Rafi Azim-Khan: gives the lowdown on EU data laws
A view from Rafi Azim-Khan

A perfect storm of European data law changes

Recent months have seen major data protection law changes that affect not just UK or EU companies but any companies deemed to be caught by processing EU data. Further seismic changes are also afoot, writes Rafi Azim-Khan, head of marketing law and data privacy at global law firm Pillsbury.

These changes will have a significant impact on advertising and marketing companies that are increasingly turning to the deep use of customer and 'big data' to deliver enhanced targeting.

New fines increasing penalties from £5,000 to £500,000 per offence, implementation of the E-Privacy Directive (and new restrictions on cookie use, tracking and customer profiling), a newly appointed enforcer in the UK, website policing for the first time, not to mention the new European Data Protection Regulation which is on the horizon, have helped focus attention on what has been for many a bothersome or dull compliance topic.

Failure to take appropriate action on the back of these developments could prove an expensive and damaging mistake.

Increased prosecutions/fines

The push for much more aggressive fine levels and enforcement is actually the end result of too many companies taking a half-hearted approach to data protection compliance, a view expressed by the enforcers along with increasing impatience and a greater appetite for enforcement action.

Next year may also usher in further grandiose changes with proposals to beef up and alter the current main Directive. There will be numerous changes.

A key part of the new regulation is even larger fines – 5% of global turnover for data protection breaches have been proposed.

Such elements are combining into quite a perfect storm of significant increased risk, higher fines, more aggressive enforcers and less time to get one’s house in order.

Does this affect you?

Does your organisation process personal data in Europe? Do you really have the consent of individuals whose data you process? Do you transfer personal data from Europe? Does your organisation use cookies on a website which is aimed at European customers? How about sending marketing emails to Europe – does your organisation do this?

If any of these questions resonate with you, you should urgently consider acting now given these developments.

What changes may catch you out?

Firstly, it is much easier for the enforcers to fine you as some of the new powers allow on-the-spot fines without going to court. The UK Information Commissioner’s Office (ICO) has already started to use these new powers.

In terms of further developments, social media activity, as well as what you say or don’t say on your corporate website, has become much more complex, with regulatory codes that did not previously apply, now biting.

Companies need to review their websites and use/exposure on Facebook, Twitter etc, as well as how they use any data collected via the same.

Laws relating to the use of cookies and customer profile/tracking data under the EU E-Privacy Directive also changed back in 2011 and users must now opt in with regards to their use before they can be used/set, significantly changing the way websites operate and giving all those who conduct e-business in Europe some homework to do.

European Regulators announced a "cookie sweep" day in September 2014, carrying out random spot checks on websites to assess for compliance with EU cookie laws, with further sweeps scheduled.

Businesses should therefore be checking their websites and cookie notices now to ensure they are compliant and fix any issues.

Additionally, on the issue of what constitutes consent there has been important EU Working Party clarification which affects the way many have been operating to date, particularly requiring explicit consent (rather than implied).

What changes are on the horizon? How will this affect my business?

The new regulation is expected to be finalised during the course of 2015 and, once implemented, will take effect across Europe. Key proposals on the table include:

* Icon based privacy notices – this new concept would require information to be provided to individuals in two ways: (i) an icon-based table; and (ii) a detailed notice, essentially requiring businesses to update privacy notices/policies;

* Appointment of data protection officers – currently, all businesses processing personal data relating to 5K or more data subjects in any consecutive 12-month period would be required to appoint a data protection officer (who must meet certain minimum criteria to be appointed);

* Introduction of a data protection "seal" – this scheme would encourage businesses to certify their processing with a supervisory authority. It is envisaged that if "certified" this would potentially provide businesses with lawful grounds to transfer their data outside of Europe.

Whatever the weather, businesses processing personal data cannot afford to stand still and will need to react to the regulation in some shape or form.

So what should we do?

'Privacy by design' has been the mantra coming out of the EU for a while now. To keep enforcers at bay a company should conduct a fresh audit that highlights awareness of the recent changes, changes on the horizon and how they affect the company.

In many cases, next steps will mean appointing/revising data privacy officers/teams and auditing how and where data is used, what consents they have/don’t have and importantly what data is being transferred around the world and to where.

Key 2014/2015 board agenda item

In short, businesses, wherever they are based, that deal with data in the EU, need to urgently revisit what they are doing, what procedures, policies, standards, documents they are using and whether they are in fact as compliant as they think they are, given the new landscape, recent changes and the further pending changes.

The storm of new laws, new fines and enforcement, with more coming shortly, should quite rightly fast track this to the top of board agendas.
