The European Commission has just published what is in effect a draft of the proposed European Data Protection Regulations (DPR), the replacement in many ways of the Data Protection Directive. It is not expected to become law until late 2017 at the earliest, and probably 2018. So why should anyone in email marketing bother about it now?
There are certain specific points concerning data management that will be covered fully in a future article, but first we need to understand the proposals.
It has not been anticipated with any degree of favour by many lawyers, some suggesting it would contain 'draconian' data protection requirements that many companies will find impossible to comply with. It hasn't, it would appear, been greeted with total enthusiasm.
The major subject of contention would appear to be the 'one size for all' nature of the regulations. Given that the idea of the DPR is to ensure compliance across the whole of the EU with one set of regulations for data protection, it would appear to be the natural result.
Further, being Regulations rather than a Directive means that it doesn't require national legislation to enable it. Once passed by the EU, it applies to every constituent country.
There is much in the DPR that appears to address criticisms of past conduct, and one proposal is that there be a requirement for companies and organisations to notify their national supervisory authority of any serious data breaches as soon as possible. This is not so restrictive as many feared, although 'as soon as possible' can be difficult to quantify. The additional limitation, 'if feasible within 24 hours', seems superfluous unless it is a warning that you'd better have good reason for failing to hit that limit.
Given that there were suggestions of companies sitting on data breaches for days before notifying customers, it is probably a provision that will increase confidence in email marketing. Perhaps this might reassure those considering subscribing to your email marketing list.
There has been something of a furore over the so-called 'Right to be Forgotten'. There are probable cost implications that will be explored in a later article, but at a basic level any company managing data well will experience little difficulty. The real point of the criticism seems to be that the rule extends far beyond just marketing.
The Deputy Information Commissioner has said that he welcomes the improved rights for individuals, the clear responsibilities, the increase in the level of consent, stronger supervisory authorities and the concept of privacy by design. He feels that consistency over the whole of the EU is a good thing.
The ICO will gain, if that is the right word, the ability to impose fines and sanctions for breaches of the new Regulations.
As with many EU and national regulations, the reality is not quite so dreadful as many pundits suggested, although this is not to suggest the changes are minor. In a future article we will cover the implications for email marketing in the DPR that will require careful planning well before implementation, and why now is the time to start considering how you will deal with the requirements.