[This article has been updated since its original publication date in January 2016 to reflect the updates and changes made to the GDPR.]
The European Parliament finally reached agreement on the reforms to data protection rules in December 2015 to harmonise data protection across the EU. Technically there are two instruments: the General Data Protection Regulation (GDPR), which focuses on personal data, and the Data Protection Directive (for the police and criminal justice sectors, to protect the data of victims, witnesses and suspects of crimes).
The Regulation and Directive were formally adopted by the European Parliament on 14 April 2016 and will enter into force in May 2016. This means they will apply in law in May 2018 (the Regulation from 25 May 2018, while the Directive has to be transposed into member states’ national law by 6 May 2018). The key changes include:
- strengthening the ‘right to be forgotten’ so individuals can have their data deleted permanently
- enabling easier access and portability of data
- ensuring consent must be given – either by a direct statement or by evidence of clear affirmative action. With regard to children, this means the specific consent of the parent (the age threshold will be defined by individual Member States within a range of 13 to 16 years).
- more transparency on how data is handled
- giving users the right to know when their data has been hacked, i.e. companies must notify the ICO immediately about any data breaches
- making companies whose core activities involve data processing more accountable, by requiring them to have data protection officers and to maintain appropriate data protection settings and safeguards at all stages of contact
- data protection by design and default at the core of EU data protection rules, so that safeguards are built into products and services from the start.
So marketers will need to obtain “unambiguous” consent before using consumer data (with harsher penalties for breaching this regulation), but at least the term is less onerous than the original suggestion of “explicit” consent. However, the “clear affirmative action” required means the current tendency to accept silence and inactivity will definitely not constitute consent.
The right to opt out of profiling is also strengthened – marketers will need prior consent or a clear statement included in contract terms. But if organisations can ensure safeguards and privacy-friendly techniques are built into their communications, compliance will come easily (especially since organisations that already comply with the current rules will find the changes not too onerous).
The Information Commissioner’s Office has published a 12-step guide on how to prepare for implementing the GDPR in your business.