The General Data Protection Regulation (GDPR) – an EU-wide overhaul of consumer data laws aimed at strengthening the protection of people’s data privacy – was announced at the tail end of 2015.
The new laws won’t be finalised until later this year, and won’t take effect for another two years after that.
But in a talk I attended at Data Protection 2016 on Friday, two leading government figures did their best to tell the audience what to expect and explain why the reform is happening.
The talks came from Christopher Graham and Baroness Neville-Rolfe, the former being the UK’s Information Commissioner and the latter the Parliamentary Under-Secretary of State for the Department for Business, Innovation and Skills.
They are arguably two of the UK’s most knowledgeable people on the subject of data privacy, so I thought it would be useful to cover some of the key points from their talks.
The government is waging war on nuisance calls
A huge driver of this reformed legislation is the ever-present onslaught of nuisance telemarketing calls, particularly to the more vulnerable in society who rely on a landline phone.
“We should not dismiss (nuisance calls) as an unfortunate by-product of the rapid growth of data in marketing,” says Neville-Rolfe.
It is a form of harassment, she argues, citing one case in which a vulnerable woman whose landline phone was her only means of communication was left isolated and close to suicide following a barrage of intimidating telemarketing calls.
It was this incident that actually led to the recent exposé on charity fundraising practices.
Neville-Rolfe insists the government is not trying to undermine legitimate fundraising or telemarketing activity. But the actions of a minority, she says, are tarnishing the reputation of the majority.
The worst offender, a burglar alarm firm called Direct Security Marketing Ltd, made almost 40,000 calls a day between January and February this year, 10,000 of which were made between one and six in the morning.
Lots of firms have already been fined for breaching data laws
The firm mentioned above was fined £70,000 by the Information Commissioner’s Office (ICO), which has issued £2.5m in fines since January 2012.
In the week before this event alone it dished out £150,000 in penalties, and it expects to raise a further £1m before the end of the financial year.
But the fines are about to get MUCH bigger
Currently the ICO has the power to enforce penalties of up to £0.5m for nuisance marketers, but that figure is about to increase substantially.
While the exact figure is still to be confirmed, Graham says by summer 2018 it looks as if the ICO will be able to impose fines of up to €20m or 4% of global turnover, whichever is the higher figure.
He describes the new penalty cap as “eye-watering”, adding:
“It’s very important we remain a proportionate regulator, but the sky is the limit in terms of enforcement powers. People need to sit up and take notice.”
Despite the potential new powers for bigger fines, Graham is a firm believer that consumer behaviour trumps any kind of financial penalty when it comes to influencing shady marketing practice.
“You can make a quick buck,” he says, “but at the cost of damage to your reputation. The time and money it takes to rebuild confidence after a data breach can be as severe as any fine.”
He argues that with greater opportunities in data come increased risks.
“We used to think of data as the new oil, but it can also be the new asbestos. You have to manage the risks if you want to take advantage of the opportunities.”
It’s not just about punishing wrong-doers
Graham insists that the ICO is not just interested in dishing out fines and acting the bad cop, but rather hopes to use what he refers to as the ‘proportional positive partnership approach’.
He says the ICO’s mantra revolves around five Es:
- Enforcement – catching and fining those who break the law.
- Education – showing people what good practice looks like.
- Empowerment – giving citizens the power to assert their rights under the Data Protection Act.
- Enablement – unlocking the power of digital in the economy while respecting people’s privacy and rights.
- Engagement – working with business and the technical world to make sure we get the best from the digital economy.
The impact of a ‘leave’ vote in the EU remains unclear
The obvious question of the day was around the EU referendum, specifically how a ‘leave’ vote might impact on these new EU-wide regulations.
As you can probably imagine, the answers were somewhat politician-like. The general message was along the lines of: ‘We’re not sure what will happen but we can’t afford to waste four months of work waiting to find out.’
In other words: they’ll cross that bridge if and when they come to it.
Marketers are urged to “get it right now”
Despite the new regulations not coming into force until 2018, not to mention the fact they won’t even be fully agreed between EU countries until probably June or July, Graham urges marketers to start thinking about data privacy now, not just to stay within the law but to follow best practice.
“Lawyers and translators are poring over text,” Graham says. “We’re working hard to make sure our organisation is ready to be an effective partner and give advice very early on.”
Graham ended by saying:
“At its core, data protection is about simple things: respect, trust, integrity, and professionalism.”