A lack of guidance over the EU’s GDPR could cripple British businesses
There is no denying that the General Data Protection Regulation (GDPR) marks a great step forward for data protection in the UK and across Europe.
But with less than 16 months until it comes into force, it is critical for UK businesses to start preparing now.
However, although GDPR is the most powerful piece of data legislation ever to hit British business, we’re still no closer to clarity on its finer details, which organisations need in order to avoid the crippling penalties of non-compliance.
Specifically, the EU is yet to issue any firm guidance on the changes around consent and profiling, two aspects of data processing which are central to marketing practices. Consent, which is the permission given by an individual to allow the processing of their personal data, has been defined by GDPR as any ‘freely given, specific, informed and unambiguous indication of agreement’. However, what hasn’t been defined is whether ‘unambiguous’ means the same as ‘explicit’ and therefore requires opt-in by the data subject. It’s likely that the EU supervisory authorities will look for an active rather than passive action, but this hasn’t been defined in practice.
Similarly, GDPR states that data subjects are entitled to a number of rights with regard to profiling, that is, the use of personal data to analyse or predict other personal aspects about an individual. Under GDPR, profiling has been given comprehensive definitions; however, clarity is still needed on how these definitions translate into practice. This is a real cause for concern, particularly for the wide array of organisations that rely on these methods to better understand their customer base.
Last month, the Article 29 Working Party released a statement detailing its ‘GDPR Action Plan for 2017’, stating that guidelines on the topics of consent and profiling would continue to be developed into the second semester of 2017. Given this timeline, it is becoming unreasonable to expect businesses to be aligned with GDPR by deadline day in May 2018.
For example, to re-consent an entire marketing database, as would be required under the new rules, is no easy feat. To process a whole campaign around consent from start to finish, sourcing renewed permission from customers to hold their data, could take more than a matter of months. Without sufficient time to complete this, businesses risk wiping out huge chunks of their database, an asset considered by many as the ‘crown jewels’ in today’s information age.
GDPR will be instrumental in helping organisations understand what they can and cannot do when it comes to customer data. The regulation is much needed and, in my experience, responsible businesses are eager to comply. However, with crucial details still to be revealed by the supervisory authorities, the deadline for ultimate compliance needs to be reasonable. With that said, I would hope to see a 6-12 month grace period for businesses to align with the new GDPR standard come May 2018.
More imminently, the industry is in desperate need of leadership in order to stop customer communication activities stalling. The charity sector is currently at a fundraising standstill due to reprimands over its activities in relation to profiling and consent. And whilst some may have knowingly breached current data protection laws, I would suggest that the majority are simply victims of their own lack of knowledge. We can’t risk more British businesses and organisations being stifled by fear of ignorance and unknown consequences.
Admittedly, the Information Commissioner’s Office (ICO) is somewhat caught between a rock and a hard place when it comes to GDPR: under pressure from the data industry for direction, yet at the mercy of the Working Party for guidelines. The industry needs reassurance at this stage. We as a data business are constantly being asked for guidance in the area of profiling and consent, and are eagerly awaiting direction from above.