Privacy law in the European Union was back in the headlines recently. That's due to proposed changes to EU privacy protections released by the European Commission.
A lot of people were likely scratching their heads, wondering how the proposed changes to EU privacy law would impact them and their business. Well, our own Chief Security and Privacy Officer, Dennis Dayman, follows this news the way some follow celebrity gossip.
Dennis tackled some of the most frequently asked questions about the proposed changes to EU privacy laws.
What is changing in EU privacy law?
The European Commission is proposing changes it deems necessary for the ongoing protection of individuals' information in an online world. For many of you this includes email and social media: how you can collect, use (process), share, control, etc. the personal data of any individual within the EU. In essence, this is the EU keeping up with technology and ensuring the regulations do as well.
These changes are intended to become a regulation, unlike the existing EU Privacy Directive, which asked member states to adopt their own laws. Instead, the regulation will be uniform across all member states and will apply directly to organizations and individuals.
What do they mean by "personal data"?
The definition is meant to be broad. "Personal data" is any information that someone is able to link to a person, even if the party holding the data cannot make this link itself. Some examples: address, credit card number, bank statements, criminal record, etc. So this means that almost anything, including an email address, is considered personal.
I heard about this last year. What movement is happening now that's putting it back in the headlines?
Last year we heard about the requirement for obtaining explicit or affirmative consent to drop, access, and use a tracking mechanism on an individual's computer. That was an addition to the directives. You can learn more about that here: http://blog.eloqua.com/7-misconception-eu/
When is this going to happen?
These are just proposals today. Upon publication there must be an agreement on a final text before the Regulation can be adopted as law by the Council of the European Union, which represents each of the individual countries, and the European Parliament, composed of representatives elected by EU citizens. Changes to the proposal are very likely, and it will probably be a few years before this regulation comes into force.
How does this impact my marketing efforts?
You will see a strong requirement of needing to obtain "affirmative" consent from an end user before "processing" any of their information. In the past, assumed consent was valid in some cases. In the new proposal consent is defined as a freely given, specific, informed and explicit indication of an individual's wishes. It can be expressed in the form of a statement or as a clear affirmative action that signifies an individual's agreement to the processing of his/her personal data. If you want to obtain consent to email or contact an individual through social media, you would have to gain an actionable consent, like the user affirmatively completing a check-box saying they want you to process their data. This means no pre-checked boxes.
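The following is an added illustration, not code from the original post or from Eloqua, of what "no pre-checked boxes" looks like when a signup form's consent is actually captured. It models one box per purpose (so consent is specific rather than bundled), renders every box unchecked, refuses to count a box that was already ticked when the form was shown, and stores the wording the person saw alongside the timestamp so the consent can later be shown to have been informed. The purpose names, the `CONSENT_TEXT_VERSION` string, the `source` field and the sample addresses are assumptions made for the example.

```javascript
// Added example (not from the original post): recording affirmative, per-purpose
// consent for marketing contact. Purpose names and field names are assumptions.

// Version the exact wording shown to the user so a stored record can be tied
// back to what was on screen (assumed versioning scheme).
const CONSENT_TEXT_VERSION = "2012-03-v1";

// One checkbox per purpose: a single "I agree to everything" box is not "specific".
const PURPOSES = {
  email_marketing: "Send me product news by email",
  social_contact: "Contact me through social media about events",
};

// Initial form state. Every consent box starts UNCHECKED, because a box the
// user did not have to touch is not an affirmative action.
function defaultFormState() {
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) {
    state[purpose] = false;
  }
  return state;
}

// Build the consent record from what was submitted.
//   submitted: checkbox values at submit time
//   initial:   checkbox values the form was rendered with
//   opts:      { email, source, now } (source and now are assumed fields)
// A purpose that was already true in `initial` is rejected rather than counted,
// and flagged so the form that pre-checked it gets fixed.
function recordConsent(submitted, initial, opts) {
  const now = opts.now || new Date();
  const record = {
    subject: opts.email,
    textVersion: CONSENT_TEXT_VERSION,
    at: now.toISOString(),
    source: opts.source,
    purposes: {},
    rejectedPrechecked: [],
  };
  for (const purpose of Object.keys(PURPOSES)) {
    if (!(purpose in submitted)) continue;
    if (initial[purpose] === true) {
      record.rejectedPrechecked.push(purpose);
      continue;
    }
    if (submitted[purpose] === true) {
      record.purposes[purpose] = { text: PURPOSES[purpose], granted: true };
    }
  }
  return record;
}

// Gate a send on the stored record, not on the presence of an address.
function mayEmail(record) {
  const p = record.purposes.email_marketing;
  return Boolean(p && p.granted);
}

// Sample run with constructed input: the user ticked only the email box.
const sampleInitial = defaultFormState();
const sampleRecord = recordConsent(
  { email_marketing: true, social_contact: false },
  sampleInitial,
  { email: "someone@example.com", source: "signup-form" }
);
console.log(JSON.stringify(sampleRecord, null, 2));
console.log("may email:", mayEmail(sampleRecord));
```

The point of keeping `initial` separate from `submitted` is that the server, not the browser, decides whether a tick was an action by the user; a form that ships with the box pre-ticked produces a record that grants nothing and names the offending purpose.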
What if I'm not in the EU?
The latest change is who will have to abide by these rules. In the past, it was determined by the location of the equipment used to process data. With these new changes the Regulation would apply to anyone processing EU/European Economic Area ("EEA") residents' personal data when that processing relates to 1. the offering of goods or services to such individuals, and 2. the monitoring of individuals' behavior. In other words, if you're headquartered in the US and collect data on EU citizens, you have to abide by such rules as explicit opt-in.
I heard a lot about the "right to be forgotten." What's the status of this? What does this mean for me and my marketing?
This portion has gone through a lot of debate these past few years. The proposal requires a controller (you) to create a way for an individual to “erase” any links to personal data if that data is made publicly available. This would probably have a much larger impact on your social media marketing than email, but in general it's a best practice to allow an individual to opt-out of your campaigns through links or a preference centre.
What are the changes for data breach notification?
The Regulation introduces broad data breach notification requirements for any personal data security breach. Any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to, personal data transmitted, stored or otherwise processed” would need to be notified to the national supervisory authorities without undue delay and within 24 hours of the controller becoming aware of the breach.
I heard we're going to have to hire a data protection officer. Is this true?
Yes! This is my favorite part of this proposal. The Regulation would require all private sector organizations with more than 250 employees or those undertaking “risky” monitoring of individuals, as well as all public sector organizations, to appoint a data protection officer (“DPO”). Group companies may appoint a single data protection officer. The DPO may be an employee or contractor, and must serve a minimum of two years. Appointment of the DPO would need to be reported to the authorities, and his/her contact details should be made publicly available.
How can I check the credentials and reputation of a service provider?
The best way is to use the BBB in the United States, but you should also check out TRUSTe. Our privacy statement and practices have been reviewed by TRUSTe for compliance with its program requirements. It's priced well and provides a third party, so you aren't just self-certifying.
What tools are available now that can help me meet these standards?
TRUSTe is a good place to start. They can help understand how your marketing programs compare to what's required.
The International Association of Privacy Professionals (IAPP) is a not-for-profit association with nearly 10,000 members in 70 countries. The IAPP helps define, support and improve the privacy profession through networking, education and certification. It's not just an organization for privacy people. It's for anyone who is dealing with data. Here at Eloqua, we have 15 people not related to the privacy office who are members of the IAPP. Some are in HR, some are in marketing, and some are in our development and operations groups.
1. Notice—data subjects should be given notice when their data is being collected;
2. Purpose—data should only be used for the purpose stated and not for any other purposes;
3. Consent—data should not be disclosed without the data subject’s consent;
4. Security—collected data should be kept secure from any potential abuses;
5. Disclosure—data subjects should be informed as to who is collecting their data;
6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.