• by Sean Hargrave , Staff Writer, March 20, 2015

It is interesting to see Marketing Week getting UK marketers prepared for potential new rules regarding privacy and data handling which will come in via the EU, but lawyers assure me that's not for at least another year or two. As it so happens, I've been doing my own bit of delving into the upcoming General Data Protection Regulation (GDPR) and have also been talking to marketers claiming that this is the year where Data Management Platforms (DMPs) are going to seriously take off. Thus, any upcoming changes to the law will potentially impact any marketer, whether they are amassing and acting on data at the agency or client side.

The major difference seems to be that it will no longer be okay to rely on grey areas of the current law which can be used to get away with not disclosing that customer data has been stolen. At the same time, marketers are going to have to be prepared for massive fines. So, in fact, the big aspect of the new data protection rules is going to be the CMO and CIO working together with the CSO to ensure systems are safe and plans are in place should data be lost or stolen.

Of course, there are rules already in place in the existing Data Protection Act but these are not too onerous. Effectively, if you treat data with respect, use it for the purpose for which it was given, don't store it for too long and protect it from hackers and cyber criminals, then you are okay.

Now, nobody knows what wording the European Parliament's GDPR will finally take, but for me, the major changes will come for marketers with masses of email addresses and telephone numbers and for brand marketers who hold credit card details and perhaps personal information, such as customers' health records or sexual persuasion.

At the moment, UK law is one great big grey area, and it's generally up to each brand regarding whether they disclose that they have had customer data stolen or have lost it somehow. The law only says that if a lot of general info goes missing, then the Information Commissioner's Office (ICO) needs to find out. The same goes for personal, sensitive information, only it will take a lot less data to trigger the moment you need to get in touch with the ICO. The trouble is that the law doesn't state how much is a lot and how much is less than a lot, so nobody really knows. It also doesn't state how long after a breach or a loss of data is discovered that the ICO should be informed. See what I mean about a great, big grey area? Does this answer any questions as to how eBay could get away with not bothering to tell its customers to change their passwords until a good month or two after it had been breached and, even then, only after news of the hack has already leaked.

The new European Act will need to be brought in to British law, and so the many changes in wording that have occurred in Brussels could still feature further interpretation in London. However, the basic premise is there will be a better definition of what constitutes a loss of data that needs to be communicated with the ICO within a specific time frame -- 72 hours is the latest timing given.

The big news is with the fines that have consistently, through different wordings of the Act, mentioned maximum punishments of 5% of global annual turnover or 100m Euros -- roughly $100m.

All of this has been banded around Brussels for an embarrassingly long time but the Act is widely expected to be passed this year and so should be in British law by next year, 2017 at the very outside. 

The grey areas will go, and the punishments will be huge. So it just might be a good time when you're looking at a DMP to chat with the CIO and, if you have one, the CSO, to make sure everything is being done to protect your new data capability from falling in to the wrong hands. The prospect of a 100m Euro fine should just about be enough to focus minds on getting a new system right from launch.