GDPR and ePrivacy will impose 'a much higher bar' on website owners, marketers and list brokers
While the finer points of the new legislation are still being hammered out, the direction of travel is clear
Barely a day goes by in which businesses are not urged from some part of the legal, consultancy and technology spectrum to get their houses in order in readiness for the arrival of the EU General Data Protection Regulation (GDPR) this time next year.
The 'why' should be crystal clear by now (if a fine of up to £20m does not focus minds then nothing will), but when it comes to the 'what' and the 'how' there remain some gaping holes.
For example, almost every business has a website, and a good number of those will gather information about visitors for marketing purposes. In order to obtain the much vaunted 360-degree view of the customer, many businesses will use cookies and other mechanisms to track users around their site and across devices. Others will display programmatic advertising that comes with a bevy of trackers of its own. And many firms make use of third-party marketing lists to bolster sales and marketing campaigns.
Where and how will marketing and advertising practices need to be tightened up? This is not at all easy to find out, particularly with reference to online advertising, where the details are still being thrashed out by lobbyists, interest groups and politicians.
On the marketing side the first thing to say is that many organisations are likely in breach of the current rules, whether they are aware of this or not.
"I think there are many who are in that camp," said Marc Dautlich, lead partner for information law and cyber security at law firm Pinsent Masons.
They may have got away with ignoring or bending the rules until now, but things are changing, he went on.
"The ICO is being beefed up, with many more case officers going into enforcement - seemingly more every week. It's definitely increasing its resource."
The upcoming EU data protection regulations (GDPR and ePrivacy) play a big role in this beefing up, but Dautlich points out that the ICO (Information Commissioner's Office, the data protection watchdog) has shown an increasing willingness to bare its teeth for some time anyway.
He mentions the Optical Express case in which the high street optician was fined heavily for breach of consent rules when using a third-party marketing list from Thomas Cook to send SMS marketing messages. Then there's Honda Europe and Flybe, which were recently convicted of sending ‘re-consenting' emails to people who had not opted in to receive them. These convictions were brought under the existing law.
Nevertheless, all eyes are now on the GDPR, which becomes law in May 2018, and on the ePrivacy regulation, the first draft of which is expected in October and which will probably become law some months after the GDPR.
In summary, the GDPR is designed to uphold the protection of personal data as enshrined in Article 8 of the EU Charter of Fundamental Rights and sets out ways in which personal data must be treated, while the ePrivacy regulation concerns the right to a private life (Article 7) and covers things such as internet tracking and cookies.
Tough cookie
The provisions of the ePrivacy regulation may not have been nailed down yet, but the direction of travel is clear when you look at the GDPR, according to Richard Beaumont of OneTrust privacy management software, who wished to make it clear he was commenting on a personal basis.
"Cookies used for marketing - which are generally third party and involve cross-domain profiling of individuals - are caught by the definition of personal data in GDPR. They will almost certainly require people to give their consent to such processing, and consent under GDPR is a higher bar than we have seen before," he said.
"It is very much an opt-in model, and that is not something many websites, or their marketing partners, are prepared for. In particular it puts the current online behavioural advertising opt-out model into a lot of question about its viability."
It can no longer be assumed that the person wishes to receive personalised services that they have not requested, Beaumont continued.
"Many sites will likely need some re-design to enable users to have some direct control over what sort of cookies and tracking they are happy with."
This may also have an impact on the type of content that websites will be able to serve, Beaumont added.
"Think in particular about what this might mean for personalisation. Lots of media sites are customising the content users see based on some level of behavioural profile. Right now that is done automatically, but as it involves tracking behaviour it may no longer be allowed without active user consent - and that could have a big impact on how some sites operate."
However, for websites that don't engage in such granular tracking the changes will not be too hard to accommodate, according to Dautlich.
"If they are already compliant they will have a banner to advise people about cookies and trackers," he said. "They may need to tweak the detail about what is being given consent for… but it won't be massively different from what we have now."
Natural versus juridical persons
With respect to the treatment of individuals according to their personae, the picture is much clearer. Until now, B2B marketers have been able to push messages at people while they are at work in a way that would be inappropriate - and illegal - were the same person at home in a private role. Under GDPR this distinction between "juridical" and "natural" persons will be swept away.
"GDPR doesn't differentiate between personal and business context in terms of the rights of the data subject," said Beaumont. "From a B2B marketing perspective the same standards apply whether the subject's data is being processed as an individual or in a business role."
This is likely to have a big impact on B2B marketing campaigns, which will be forced to move from a push to a pull model, with professionals opting in to receive messages.
List rental woes
It looks like bad news for the sellers and users of third-party lists. Unless those on a list have given their clear consent, users and providers are likely to be in breach of the current DPA, let alone the incoming regulations. Indeed the ICO recently fined both parties in a spamming case for such a breach under the current rules.
The difference will be the degree to which new laws are enforced. The ICO will no doubt be looking to make an example of severe transgressors; on the other hand, while its numbers might be growing, it only has a limited staff to gather evidence and prosecute.
"Inevitably it will be selective, going after higher profile or larger companies or abusers," said Dautlich. "They will look for a systemic or deliberate failure to comply, or at well-known firms who should know better".
However, he advised strongly against firms carrying on as normal in the hope that they will slip under the radar. At the very least they need to be able to show they are making efforts to comply. The existence of documentation showing that a proper risk analysis has been carried out will be a key factor when regulators consider whether data sharing is legal.
"Organisations that cannot show they carried out risk assessments, and made reasoned judgements, will be more harshly looked on when it comes to handing out penalties," said Beaumont.
If that happens it will also be harder to pass the buck down the supply chain than it is now, blaming the vendor of a list or a cloud supplier.
"Seen from a GDPR perspective, there are several processing operations in data collection, selling and then use of that data," he continued. "Each party plays a role as data controller at different points in the whole operation - and therefore they each carry liability. The broker must make sure they are legally able to supply the data, and the receiving company that they are legally able to use it."
Taking action against a supplier for breach of contract is likely to be a costly process in terms of money and reputation, said Dautlich, and anyway: "You might struggle to get a court to enforce an indemnity against a list broker, and in practical terms the ICO will have powers to stop your marketing campaign and of course to fine you."
So will those who seek to share personal data with third parties be required to explicitly name those parties? Certainly the ICO draft guidance on GDPR consent indicates that third-party organisations given access to personal data should be individually named; however, this has been challenged as an overly restrictive interpretation, according to Beaumont.
More likely is a requirement for consent to share with a "clear, knowable category" of organisations, agreed Dautlich.
Whatever the final outcome, the catch-all tick box for 'sharing with carefully selected third parties and partners' will be a thing of the past, and once again, demonstrating that measures have been taken to comply with the rules governing consent will be key.
"Those collecting data to put into lists to sell will in particular need to make sure they get the right permissions - but also document those properly, and make sure those permissions travel with the data whenever it changes hands," advised Beaumont.
Will existing consent suffice?
Many firms will be wondering whether they must seek renewed consent from those people whose details reside in their CMS. The answer is that if consent was gathered in accordance with existing data protection regulations then it should be fine under the new regime. But for many firms that will be a big 'if'. Consent in GDPR has to be obtained using clear and plain language, and the intent must be provable.
"You will need to be confident that your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily," said Beaumont.
"The best advice is to look at existing consents, how they were obtained, and whether you can demonstrate clearly that the consent was valid. If not, then it will be better to go back to data subjects to get new consents."
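Beaumont's advice here, and his earlier point that permissions must travel with the data when a list changes hands, both come down to keeping a consent record that can be audited later: what the subject saw, how they opted in, who collected it, who it was passed to, and whether it was withdrawn. The Python below is an added example written for this page, not code from the article, from OneTrust or from Pinsent Masons; the field names, purpose strings, the set of accepted capture methods and the controller names are assumptions made for illustration.

```python
# Added example (not from the article): a minimal consent ledger showing what
# documented, provable, withdrawable consent that travels with the data can
# look like in code. Field names, purposes and capture methods are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Capture methods this ledger accepts as affirmative opt-in (an assumption of
# the example; a pre-ticked box or silence is deliberately absent).
OPT_IN_METHODS = {"unticked_checkbox", "explicit_button", "double_opt_in_email"}


@dataclass
class ConsentRecord:
    subject_id: str                  # pseudonymous id, constructed for the example
    purposes: frozenset              # each purpose the subject agreed to, separately
    wording: str                     # the exact text the subject saw
    method: str                      # how the consent was captured
    collected_by: str                # controller that originally obtained it
    collected_at: datetime
    withdrawn_at: Optional[datetime] = None
    transfer_chain: list = field(default_factory=list)  # controllers it has passed to


def record_consent(subject_id, purposes, wording, method, collected_by, when):
    """Create a record; refuses capture methods that are not affirmative opt-in."""
    if method not in OPT_IN_METHODS:
        raise ValueError(f"'{method}' is not an opt-in capture method")
    if not wording.strip():
        raise ValueError("consent wording must be stored verbatim")
    return ConsentRecord(subject_id, frozenset(purposes), wording, method,
                         collected_by, when)


def withdraw(record, when):
    """Withdrawal is recorded, never deleted, so the audit trail survives."""
    record.withdrawn_at = when
    return record


def transfer(record, to_controller):
    """Hand the data to another controller: the consent record travels with it."""
    record.transfer_chain.append(to_controller)
    return record


def consent_valid(record, purpose, controller, at):
    """Can `controller` rely on this record for `purpose` at time `at`?

    Returns (ok, reason). The controller must be the original collector or
    appear in the transfer chain, the purpose must have been consented to,
    and consent must not have been withdrawn on or before `at`.
    """
    if controller != record.collected_by and controller not in record.transfer_chain:
        return False, "controller has no documented path to this consent"
    if purpose not in record.purposes:
        return False, f"no consent recorded for purpose '{purpose}'"
    if at < record.collected_at:
        return False, "consent not yet given at that time"
    if record.withdrawn_at is not None and record.withdrawn_at <= at:
        return False, "consent withdrawn"
    return True, "ok"


def demo():
    """Walk a constructed record through collection, sale and withdrawal."""
    t0 = datetime(2017, 5, 1, tzinfo=timezone.utc)       # constructed timestamps
    rec = record_consent("subj-0001", {"email_marketing"},
                         "Tick to receive offers by email from ExampleCo only.",
                         "unticked_checkbox", "ExampleCo", t0)
    transfer(rec, "ListBuyerLtd")                        # list sold, record goes with it
    results = {
        "buyer_email": consent_valid(rec, "email_marketing", "ListBuyerLtd", t0)[0],
        "buyer_sms": consent_valid(rec, "sms_marketing", "ListBuyerLtd", t0)[0],
        "stranger": consent_valid(rec, "email_marketing", "OtherCo", t0)[0],
    }
    withdraw(rec, datetime(2017, 6, 1, tzinfo=timezone.utc))
    results["after_withdrawal"] = consent_valid(
        rec, "email_marketing", "ExampleCo", datetime(2017, 7, 1, tzinfo=timezone.utc))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that every answer `consent_valid` gives can be traced back to stored facts: the verbatim wording and capture method are what a regulator would ask for, the transfer chain is what lets a list buyer show it was "legally able to use" the data, and withdrawal is appended rather than deleting the record so the history of the consent remains demonstrable.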
However, he warned, seeking renewed consent must be handled with care. There have been examples of where companies have tried to use the opportunity of re-consent to harvest more personal data and been prosecuted.
"The ICO has handed out fines recently in cases where companies were going through a re-consenting exercise, as these communications themselves were not deemed to have been consented to by some recipients."