This document summarizes the proposed new EU data protection law, expected to take effect from February 2017, and recommends steps businesses can take to avoid penalties for non-compliance. The key changes include stricter consent requirements, fines of up to 2% of worldwide turnover, enhanced data subject rights, and additional obligations such as mandatory data protection officers and breach notification within 24 to 72 hours. The document advises businesses to assign responsibility, provide training, review policies and supplier agreements, keep registrations up to date, assess intra-group transfers, and plan their response to security breaches.
CASE STUDY: New EU legislation: how to avoid data disaster
1. New EU data protection law
How to avoid disaster
Stephen Groom
2. osborneclarke.com
Osborne Clarke
• An international law firm
• 600 lawyers
• 8 countries
• 18 offices
• 6 key sectors including digital business
• Leaders in marketing and privacy law
• Marketinglaw.co.uk
3. Current data protection obligations in a nutshell
(Slide diagram: obligations arranged around the two hubs "Knowledge / Consent" and "Data protection obligations")
• Restrictions on transfers outside the EEA
• Keep data accurate and up-to-date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt-in / opt-out consent for email / SMS marketing
• Screen against TPS / FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)
4. New data protection obligations from February 2017?
All of the current obligations above continue to apply, plus:
• DPO requirement
• Enhanced data subject rights: right to be forgotten; data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (up to 2% of worldwide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Profiling only with explicit prior consent
5. Non-compliance – the penalties
Key regulator weapons and other impacts
1. Fines – on the increase:
• UK (ICO has had power to fine up to £500k from April 2010)
2. Weapons used by National Regulatory Authorities:
• Good Practice Assessments
• Enforcement Notices/Undertakings
3. It's not just about fines
• Negative impact on share value
• Customer and staff perception and trust
• Brand damage
• Diversion of time and resources
6. Increase in Enforcement
2013/4 marketing law milestones
• June 2013: ICO fines Save Britain Money £225,000 for nuisance calls
• December 2013: ICO fines payday lender First Financial UK Ltd £175,000 for spam texts
• January 2014: Spain – jewellery companies first in Europe to be fined for non-compliance with cookie laws
• January 2014: UK High Court, Vidal-Hall v Google – behavioural targeting (ongoing)
• February 2014: Trading Standards criminal prosecution against cold callers Apple Group Holdings, £36,000
• March 2014: "serious breach" £500K hurdle may be lowered to "serious nuisance and annoyance"
8. Data privacy and marketing
The bottom line
• Stricter data protection laws are round the corner,
• enforcers are taking more action under the existing law, and
• the threshold for six-figure fines is likely to be reduced,
• so doing nothing until the new data protection laws arrive is not an option.
9. Technology and business trends
What makes our phone ring?
• Cloud computing
• BYOD
• Location marketing
• Tracking / Cookies
• Social media
• Digital sales
• Near field communications/payments
• Outsourcing / offshoring
• Telematics/vehicle tracking
• Smart meters, grid, devices, home…
• Global HR systems
10. (1) Assign responsibility
Bite the bullet and appoint a DPO
1. Assign ownership (and budget)
Time to appoint a DPO (law may oblige you to soon)
2. Who should it be: IT, Legal, Compliance, HR?
Benefits of legal privilege
3. Visible reporting lines
To existing risk committees
And to board
4. Risk registers
Failure to address known issues increases penalties
Whether your issues or a 3rd party's
11. (2) Get serious about training
ICO's #1 pet hate
1. 72% of ICO enforcement actions last year cited lack of suitable training as a reason for the action taken
2. So who to train?
− Start with DPO and leaders of teams who process your most
sensitive data
− Viral training – train the trainer
3. Desktop or in person?
4. The message can be spread in other ways too
− Videos, notices, pop up reminders, pay slip inserts…..
5. Ensure it's not a one-off event
12. (3) Time to review your policies
Are your current policies fit for purpose?
1. Technology/business developments have rendered many policies
out of date
− Privacy
− Cookies
− Social media
− BYOD
− Security
− Data retention
2. Beware need for Works Council approval if changing policies in EU
13. (4) Review your approach to hiring marketing service suppliers
What have you agreed, what will you agree?
Key DPA principles:
"Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"
– Written contracts required with suppliers
– Staff reliability measures
– Supplier selection linked to security guarantees
– Steps to ensure ongoing supplier compliance
Data only kept as long as it is needed
• Check which suppliers process valuable data
• Check existing contracts, precedents and RFP language
14. (5) Registrations
In place and up to date?
1. Classic error is to be under-registered
2. N.B. each group company must notify – as must company pension trusts
3. Separate registrations are required in each EU country for each Data Controller
4. In the UK 2 tier fees – payable annually:
• £35; or
• £500 if > £25.9M turnover and > 249 staff
15. (6) Intra-group data transfers
Assess your compliance with the fiddliest aspect of DP laws
1. Even if you don't have global operations, your suppliers may do
2. Europe's law makers and regulators are fixated by data transfer issues
• Check your data transfer solutions – model contracts, safe harbor, BCRs
• Beware model contract registration requirement in many EU countries
3. Remember that
• viewing personal data on a UK server from a terminal in the US = a data transfer
• EU data laws apply to personal data of all living individuals, not just EU citizens
16. (7) Security breach notification
Plan your approach to reacting to cyber attack or data loss
1. Design your team – Legal, IT, PR, HR?
2. Pre-plan for the issues which it will need to consider:
i. Location – breach, affected individuals
ii. Seriousness of breach (timing, potential for harm, numbers affected, sensitivity of data involved)
iii. Measures taken to limit harm
iv. Evidence preservation
v. Legal privilege
vi. Who will need to be notified?
vii. Insurance position
17. (8) Marketing compliance
Do your sales and marketing teams know their responsibilities?
1. Ensure that relevant teams understand opt in / out
2. Consider partners
• Do you have control of all notices?
3. Review approach to marketing list purchase
• The DMA's list purchase warranties
4. Time for a marketing audit?
18. Useful Materials
General:
• ICO's introductory DP guide
– https://www.ico.gov.uk/Global/~/media/documents/library/Data_Protection/Practical_application/THE_GUIDE_TO_DATA_PROTECTION.ashx
• ICO's direct marketing guidance
– http://ico.org.uk/enforcement/action/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf
• ICO's data breach guidance note
– http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Practical_application/breach_reporting.ashx
• EC's review of Data Protection laws and link to draft regulation
– http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
Osborne Clarke:
• OC's White Paper - "Prepare now and avoid the risks"
– Contact us for a copy
• OC's Data report (The Data Gold Rush) and DP blog:
– http://www.osborneclarke.com/connected-insights/campaigns/data-gold-rush/
19. Any questions?
Stephen Groom
Co-chair-Advertising & Marketing Law Group
Deputy Chair-Privacy and Data Law Group
T +44 (0) 207 105 7078
M +44 (0) 7788 584 295
stephen.groom@osborneclarke.com
www.marketinglaw.co.uk