Businesses that are not prepared for GDPR are risking far more than hefty fines, a panel of data protection experts has warned.


The event, organised by lead generation company Lolagrove on 25 May, tackled some of the biggest questions the industry has around GDPR.

The new rules come into force in May 2018 and include a requirement that certain organisations designate a data protection officer.

Here is a selection of what the data protection experts said in response to questions about fines, Brexit and changes to brands’ responsibilities for holding customers’ personal data.

1. Worse than a hefty fine, brands could lose all customer loyalty data

“On top of €20m (£17.3m) or 4% of global turnover, companies may be required to delete all personal data held for client service purposes and be prevented from processing personal data until key compliance criteria have been met, as happened to Loyaltybuild recently following a ruling by the Irish Information Commissioner,” said Ruth Boardman, partner and co-head of International Data Protection at international law firm Bird & Bird.

2. Brexit or no Brexit, GDPR applies

GDPR applies before Brexit and will continue once the UK is out of the EU, Boardman explained.

She added: “It will be retained by the ‘Great Repeal Bill’ and applies extraterritorially if offering goods/services or monitoring EU data subjects.”

3. What constitutes personal data? What about custom audiences?

“As a starting point, if you are singling somebody out, that is personal data. Even if you don’t use email or loyalty card data, you are trying to single out an individual and target ads at them, so that is personal data. If you use cookies to do so, there is an extra layer due to e-privacy regulations requiring you have consent to use or store information in a user’s device,” Boardman said.

For custom audiences, when you provide a hashed version of customer data to a social network, the network will need something to match that data to personal accounts, she added. “Hashing is a nice security feature but it doesn’t stop this being personal data. Which doesn’t mean you can’t use it, only that rules apply.”
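The point about hashed custom audiences is easier to see in code. The example below is added here and is not from the original article or from any platform’s documentation; it assumes the common custom-audience pattern of uploading an unsalted SHA-256 digest of each normalised (trimmed, lower-cased) email address, and all email addresses and account IDs in it are constructed sample data. The platform side holds the plaintext addresses of its own users, so it simply re-hashes them and joins on the digest, which singles out individual accounts; and because the input space is guessable, anyone holding a plausible address list can recover the plaintext behind an unsalted digest by enumeration.

```python
import hashlib


def normalise_email(addr: str) -> str:
    # Both parties must normalise identically or the digests will not match.
    return addr.strip().lower()


def hash_email(addr: str) -> str:
    # Unsalted SHA-256 over the normalised address (assumed upload format).
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def build_custom_audience(customer_emails):
    """Brand side: what gets uploaded is a sorted, de-duplicated list of digests only."""
    return sorted({hash_email(e) for e in customer_emails})


def match_audience(uploaded_hashes, platform_accounts):
    """Platform side: re-hash its own users' plaintext emails and join on the digest.

    platform_accounts maps plaintext email -> account id. The result is a set of
    account ids, i.e. identified individuals, which is why the upload is still
    personal data even though no plaintext left the brand.
    """
    wanted = set(uploaded_hashes)
    index = {hash_email(email): account_id for email, account_id in platform_accounts.items()}
    return {account_id for digest, account_id in index.items() if digest in wanted}


def recover_from_hashes(uploaded_hashes, candidate_emails):
    """Dictionary attack: hash each candidate address and keep those present in the upload.

    Returns digest -> recovered plaintext. Email addresses are a small, guessable
    space, so an unsalted digest offers little protection against anyone with a
    candidate list (purchased, leaked, or generated from common patterns).
    """
    wanted = set(uploaded_hashes)
    recovered = {}
    for candidate in candidate_emails:
        digest = hash_email(candidate)
        if digest in wanted:
            recovered[digest] = normalise_email(candidate)
    return recovered


# Constructed sample data (not real customers or accounts).
CUSTOMER_EMAILS = ["Alice@Example.com", "bob@example.com", "carol@example.com "]
PLATFORM_ACCOUNTS = {
    "alice@example.com": "acct-1",
    "bob@example.com": "acct-2",
    "dave@example.com": "acct-4",
}
CANDIDATE_EMAILS = ["alice@example.com", "dave@example.com", "carol@example.com"]


def demo():
    audience = build_custom_audience(CUSTOMER_EMAILS)
    matched = match_audience(audience, PLATFORM_ACCOUNTS)
    recovered = recover_from_hashes(audience, CANDIDATE_EMAILS)
    return audience, matched, recovered


if __name__ == "__main__":
    audience, matched, recovered = demo()
    print("uploaded digests:", len(audience))
    print("accounts singled out by the platform:", sorted(matched))
    print("plaintexts recovered by enumeration:", sorted(recovered.values()))
```

The two sets returned by `demo()` make the legal point concrete: the platform identifies `acct-1` and `acct-2` from digests alone, and an outsider with a candidate list recovers two of the three uploaded addresses without any key. A keyed or salted scheme agreed between the parties would stop the third-party enumeration, but not the platform-side match, which is the whole purpose of the upload; that is why the data remains personal data in the sense Boardman describes.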

4. Consent under the DPA isn’t enough for the GDPR

“The consents you obtained under the DPA (data protection act) are very likely not going to be acceptable under GDPR,” John Mitchison, head of preference services, compliance and legal at the DMA, said.

This is because the GDPR defines consent in a far more rigid manner. “Consent must be freely given, specific, informed, unambiguous, unbundled and granular. This does not include silence, pre-ticked boxes or inactivity.”

As a result, third-party data providers will be the most impacted by the GDPR. “Many companies do marketing with emails – through other people. Under the GDPR, you will need customers to opt in to a named organisation, not just categories or general third parties. It may close down a large portion of the third-party data industry,” Mitchison said.

Any company that doesn’t have a direct relationship with the person they’re targeting will have it really hard, Angela Mills-Wade, executive director of the European Publishers Council, added.

5. If you’re handling a campaign, you’re on the hook when things go wrong

When asked who takes the blame if things go wrong, Mitchison said: “It would depend on who is deciding which data is being collected and used by the campaign. The responsibility could be shared out between both brand and agency. It’s a good idea to have an agreement as to who takes responsibility for which stage of the campaign. While processors in the chain have their own obligations, particularly when they sub-contract, the controller is the main party held responsible and they need to make sure they are supervising the processors – either operationally, or in a contractual sense.”

Originally posted in Campaign, 30 May 2017