Amendments to personal data protection regulations are just around the corner and approaching fast. They will be of great importance for personal data processing. In May 2018, an EU regulation comes into force which will be binding for any entity which uses and processes personal data. This will be particularly important for people from marketing and sales departments and those who deal with customer service. What will it mean for marketing and communication professionals?
The current legislation has been in force since 1995 and, seeing the development of new technologies, has become largely obsolete. The basis for the new regulation will be the issue of the security of data already stored in our systems and profiled for the purpose of marketing campaigns. By introducing the same level of personal data protection for all EU citizens and facilitating transboundary operations, the new regulation is going to respond to the challenges of the contemporary market. What should we pay special attention to?
1. Data security must be ensured at all the stages of a project. The new regulation mentions two very important principles, i.e. Privacy by Design and Privacy by Default. Personal data protection will be the basic element of each project, starting from the design phase and ending with default settings of each software.
2. All systems will have to be described. If audited, we need to demonstrate that we ensure personal data protection at all the stages of our operations. Companies are obliged to describe their actions step by step.
3. If we outsource personal data processing, it is important to adequately share liability for a security breach (the new regulations require relevant amendments to be introduced in contract).
4. Marketing consents for the processing of data will have to be obtained accordingly. Such consents must be unambiguous, clear and explicit and, most importantly, voluntary. The person whose data we are collecting should also be able to quickly and smoothly withdraw their consent.
5. In case of a data security breach (e.g. information leak), we will be obliged to report such an incident within 72 hours to competent authorities. In our case this is GIODO (Inspector General for Personal Data Protection). In many cases, companies will be obliged to inform their customers about it
The new regulation also means new high financial penalties, which is why it is worth taking a look at the new guidelines and starting to introduce the necessary changes. Major breaches may trigger penalties up to EUR 20m or 4% of the company’s global turnover. New regulations will come into force in 2018, so it is worth preparing already in order to prevent any potential risks while ensuring continuity of business development.