Despite considerable technological advances of recent years, the rise of social media and the big data boom, data protection laws have not significantly altered over the past 20 years.
In Europe, the current EU Data Protection Directive 95/46/EC does not consider important aspects like globalisation and technological developments like cloud computing sufficiently.
To address the gap between legislation and technology, and to unify data protection law within the European Union, the European Commission is planning a comprehensive reform of the data protection law, which will take the form of a new General Data Protection Regulation (GDPR).
The following video explains to consumers how the new ruling will be designed to put them in control of personal information and safeguard their right to personal data protection:
The first draft of the GDPR was released in January 2012 and following numerous proposed amendments by the European Parliament and the Council of Ministers, these parties recently met with the European Commission to begin negotiating a final version.
As the last lap of talks begins between the EU institutions, German MEP, Jan Philipp Albrecht tells us in the following video, why he thinks the new law would be a huge boost to EU companies doing business online:
The new regulation is expected to be adopted later this year or early in 2016. It will automatically apply to all 28 EU member states and will become enforceable across EU countries after a two-year transition period.
Although the two-year transition period may seem excessive, complying with the new regulation will involve significant organisation and resources: a single company may need to involve its IT, marketing, legal and compliance, management and business teams. Considering the timescales involved in developing and implementing large IT projects alone, the two years will pass fairly quickly for some firms.
As a result, several prudent businesses will be considering the effects of the regulation and discussing plans already.
The major change for UK businesses is the increased scope of the regulation. Currently, data protection legislation only applies to:
This means that pseudonyms, IP addresses and other unique reference numbers are not classified as ‘personal data’ unless the data controller can combine them with other information (such as email addresses) to identify an individual.
However, under the GDPR this is set to change, and any data that directly or indirectly identifies an individual will be considered personal. This means that any unique identifiers or pseudonyms will become personal data when the regulation comes into effect.
Many businesses currently use pseudonymous data as a means of sidestepping data protection laws, but this legal loophole will be closed when the GDPR is enforced.
A key issue still to be negotiated is whether or not pseudonymous data should be subject to less stringent compliance requirements - a decision that is opposed by many data protection regulators and privacy rights groups.
The three legislative bodies (Parliament, Council and Commission) all agree that pseudonymous data is a subset of personal data, but there is disagreement as to whether it should be subject to the same requirements as conventional personal data.
In order to prepare for the new regulation, businesses will need to review the types of data they hold (sensitive, personal or pseudonymous) and where possible try to use pseudonymous data over personal data, as it could benefit from less stringent compliance requirements.
Another area for debate under the regulation is customer profiling, which is broadly defined as:
“any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.
As this definition could be deemed to include any form of data analytics, any changes in this arena are likely to significantly impact data-driven businesses.
It is anticipated that the regulation will require businesses to obtain the permission of the data subject (the person to whom the data relates) before profiling them, unless the company has a statutory basis for profiling, such as crime prevention or detection. This will make it considerably more difficult for firms to use personal data for analytics.
It is currently possible to profile customers using personal data, provided it is for a legitimate purpose and does not unduly infringe the individual’s rights and interests. Companies have also been able to profile customers without consent by using pseudonymous data.
Under the new regime, the standard of consent is expected to change so that it must be ‘freely given, specific and informed.’ In addition, ‘the individual must have a genuine choice as to whether to give consent and be able to withdraw consent without detriment.’
This would mean that companies who engage in personal data analytics will need to start telling individuals that they are carrying out profiling, the details of the profiling and the implications, before providing the individual the opportunity to opt-in or opt-out.
Due to increasing public concern about the ways companies use personal data, it is likely that many customers will refuse to provide their consent.
Although it is important to give individuals control over their personal data, this could significantly hinder data analysis and innovation – even in areas where it could be used to improve people’s lives.
Businesses will be required to meet the issue head-on and consider their marketing strategies and customer engagement more carefully.
It will become increasingly important to gain the trust of customers if companies want to continue using and benefitting from personal data – using appropriate customer terms and legally compliant consents.
If you or your staff breach data protection legislation, it can leave your business exposed to costly liability claims.
Make sure you’re adequately protected with a professional indemnity insurance policy from Be Wiser Business Insurance.
Call us today: 0800 231 5100 from a landline and 0333 003 3299 from a mobile.