Third-party data breaches will see brand owners held accountable by ICO

EU's stricter data law will prove to be a tougher obstacle for businesses to overcome compared to the expectations set by the European Council's summer update.

Third-party data breaches to be attributed to brand owners under ICO's regulation
The General Data Protection Regulation (GDPR), a single law aimed at unifying data protection compliance in EU member states, was agreed upon by the European Council on 15 June 2015. This regulation is set to bring significant changes for businesses across the European Union.

The GDPR will require companies to prepare for a substantial increase in requests for full information held on individuals. Under the new law, Subject Access Requests will be free, potentially leading to a large increase in requests, especially in sectors like finance.

The level of consent required to use personal information has been tightened. Consent must now be freely given, specific, informed, and an explicit indication of a consumer's wishes. This means businesses will need to re-evaluate their current consent practices.

New developments in the GDPR are expected to include stricter practices, such as tightening of consent levels and restrictions on web analytics and profiling. The European Parliament is pushing to introduce consent for all profiling.

Justice and home affairs ministers consider that pseudonymous data should be treated as a subset of personal data. This expansion of the definition of personal data to possibly cover some IP addresses and cookies as 'online identifiers' will have implications for businesses that rely heavily on data. The cost for such businesses will be substantially more than the average figure.

Agencies and third-party data processors face high costs due to staff training, predicted to be £7,500 per person, because everyone involved in data use will need to be familiar with the complexities of GDPR. The burden of proof to demonstrate that the correct consent conditions were obtained will be on the brand owner or agency.

The Information Commissioner's Office (ICO) has stated that it will target brands as well as third parties if the latter have been responsible for breaching the rules. This means any irregularities within agencies while using client data will be considered the responsibility of both the client and the agency or third-party processor, and both will be subject to fines and the resulting publicity.

The rules on data breaches are likely to be changed, requiring the ICO to be informed within 24 hours and consumers within 72 hours, with detailed reporting required. Fines for businesses that break the GDPR can reach up to €1 million or 2% of company turnover.

The GDPR followed a one-year review of the proposed law, which had previously been reviewed for two years by the European Parliament. The Council, Commission, and Parliament form the 'trilogue' involved in the legislative process of debating what will be included in the GDPR. The lead negotiators in the trilogue talks on GDPR amendments were the European Parliament rapporteur Jan Philipp Albrecht and representatives of the EU Council and Commission.

Dene Walsh, operations and compliance director at Verso Group, stated that the new GDPR will be tougher on marketing data and communication, giving competitive advantage to those that follow good data practice. The estimated cost for UK companies is £47 billion in lost sales, and £2.73 billion in preparation, averaging £76,000 per company. However, compliance with the GDPR could provide a competitive edge for businesses that prioritise data protection and privacy.
