At the DPN’s well-attended DP Exchange event in London, the message was clear: for third-party data providers and users alike, more value must be placed on quality over quantity. Data is a valuable asset, but only with the consent to use it.
In the face of tighter UK regulation and the impending General Data Protection Regulation (GDPR), the days of selling bulk records with dubious consent are over. Data is an asset, but it also presents a business risk. The focus must now be on accurate and permissioned data, which will become a premium commodity in and of itself.
On the agenda at our event was the recently updated ICO Direct Marketing Guidance, which makes it clear that a list broker must demonstrate that any list they’re selling or renting is reliable by “explaining how it was compiled and providing full details of what individuals consented to, when and how.” Furthermore, organisations looking to buy or rent data must be diligent in ensuring that data is “lawfully and fairly obtained” and that individuals understood their data would be shared with other parties.
Undoubtedly, the main focus for most in the room was GDPR, which will be implemented on 25th May 2018. How will organisations realistically manage the Right to Erasure, and will they still be permitted to hold records on a suppression file? How detailed will Privacy Notices need to be to demonstrate the processing being undertaken, the Right to Object to Profiling, who the data might be shared with (and so the list goes on)?
Further questions included: If naming partners by sector is to be widely adopted, what sector titles will be appropriate? How can this all be done in a transparent, easy-to-understand way? How will these processes be proportionately implemented and managed?
There has long been ambiguity surrounding Consent, which explains why so many different practices have been adopted. Under GDPR, Consent is clearly defined as “freely given, specific, informed and unambiguous”.
Guest speaker at the event, Andrew Bridges, Data Quality and Governance Manager at the REaD Group, believes unambiguous means opt-in. He accepts it is still open to interpretation, and others will disagree. We all await further guidance, but what is unambiguously clear is that current practices such as silence, pre-ticked boxes or inactivity will no longer constitute Consent.
Andrew stressed how important it was to take action now to ensure readiness for GDPR. He said consumers were more aware and more savvy, and the need for transparency has never been more acute. He recommended taking, at the very least, three key steps:
1) AUDIT: “Pull the engine out and examine every working part” – understand the data you hold
2) ASSESSMENT: evaluate how much of your data will be compliant under GDPR
3) ACCOUNTABILITY: who owns the data protection/compliance within your organisation? (Do you have or need a Data Protection Officer?)
The overall consensus at the event was that silence and inactivity are not an option. Organisations must assess and make provisions for GDPR now. Value must finally come to be viewed as better than sheer volume.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.