Revolution in the data protection world may have passed most consumers by but the General Data Protection Regulation (GDPR) will change the way that personal data is handled.
Whilst most organisations will be relieved that, after 3 long years of negotiation, we finally have an agreed text of the GDPR, consumer rights organisations are less happy. “The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century” was a typical reaction (this one from the European Digital Rights Group).
There is disappointment from these groups that some of the fundamental issues (including consent and legitimate interests) have been “fudged”. But privacy activists aren’t giving up just yet; take this fighting talk from Anna Fielder, Chair of Privacy International: “data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable. Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers.”
So what differences might consumers notice when the Regulation is implemented or the UK adopts a similar regime?
Privacy notices must be transparent
Consumers will start to see a difference in the way that organisations communicate with them about data use. This will affect the length of consent statements and privacy policies. Whilst marketing consent does not need to be explicit, it does need to be unambiguous. Transparency is required and clear and plain language will be needed. Consent will need to be obtained by a “clear affirmative action” and “Silence, pre-ticked boxes or inactivity” will not count. Consumers cannot be forced to give consent for further use of data when signing up to a service.
There are some copywriting challenges ahead. How, for example, will organisations explain that they are processing under “legitimate interests”? How will they describe complex profiling and the right to erasure? The requirement for clarity will be even more important when collecting data from children (those under 13 in the UK but under 16 elsewhere). It has been suggested that pictorial representations may help consumers to understand data use. If icons are used they will need to be cleverly designed to avoid the kind of confusion already caused by similar schemes in food labelling and energy efficiency.
Data Controllers will have the job of demonstrating that they have obtained the requisite consent, and consumers will be able to challenge how and why they have been opted into communications. It goes without saying that the need for more granular consent options and the additional rights to object to specific processing could hugely complicate the permission management functions of databases.
Consumer rights must be upheld and publicised
Data Controllers will now have to consider consumer rights before undertaking new processing – a factor which some say will hobble innovation. Although consumers won’t be aware, their rights will have to be taken into account when conducting Privacy Impact Assessments which could put paid to some bright ideas from data scientists. In many ways the Data Protection Officer (where one is appointed) will be required to become the consumer champion within the business.
It will be easier for individuals to exercise the right of subject access and, in most cases, they will not be charged for access so businesses may have to swallow significant costs in retrieving personal data. The GDPR will also facilitate consumers switching suppliers by requiring Data Controllers to provide “data portability” when accounts are closed.
Exercising the right to object to direct marketing and profiling should be easier under the Regulation. More consumers will understand these rights because Data Controllers will have to publicise them when they first contact individuals. In fact the Regulation goes so far as to say that the right to object should be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
News about data breaches will travel faster
Consumers will almost certainly see more breach notifications when the Regulation is implemented. Whilst this is an area where significant “watering down” of the text occurred, breaches will still have to be notified if they are likely to result in a high risk to the rights and freedoms of individuals. It is unlikely that we will experience the deluge of notifications common in the USA, but Data Controllers may have to admit breaches publicly and can be required by the Regulator to notify individuals.
Will higher fines stop data abuse?
Most consumers would be glad to hear that the Regulation has tougher penalties for data abuse. The risk for rogue operators – particularly those responsible for millions of nuisance calls and texts – will now be much higher (up to €20m or 4% of annual turnover). Whether this will simply drive more of the perpetrators to operate from outside Europe remains to be seen. Meanwhile legitimate data users will be adding these higher penalties to their risk registers, and marketing departments may find that communications programmes come under greater scrutiny from risk and compliance.
In some ways, the arrival of the GDPR will only underline the fact that consumers are in charge when it comes to data use. Many organisations have already seen the benefits of adopting more transparent privacy notices and offering their customers real control over their data’s destiny. Those who have not may find themselves under much more pressure in the next two years from consumers and privacy activists as the bar is raised ahead of implementation.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.