Businesses could be fined £76 million under new EU Data Protection laws
16th Jan // 2015 - This post is archived and may no longer be relevant
Within the next 12-24 months, new EU data protection laws will be enforced that will cause a massive shake-up in the way internet marketers and websites gather user data, with new enforcement measures and hefty fines being prepared for those who misuse personal information.
The changes to the current laws, which are still being discussed and finalised, aim to protect consumer data online. The biggest shock for brands over the next two years will be that explicit consent will now be required from the consumer as to what marketing materials they can be sent.
Why is it important to understand the new laws?
It is important to get a grasp of what the new laws will mean sooner rather than later, especially as the new legislation will potentially be implemented by the end of 2015.
The way brands gather data needs to change, and with huge possible fines of €100 million (£76 million) promised for the worst offenders, your business should start acting soon.
What are the new EU laws on data protection?
The new laws will likely be rolled out at some time between 2016 and 2017, but the exact date is yet to be confirmed. Businesses found in breach of the new legislation can be fined, as mentioned above, up to €100 million, or 5% of annual income (not just profit), whichever is larger.
Individuals will have the right to claim for compensation themselves, which could lead to a rather ironic situation with adverts like: “Have you been contacted by a PPI claims company? Then you could have a claim.”
Another big shake-up will be a new enforcement regime to ensure brands adhere to the new rulings, instead of the current culture of 'self-regulation' and best practice education. Internal slaps on the wrist will no longer be enough.
The long and short of it though is this:
Consumers must give explicit consent for the collection of their personal data, give explicit consent as to the usage of that data and agree explicitly to how their data is marketed.
Overall, your brand at some point in the near future needs to set out plans to explicitly comply with the new laws.
How to avoid the fines
As we are all major stakeholders in the digital world, the desire to help turn the internet into a more secure environment should be a long-term aim, or at least a notion being considered by all online companies. But let's face it, with the legislation looming, avoiding the hefty fines that can be dished out will be the primary focus for now.
To ensure they're whiter than white if the enforcers of the new rulings come calling, brands need to be able to prove consent. This can be helped by making the language used on data capture forms simple and explicit. You should also make privacy information clear and easy to access.
A familiar example of unclear wording is the sign-up form with tick boxes beneath asking things like: “Is it OK for us to send you occasional special offers and news updates from us? Tick and then un-tick then perhaps refresh the page and tick the box again to not agree.”
The language needs to be clear. Consumers need to opt in, not clumsily hope they've opted out by naturally un-ticking all visible boxes on the page even though one may have been an opt-out tick. Implied consent is no longer a viable excuse, nor a viable reason to throw customer email lists into new campaigns they don't yet know about.
What to do with user data
Consumers will now also have the explicit and enforceable right to be forgotten and to have their personal data totally deleted from businesses' databases.
This is a topic which has had Google hot and bothered recently, and other businesses should prepare systems that allow users to request such deletion from their archives.
What should I do now?
The EU is yet to release more information, timings or requirements regarding the promised legislation changes, which means it is difficult to put systems in place immediately to deal with the issue. Indeed, putting any process in place to regain consent from current user bases, or changing website policies and the structure of data capture, is a big job, which is why businesses have at least a year to make changes.
But a year or two will fly by, so before it's too late, it is worth pondering at this stage what changes your business may need to make and how you can put the wheels of change in motion.