European Data Protection update. Winter is getting closer.

We’ve written before that Winter is Coming for businesses that collect customer data.  Just as Game of Thrones is reaching a conclusion, the European Data Protection Regulations are now defined and will be arriving in legislation in the not too distant future.

So if you are collecting customer data, or using digital marketing in any way, you need to be aware and you need to be prepared.

“We used to think that digital is the new oil. It’s also the new asbestos. You have to manage those new opportunities”.  Christopher Graham, UK Information Commissioner.

The handily named EDPR (EU Data Protection Regulations) have now been agreed within Brussels.  So the rules of the game for direct and digital marketing will change in the not too distant future.

Even if the UK opts out of the EU, given that the Data Protection legislation is in dire need of an update, I’d expect the majority of these changes to come into force in 2017.

Understanding the impact of these changes will allow you to make the necessary adjustments to how you work – changes that could potentially save a lot of time and effort in the future.

Of course, such changes can also create new opportunities.  As a business that provides data driven software we’ve been awaiting these changes for some time and have already started work to make sure that ‘we’ and our clients will be in line with these changes.

What you need to know about the EDPR (European Data Protection Regulations)

I’ve tried to summarise the key points from the EDPR.  Consider this a very brief summary, to give you the top line information.  Please check sources such as the DMA and the Information Commissioner’s Office for full detailed information.

 

It’s still ok to use the personal data you collect for marketing

Apologies for the legalese on this, but it is a starting point.

It’s recognised that marketing to people based on the personal data within the customer data you process may be regarded as a legitimate interest.

 

But be aware of what the term ‘personal data’ now means

Personal data now means ‘ANY’ information relating to an identified or identifiable person.   A person can be identified or identifiable through a name, an identification number, location data or an online identifier.

 

This might include online identifiers such as cookies

But it also might not.  It depends how you use this information.  If the cookie is used to identify ‘me’ then that is ‘personal data’.

However, if the cookie is used further down the ‘online-ecosystem’ (great phrase from the DMA) and is ‘non-identifiable’, in that the data can’t be used to identify anyone, then that is unlikely to be considered as personal data.

Note the language.  The cookie bit in the personal data ‘specification’ is yet to be fully and wholly defined.   A case currently at the German Supreme Court is likely to define when a cookie is and when a cookie is not ‘personal data’.

 

Either way, you are going to need to prove you have my permission

The laws on marketing consent are going to get tighter, but you don’t yet need to operate ‘explicit’ consent.

What you do have to do is be transparent in how you are going to use the personal information you collect.  Be clear and concise about this when you collect personal data.  Don’t hide this information in item 12B of your terms and conditions.

 

Of course, make sure you allow people to opt out from your marketing

Make it clear and easy for people to opt out of your marketing communications.  And if they do opt out, you are unable to use their personal information any more.

 

Keep the door open.

If I want to see what personal information you have on me, you have to provide it to me, free of charge. Their personal information can no longer be processed for marketing purposes.

 

And people could opt out from profiling (if you aren’t clear)

But this depends on how you use ‘automated decision making’ – if it adversely or legally affects them then someone could opt out from profiling.

However, if you are clear in your terms and conditions in relation to personal data, and someone’s already agreed to it, then they can’t opt out.

Or if the Government needs someone to run automated decision making on your personal data, then they can do that.

 

Here’s what you also may or may not need to do…

If you are a ‘high risk processor’ of data, then you need to appoint a Data Protection Officer.

The minimum age for registering with digital services could rise from 13 up to 16, but that is to be defined for the UK.

 

If you are building technology then…

Data protection safeguards should be built into products from the earliest stages.

Pseudonymisation and other privacy-friendly techniques are encouraged.

Pseudonymisation being the concept of personally identifying information.  That is, any “personal data,” which is defined as “information relating to an identified or identifiable natural person ‘data subject’,” is considered to fall within the scope of the Regulation.

 

The Teeth.  These regulations now have bite.

  • Fines for companies that breach the new regulations could run to 4% of global turnover.
  • And a single ‘one stop shop’ to police data businesses regardless of where they are in the EU.

So the data driven marketing world is changing rather than ending, and changing for the better in our opinion.

Those businesses that add value in their marketing, and send marketing that is relevant to their audience, will continue to be successful and should be able to meet the European Data Protection Regulations with a minimum of fuss.

If you’d like to talk to us about how we can help you to manage your customer data and make sure your email marketing is relevant, targeted and super successful, please get in touch.