GDPR – and they think it's all over!
Well, May 25th has been and gone and, like the millennium bug (remember that?), our whole marketing software infrastructure hasn't imploded. At Napier we ran our own internal Data Protection Impact Analysis (DPIA) project to establish what we needed to do to meet the obligations of the incoming GDPR regulations.
We assessed our inbound and outbound data flows, which of the 6 types of legitimate interest we had for processing data, and the forms and preference centre for our own marketing activities, and lastly updated our policies and procedures accordingly to deal with individuals' rights.
It's been a good exercise for making sure we have the correct systems and processes in place, many of which haven't changed from the previous data protection laws.
In B2B marketing there has been much debate about whether you need to have consent to send email communications or whether it's better to use one of the other legitimate interests: contract, vital interest or direct marketing.
If you have used direct marketing as your legitimate interest, don't think you can rest on your laurels, as there is another set of regulations to consider.
Going by the snappy name PECR, the Privacy and Electronic Communications (EC Directive) Regulations govern email marketing. They were originally implemented in 2003 as an EC directive. Being a directive, the UK can choose how it gets implemented, and it currently allows businesses the freedom to email other businesses. It was updated in 2018 by the incoming GDPR regulations as the definition of consent has changed, with the new version of PECR called ePR, but more importantly the EU wants to further update/upgrade it in 2020.
The EU wants to upgrade it to a regulation whereby all EU countries are obliged to implement it. It could mean the end of email marketing based on legitimate interest, only allowing email marketing by consent. Like GDPR, if ePR is ratified before the exit, it will become part of the package of EU laws that are in the UK's withdrawal bill.
So, if you decided on direct mail as your legitimate interest to process your data to carry on sending emails, you might want to spend the next two years thinking about how to transition your activities to a consent-based approach in readiness, in case ePR becomes a regulation.
You didn't believe it would be all over before Euro 2016? 'EU-US Privacy Shield inadequate' claims data protection watchdog.
Following on from my earlier post "One step forward to the NEW EU-US Privacy Shield agreement", I wanted to provide an update on the state of progress on agreeing the original 2000 Data Protection Safe Harbour Agreement.
Over the weekend, the European Data Protection Supervisor (EDPS) made it clear the EU-US Privacy Shield had to undergo "significant improvement" before being in a position to be adopted. Designed to replace the existing Safe Harbour agreement that was declared invalid back in October 2015, the new pact was supposed to be ratified in June, which doesn't look like it's going to happen in time.
"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny," wrote the EDPS Giovanni Buttarelli.
While Snr Buttarelli's statement doesn't mean the pact will be scrapped and we have to go back to the drawing board, his comments reflect the concerns expressed by the European privacy regulators and the Article 29 committee. The EU's main concerns are centred around the possibility of "massive and indiscriminate bulk collection of its citizen information" by US authorities and the need to provide adequate oversight, transparency, redress and data protection rights.
Ah well, Rome wasn't built in a day!
One step forward to the NEW EU-US Privacy Shield agreement – it's a marvel, or is it?
Since the old data protection safe harbour agreement between the US and EU was declared invalid in October 2015, there's been much anticipation about whether there was going to be upheaval to the data processing laws, posing greater restrictions on companies transferring data onto servers outside the EU jurisdiction.
Without any safe harbour agreement, any company that stored individuals' data in the US would have had to segment its database, repatriate that data back to its country of origin and then delete any trace of it. This would have been a massive undertaking and hugely expensive for all concerned.
There has been a new draft agreement between the European Commission and the US. Announced on the 2nd February and still undergoing political ratification, it imposes new, tougher, enforceable rules on companies handling Europeans' personal data. It included three key features:
- Strong Obligations for Companies’ Handling of EU Citizens’ Data
- Clear Safeguards and Transparency Obligations for U.S. Government Agency Access
- New Redress and Complaint Resolution Mechanisms for EU Citizens
Following the Snowden episode, the US has had to provide written assurances that law enforcement and national security agencies are subject to clear limitations, safeguards and oversight mechanisms to prevent unauthorised access to or use of personal data. There is also a clearly defined process for EU citizens who consider that their data has been misused to seek redress without any charge, and a new ombudsman will be created. Many still believe this isn't enough.
As to getting the new safe harbour agreement in place, earlier in March the European Commission published a range of documents that underpin the Privacy Shield. Included in those papers was a draft 'adequacy decision' of the Commission, which outlined its view that data transfers to the US made under the EU-US Privacy Shield will correspond to EU data protection law requirements. The privacy principles that businesses will have to comply with if they sign up to the Privacy Shield were also detailed in the documents published by the Commission.
A committee made up of representatives from national data protection authorities based across the EU, known as the Article 29 Working Party, said it would "now assess these documents in order to give its opinion on the level of protection afforded by the EU-US Privacy Shield".
We expect that opinion in mid-April.
Further reading:
http://www.itic.org/safeharbor
https://iapp.org/news/a/we-read-privacy-shield-so-you-dont-have-to/