I had a very interesting day today at the Information Commissioners annual conference for Data Protection officers. Over 800 DPO’s attended at the Manchester Central Conference Centre (with 300 on the waiting list). The day consisted of some key note speeches in the main auditorium and some very interesting breakout sessions – particularly around the implications of the forthcoming European Regulation on data protection. To Data Protection officers this new Regulation is very much the ‘Elephant in the room’ as it will fundamentally change how businesses manage data protection and how the ICO as regulator punishes data protection breaches.
This new Regulation will be the successor to the original European Data Protection Directive (95/46/EC) which is the legal root of the UK’s Data Protection Act 1998. For those who don’t follow the legislative process in Europe there are fundamental differences between a Directive and a Regulation. A ‘Directive’ has to be enacted using local law, so the directive 95/46/EC passed in 1995 eventually became the UK’s Data Protection Act 1998, which did not become effective until the year 2000 – five years from the passing of the original European law. A ‘Regulation’ on the other hand is law in all 27 member states the moment it is passed by the European Parliament – the implication of cause is that our own parliament has no opportunity to amend the details or interpretation of the law. A ‘Regulation’ is fantastic for the harmonisation of laws across Europe but disastrous for recognising UK cultural differences and legal preferences. Although the Regulation is only at the draft stage it is progressing quickly and the European Parliament will be voting on numerous amendments in the summer, with final ratification coming in 2014. If things progress as planned the Data Protection Act 1998 will be replaced with this Data Protection Regulation from 2016 – the implications for business, and marketing in particular, are quite significant.
As it stands today the draft Regulation would make marketing almost totally permission based requiring ‘consent’ for all marketing activity. The new Regulation weakens the role of ‘legitimate interest’ as a valid basis of processing personal data, and it also introduces some questions around a marketers ability to use customer profiling. There is intense lobbying taking place, lead by the DMA in the UK, and even the Information Commissioner has some reservations about the current draft proposals – at the conference the ICO expressed the view that we will see some changes to the details of the current draft but it will not address all their concerns.
It is certainly going to be interesting times for marketers in the years to come as we come to terms with the demands of this new Data Protection regime – I will be following developments closely.
5th March 13