Dealerships and manufacturers face a triple data regulation change on top of the finally agreed EU data law, but the Information Commissioner's Office (ICO) is stepping up assistance to aid compliance.
Although Brussels has completed a U-turn on the terms of the new EU data law that was threatening to undermine the capability of service departments and car sales staff and marketers to communicate with consumers, it is now domestic regulators that are posing new challenges.
A parliamentary Select Committee has announced it wants the Government to introduce much stricter data laws that go beyond the recently announced EU law, the General Data Protection Regulation (GDPR). The committee believes that current sanctions have not been an effective deterrent to rogue marketers, and a key element of its recommendation is introducing criminal sanctions with the aim of focusing the minds of business leaders to ensure data protection policy is treated with much greater importance.
At the same time the ICO is introducing a policy of actively seeking out data offenders rather than investigating complaints, and is reviewing its guidelines with a view to introducing tougher regulation, plus it will double in size this year, and may move into bigger premises.
In addition, Ofcom has completed the consultation period of a review of rules as part of its initiative to introduce more control over the way businesses are allowed to communicate by telephone with customers and sales prospects. As yet there is no date for publication of regulation changes.
Although everyone responsible for sales and marketing contact with customers and sales prospects will have to understand and adopt multiple rule changes, the ICO is providing practical support to assist in meeting new regulations. It has introduced an online self-assessment tool that enables users to identify all of the considerations necessary under the Data Protection Act.
In addition, the ICO has produced a 12-step guide to preparing for the new EU data law and accompanying guidance on the overall context of the change to come. It highlights the fact that many of the principles in the new EU legislation are the same as those in the current Data Protection Act. It points out that if companies are currently data compliant then the foundations for meeting GDPR regulation will be in place.
The 12-point guide issued by the ICO is as follows:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Author: Dene Walsh, operations and compliance director, Verso Group, and chair of the enforcement and regulation hub of the Direct Marketing Association Contact Centre and Telemarketing Council.