Law & Regulation: What You Need to Know to Safeguard Customer Data
Jonathon Little, Partner at Jones Day, talks about what changing data protection laws mean for global customer experience and insight professionals.
2016 has been a big year for data privacy. After more than four years of consideration, the EU has implemented a fundamental review of its data protection laws. Consequently, an updated regime will come into force on 25 May 2018. This will, for the first time, extend the scope of the EU data protection rules to many businesses located outside Europe, increase the obligations on those processing customer data, and significantly raise maximum penalties for non-compliance.
Against this backdrop of increased regulatory scrutiny, it is vital that any business looking to analyse personal data to improve customer experience is aware of and complies with these rules. This article highlights the key changes to data protection rules and suggests areas that businesses should review to check that they are ready for the new regime.
A Changed Regulatory Approach: What You Need to Know
The current data protection rules mean that businesses can only process personal data when one of a list of conditions is met, for example, where there is data subject consent. Processors must follow eight “data protection principles”, including obligations to process personal data “fairly and lawfully” and to apply an “appropriate” level of security.
Businesses can only transfer personal data outside the EEA in limited circumstances or under approved arrangements. Individuals have rights to object to marketing and some profiling activities. While this basic structure of regulation is being retained, customer experience and insight professionals should note that the new rules will mean that many of the obligations will be tightened.
A different approach
- The General Data Protection Regulation (GDPR) takes the form of a regulation which means that it will be directly applicable in all EU Member States without the need for national legislation. At present, each Member State has adopted legislation to implement a common directive which has led to significant differences in approach between countries.
- There will be a “one-stop shop” approach to regulation and a single national authority will regulate all processing activities of a business across the EU. This will typically be the authority of the “main establishment” of the business.
- The new rules will also apply to non-EU based companies offering goods or services (even if free) to EU residents or monitoring their behaviour. This is a significant development as currently the EU data protection rules only apply to EU entities or those using EU-located equipment.
- Both the existing and the new rules only apply to information if it is “personal data”. However, this is defined very broadly by the GDPR, expanding the existing concept to include any situation where an individual is likely to be “singled out,” whether directly or indirectly. It is likely that this will catch cookies and IP addresses.
Tighter conditions for processing
- Individuals are always able to withdraw consent.
- If consent is “bundled” as a condition for a contract then this is likely to cause issues as to whether consent was freely given.
- For the first time there will be specific rules for consent given by children and the approval of a parent will be required for those under 16.
Requirements for planning and system design
- CX and insight leaders must consider data protection and privacy in planning their systems and activities (“Privacy by Design”).
- Significant data projects, such as systematic and extensive profiling, must be preceded by a data protection impact assessment.
New rights for individuals
- Customers will have a new right to be forgotten, which will require businesses to erase their personal data.
- Individuals will have a right to data portability, allowing them to request a copy of their personal data or ask that it be transferred to a new supplier.
Data Protection Officers
- Companies will need to appoint a Data Protection Officer if their core activities involve processing personal data in a way that requires regular and large scale monitoring or large-scale processing of “sensitive personal data” (data on race, health, religion, belief, trade union membership or sexual life).
- There will be a general obligation to notify data breaches to the authorities and, where there is a high risk to individuals, to the data subjects themselves.
- Notifications to authorities must take place within 72 hours of discovery of a breach.
Enforcement
- The maximum penalties for breach will increase to the greater of Euro 20 million or 4 per cent of worldwide annual turnover.
An Outline Approach to Compliance
It is important for businesses working with data to understand that making the necessary changes to take account of the GDPR will take time. It’s likely to be an extensive exercise and one that should be approached seriously. The changes made by the GDPR will have a major impact on any company carrying out data analytics. The necessary changes are likely to require significant amendment to marketing strategies, profiling activities and IT systems.
Companies should start by reviewing their current use of personal data and the policies, systems and consents connected with this. Particular care should be taken to identify the occasions in which personal data is recorded and to confirm that either the necessary consents are being obtained or that there is an alternative legitimate basis for processing.
Once the current uses of personal data have been identified, companies will need to turn to the changes made by the GDPR. In particular:
- “Privacy by design” and the need to make impact assessments before large projects mean that data protection needs to be considered at an early stage together with IT and marketing strategy.
- Privacy policies will almost certainly need updating.
- Where processing depends on consent then this will need to be reconsidered. Consent forms must meet the new requirements. Particular care is needed where children are concerned.
- International transfers of personal data should be reviewed.
- IT systems will need to take account of the new rights to be forgotten and of data portability.
- Systems and processes will be needed to ensure that data breaches can be notified in time.
A Word About Brexit
Brexit is a big issue for UK-located businesses.
From 25 May 2018 the GDPR will apply in the UK unless Brexit has already taken place. After Brexit, the GDPR will no longer apply as a matter of UK law (although it will still apply under EU law to UK businesses in relation to sales and monitoring activity in the EU).
From the date of Brexit the UK can in theory choose its own data protection rules. However, in practice this freedom will be significantly constrained by the EU data transfer rules. EU law prohibits the transfer of personal data to countries lacking ‘adequate’ data protection.
This standard is increasingly seen as requiring substantially equivalent rules.
The UK will face a choice. It can either apply data protection rules that are ‘adequate’ which is likely to mean similar to the GDPR (perhaps with lower penalties) or it can accept that UK businesses will be subject to the same restrictions that currently apply to data transfers from the EU to the U.S. or Asia. These require use of the EU Standard Contractual Clauses, Binding Corporate Rules or bilateral arrangements and can lead to cost and complexity.
The views and opinions set forth herein are the personal views or opinions of the author. They do not necessarily reflect views or opinions of the law firm with which he is associated.