Furniture News #325

Page 26


RESOURCES EU Data Law – an update

THE AUTHOR

Dene Walsh is the operations director of lead generation service Verso Group, and is responsible for data compliance at the company. He also plays a leading role in compliance in the data sector as a whole as a member of the Direct Marketing Association’s contact centre and telemarketing council. W versogroup.co.uk

Be prepared for changes to data law

After outlining the threat to retail marketing of the new EU General Data Protection Regulation (GDPR) in the September issue of Furniture News, Dene Walsh returns with news that some data marketers face a triple data regulation change on top of the finally agreed EU law – thankfully, the Information Commissioner’s Office (ICO) is stepping up the assistance it provides to aid compliance …

Although Brussels has completed a U-turn on the terms of the new EU data law that was threatening to undermine the capability of marketers, it is now domestic regulators that are posing new challenges.

A parliamentary Select Committee has announced it wants the Government to introduce much stricter data laws that go beyond the recently-announced EU GDPR law. The committee believes that current sanctions have not been an effective deterrent to rogue marketers, and a key part of its recommendation is introducing criminal sanctions with the aim of focusing the minds of business leaders to ensure data protection policy is treated with greater importance.

At the same time, the ICO is introducing a policy of actively seeking out data offenders rather than investigating complaints, and is reviewing its guidelines with a view to introducing tougher regulation – plus it will double in size this year, and may move into bigger premises.

In addition, Ofcom has completed the consultancy period of a review of rules as part of its initiative to introduce more control in the way businesses are allowed to communicate by telephone with customers and sales prospects. As yet there is no date for publication of regulation changes.

Although some marketing departments will have to understand and adopt multiple rule changes, the ICO is providing practical support to assist in meeting new regulations. It has introduced an online self-assessment tool that enables users to identify all of the considerations necessary under the Data Protection Act, at https://ico.org.uk//fororganisations/improve-your-practices/dataprotection-toolkit/index.html

In addition, the ICO has produced a 12-step guide to preparing for the new EU data law, and accompanying guidance on the overall context of the change to come. It highlights the fact that many of the principles in the new EU legislation are the same as those in the current Data Protection Act. It points out that if companies are currently data compliant then the foundations for meeting GDPR regulation will be in place already. The guide issued by the ICO is as follows:

1. Awareness You should make sure that decision makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Legal basis for processing personal data You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

7. Consent You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Children You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

9. Data breaches You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data protection by design and data protection impact assessments You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

11. Data protection officers You should designate a data protection officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.

12. International If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
