The impending shake-up of the data protection regime in Europe and the UK has become a hot topic for a number of businesses and sectors.
As we witness the growth of the creative and marketing sector across the north of England, we are asked to advise more and more businesses about how the new data protection regulations will affect the media sector and what processes they need to put in place to ensure compliance.
Marketing agencies should not underestimate the impact of the proposed data protection regulations given the large sets of data handled by them. We regularly advise clients as to the processes and systems they should have in place to ensure their processing and retention of personal data complies with the proposed regulations.
One of the changes that will be introduced by the proposed regulations is the need to obtain express and explicit consent, as opposed to relying on “deemed” consent from a data subject. In addition, the proposed regulations introduce a requirement that personal data only be used for the specific purpose for which it has been obtained. This could have significant consequences for marketing agencies carrying out profiling activities. Each data subject will also be provided with a “right to be forgotten”. All businesses that collect, store and handle personal data will therefore need to ensure the data is retained on a system which allows for quick and easy deletion of the data, if requested by the relevant individual.
Failure to comply with the new regulations could see companies face significantly higher fines than those which can currently be imposed, including fines of up to 20 million Euros or, if higher, 4% of worldwide turnover for a loss of data or privacy or a failure to process the data correctly.
The proposed regulations are due to take effect in 2018. Given the potentially time consuming IT changes businesses may need to implement, we recommend that businesses begin to take steps now to ensure their processes and records comply with the new regulations to avoid frantic changes being required in the weeks and months prior to enactment of the regulation and to avoid the loss of data which has not been obtained in accordance with the regulations.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.