There has been a lot of coverage in the press and TV news lately on what they suggest is the new ‘right to be forgotten’, or more correctly the right to erasure of personal data. We’ll stick with RTBF for this article.
Despite most outlets focusing on the implications for social media, not only in headlines but content as well, it should be noted that it applies to online traders and particularly email marketing. One thing which will grab the attention is the maximum fine of £17m (€20) or 4% of global turnover, whichever is the greater.
The tory party manifesto made mention of social media being targeted but this has now been extended to include personal data held by companies, so this has come as something of a surprise for some. However, it is not so earth-shattering as some reports suggest. The ICO summarised it as: to enable an individual to request the deletion or removal of personal data [when] there is no compelling reason for its continued processing.
Personal data will now also include IP addresses, internet cookies and DNA. Further, companies will be banned from allowing people to be identified from anonymous personal data.
The new law will hopefully allow free flow of data between the EU and the UK post Brexit as the UK will be classed as a third-party country. It will oblige data controllers to allow an individual, free of charge, electronic access to their data with rights to rectify or delete, and a right to object to processing. They will also be able to verify that their data is processed lawfully.
There are specific circumstance where the right o be forgotten can be exercised. These are:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Significantly the GDPR moves a step forward from the Data Protection Act where the right to erasure was limited, specifically to that which causes unwarranted and substantial damage or distress. Under the new law there is no such limitation.
Whilst the legislation has not yet gone through Parliament, it is unlikely to be watered down to any great extent as the requirement is compliance with EU regulations in order for data transfer to continue.
Given that personal data is the essence of email marketing lists, this will impact our businesses more than most, although by no means enough to limit our competitiveness against other marketing methods. Planning should start now. We will cover the sensible steps you should be taking in a later article, but there is a requirement to understand and plan for the impact of GDPR now.