The document outlines upcoming changes to EU data protection legislation, including the General Data Protection Regulation (GDPR) likely being passed in 2016. Key changes include consumers having the right to access all data companies hold on them for free, requiring explicit opt-in consent for data usage and marketing, the right to have all personal data deleted, and stricter rules around user profiling and data sharing with third parties. Fines for non-compliance will be up to 4% of global annual turnover or €100 million. Companies need to overhaul how they acquire and manage customer data to prioritize consent, trust, and data protection.

1. Data
Protection:
Outlining the forthcoming changes
in EU Data Protection legislation
February 2014

2. 2
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
By 2016, the European Parliament is likely to pass the
General Data Protection Regulation (GDPR) into law.
This will have a profound effect on the way you can
• Speak to consumers
• Gather data from them
• Retain and use this data for commercial purposes
Recent news stories about data breaches, data theft, and the
abuse of personal data has led to a shift in consumer attitudes
towards privacy. Consumers are much more protective of their
personal data, and are much less likely to provide it to
companies they don’t trust.
The effect of this is that the new regulations will be very much
driven by the consumer’s need, with the key implication being
that you will need to explicitly ask for permission to use
someone’s data for all marketing purposes.
To help companies understand what the impact of the
legislation might be, Tangible have created a table which
summarises the current and proposed regulations, along
with suggestions for future-proofing your approach to
data collection.

3. 3
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
Current Legislation Proposed Legislation Action
Consumers are able to
request to see the data
that is being held about
them, but will be charged
for doing so.
A standard charge in the
industry is usually £10,
which mostly acts to
deter ‘time-wasting’.
A consumer can request
a copy of the information
being held about them.
Companies should send the
information electronically,
at the most possible
convenience to the
consumer and free of
charge.
Lower the charge for
consumers to view
information.
Begin devising an efficient,
cost-effective process
for responding to these
requests going forward.
CONSUMER REQUESTS TO ACCESS DATA
Current Legislation Proposed Legislation Action
Consumers must be given
the option to ‘opt out’ if
they do not want their data
to be used for marketing
purposes.
If a consumer hasn’t
explicitly opted out,
companies are able to
assume consent has
been given.
Consumers must be given
the option to explicitly
‘opt in’ to their data being
captured and processed.
If challenged, companies
must be able to prove that
explicit consent has been
gathered.
Consumers can withdraw
their consent at any time.
Change wording now to
explicitly offer consumers
the opportunity to ‘opt in’ to
all future communications.
Clearly explain the
purpose(s) for which
their data will be used.
CONSENT – FROM OPT OUT TO OPT IN

4. 4
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
Current Legislation Proposed Legislation Action
Consumers can request that
their data is no longer used
for marketing purposes.
Upon receipt of such a
request, companies are
obliged to flag the data as
“Do Not Contact” to ensure
it is not used for future
communications.
Consumers can request that
their data is completely
deleted from a database
as opposed to being
suppressed.
A business can dispute
the deletion of data if
they believe the retention
of data is in the business’
interest.
Legitimate business
interests include Direct
Marketing, donation
collection, selling
related services and B2B
marketing.
Data must also be deleted if
the information is no longer
necessary, or if the original
purpose for data collection
is no longer valid.
Devise a procedure so
that consumers can apply
for erasure as quickly as
possible.
Plan and trial a practice
where data can be erased
with minimal impact to
your database and at
minimal cost.
RIGHT TO ERASURE
Current Legislation Proposed Legislation Action
Companies can combine
as much data as a subject
is willing to allow, building
a ‘profile’ of a person, and
then segmenting and
categorising based
on that.
Data can include personal
information about a
subject, such as race,
religion, sexuality and health.
Any information about
a consumer processed
for profiling is illegal,
unless the consumer has
given clear and explicit
permission that it can
happen.
Profiling cannot be applied
to create what may be
considered as “sensitive
data”, just as beliefs,
activities, and health,
without permission.
Make sure that any
profiling carried out is done
with the explicit permission
of the consumer.
Test clear and
understandable privacy
policies that explain why
profiling should occur, and
the benefits of profiling
data.
PERMISSION TO UNDERTAKE PROFILING

5. 5
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
Current Legislation Proposed Legislation Action
Third parties can buy data
from companies without
the consumer knowing
who they are. These
third parties can then
contact them, as long as
the consumer has given
permission.
Third parties must be
identified to the consumer,
and data protection
must be secure. Third
Parties must also inform
the consumer of their
legitimate interests.
If a consumer requests
their data to be erased,
third parties must do so
swiftly and free of charge.
Construct and carry out
due diligence on any third
party who may have a
business interest in your
customers’ data.
Test the effectiveness of
statements inviting
customers to opt in to
receiving communication
from third parties.
THIRD PARTIES USING YOUR DATA
Current Legislation Proposed Legislation Action
Businesses are subject to
the laws of the consumer’s
nationality.
For example, Google were
fined in January for altering
the privacy policies for
sixty services, affecting all
internet users in France.
As a result, it was fined
€150,000 by the French
Data Protection Authority.
Fines will be dependent on
the size of the corporation
accountable for the data
breach, as well as the
extent of the breach itself.
When a breach is first
identified, the level of
punishment escalates as
follows:
1) A written warning for
a first, or unintended
offence.
2) Regular audits for
repeated offenders
3) A fine of up to €100m,
or 5% of annual global
turnover (whichever is
greater), for a serious
breach, or repeated
breaches.
Encourage an atmosphere
of “Privacy by design”,
which, by default, offers
consumers the maximum
level of protection available.
Look to acquire data in a
safe environment, and with
explicit and informed
consent from the consumer.
FINES

6. 6
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
Current Legislation Proposed Legislation Action
At their own discretion,
companies can choose to
employ a Data Protection
Officer to ensure that best
practice is upheld.
Varying privacy policies
between states and
companies means that the
standard of Data Protection
varies.
Companies who process
data in a way which is not
completely risk-averse
will have to carry out a
Data Protection Impact
Assessment in order to
ensure their procedures
are legal.
Data Protection Officers,
which are a legal
necessity for companies
with more than 5,000
records, must ensure
compliance.
Train all employees who are
involved in processing data
to make them aware that
they should be practising
‘privacy by design’.
Train a designated
employee to become a Data
Protection Officer, or, in the
event of a large number of
consumers, employ one
specifically.
Trial and implement a
procedure that will allow
for speedy notifications of
a data breach, should one
happen.
ACCOUNTABILITY

7. 7
Data Protection: Outlining the forthcoming changes in EU Data Protection legislation
Changing the way we
think about data
The EU legislation will not just bring about a practical change to
data protection, it will also require a fundamental shift in the way
businesses think about acquiring and handling customer’s data.
Consent is key to unlocking the future of data management.
Without it, businesses will be forced into a position where their
communications, even with the warmest of consumers, will be
impersonal, and risk irrelevance. This can be avoided if a little
more time is taken to gain the trust of the customer, and
provide a genuine value exchange for their data.
Once that data is acquired effectively, and value is given to the
customer as well as the business, it is the responsibility of the
business to ensure that it is protected, to the highest-level possible
to continue the level of trust between a subject and business.
It would be unwise to wait until the laws come into effect before
considering a new approach to permission marketing and data
acquisition. The earlier businesses embrace change, the better
prepared they will be when the legislation comes into effect,
minimising impact, and improving the relationship it has with
both existing and potential customers.
For further information please contact Nick Banbury on:
Mobile: 07834 518783
Direct Line: 0131 526 3069
Email: nick.banbury@tangible.uk.com
www.tangible.uk.com