A message to you Rudy
The delayed Queen's Speech included the statement: "A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online".
This may sound like new legislation will be presented to parliament, but in reality it probably means that the UK will be implementing the EU General Data Protection Regulation (GDPR). The GDPR legislation began its passage back in 2012, and was adopted by the Council of Europe and the European Parliament in April 2016. It formally entered into force in May 2016, which means that all member states must implement it no later than 25th May 2018. The UK will still be a member of the EU in May 2018 and will be required to implement GDPR; in any case, the existing UK data protection legislation is already much closer to the GDPR than that of many other countries, and the UK would likely implement the regulations whether or not it was a member of the EU.
Unlike directives, EU regulations do not require enabling legislation from member states. The main effect of the GDPR will be to harmonise data protection regulations, to remove areas for interpretation, and to bring all states up to the same data protection standards.
Some specific examples: GDPR requires explicit consent to collect and store personal data, and that consent must be clearly given and verifiable. People also have a right to withdraw consent. Under GDPR, all business processes, products and services must be designed with data protection built in, and the default settings of systems must be the highest level of privacy, i.e. you cannot opt people in by default, and you must use clear and understandable language at the point where you ask for consent, not bury it in legalese in the middle of a page of terms and conditions. Other changes include recasting the right to be forgotten as a less ambiguous right of erasure.
GDPR also aims to harmonise the enforcement of data protection and privacy. Currently, some countries impose fines for violations of privacy, whilst others only pay lip service to the regulations. Under GDPR, companies which unintentionally disclose personal data will receive a written warning from the Information Commissioner for a first offence, but the sanctions available for repeat or deliberate offenders include periodic audits of the organisation's systems and a range of fines, up to 20m Euros or 4% of annual turnover, whichever is greater.
Too often businesses ignore data protection laws and knowingly spam people who never opted in or who have attempted to opt out. The excuses used for this behaviour range from "acted in good faith", to "everybody does it", to "so what, what can they do?" In the UK the ICO is becoming more and more active in enforcing good data protection, and does now impose fines. This month the ICO fined the supermarket chain Morrisons £10,500 for continuing to send marketing emails (aka spam) to people who had held loyalty cards but had clearly unsubscribed from the mailing list. Morrisons did so knowingly, as evidenced by the email itself, which invited the unsubscribed recipient to resubscribe. One recipient of the spam complained about this to the ICO, which triggered the investigation.
A spokesman for Morrisons used the "acted in good faith" excuse when he said "We sent out an information message to a small percentage of our customers that aimed to provide some helpful information about our service. We did this with the best of intentions and we are disappointed that this was deemed to be marketing material."
Earlier this year, the ICO issued fines of £70,000 to FlyBe and £13,000 to Honda for similar bulk email violations.
29th June 2017
This article comes from the SKILLZONE email newsletter, published monthly since January 2008 and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.