece of the GDPR as drafted by the European Parliament.
The way it works:
- when the decision involves measures to be taken vis-à-vis the controller or the processor – the imposition of a fine, an injunction or an order to put an end to certain processing – that decision is jointly agreed and will be formally adopted by the Data Protection Authority (DPA) of the main establishment
- when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it will be adopted by the local DPA, so that the decision can be challenged before a domestic court of the complainant
- where the local DPA isn’t able to reach agreement with the DPA of the main establishment, the matter will be referred to the European Data Protection Board (EDPB), whose decision will be binding on all parties. According to the European Commission this is a legally more robust position from the perspective of the Charter of Fundamental Rights.
Practical stuff for you to consider doing NOW
Don’t sit on your hands and adopt a ‘wait and see’ approach.
Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation.
However, two years is a shorter period of time than the average length of most business and marketing contracts, so the implications of the GDPR take effect not at some distant point in time but from TODAY.
For example, all contract renewals and new contracts that entail personal data transfer or processing will need to contain a clause that effectively says that once the new EU Regulation is passed, the third party has to supply to you, within a set time frame, its plans to become compliant with the GDPR.
Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.
For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.
Timescales are short because it’s a two-company process. But who’s responsible if the deadline isn’t met?
The answer is simple – it’s you as the data controller!
What penalties do you accept, and what do you pass onto the third party in such circumstances?
This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life. Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR.
Thanks to Ardi Kolah for sharing his advice and opinions in this post. Ardi Kolah is Director of GO DPO®. You can follow him on Twitter or connect on LinkedIn.