This EU law could cost you millions
Bravo Romeo’s Meredith Carson explains how the EU’s upcoming General Data Protection Regulation will affect MENA business.
Bravo Romeo’s Meredith Carson and Al Tamimi & Co’s Fiona Robertson on why MENA businesses need to understand GDPR.
If you haven’t heard about the GDPR (General Data Protection Regulation) you will soon; it’s a set of regulations being brought in by the European Union in May 2018 to tackle data and, specifically, consent.
I’d like to paint a picture of its implications for businesses – from legal, content, reputation management and business development perspectives in the MENA region and globally – with valuable input from Fiona Robertson, Al Tamimi and Company’s senior legal associate for technology, media & telecommunications.
This should be an important heads-up on a topic that’s not being discussed in the industry here as much as it needs to be. And when I say important, I mean important to the tune of 20m euros. At least. So let’s start at the beginning.
WHAT IS CONSENT?
In a nutshell, consent means offering users choice and control. With regard to data, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In the Middle East, as users we face real issues with consent – being relentlessly abused by marketers who flog their wares flagrantly in the face of the law, using personal data they genuinely have no right to use. As marketers, we owe it to ourselves and the brands we represent to regulate how we use data and how we manage consent. Why? Because brand reputation matters.
CONSENT AND REPUTATION MANAGEMENT
Placing legal ramifications aside – just for a moment, because they’re the juicy bits – the benefits of getting consent right are significant both from a customer service and brand trust perspective.
By being compliant with global best practice, you are demonstrating to your customers that you genuinely value and respect them. You’re elevating your brand above the competition. Getting it wrong means (at best) eroding brand trust, reputation damage and inhibiting the likelihood of customer engagement now and further down the line. So… what do you need to know?
To put together the following recommendations, I pored over the UK Information Commissioner’s Office (ICO) advice, and Fiona and I knocked heads. Please bear in mind the legislation isn’t yet finalised – it’s released in May 2018. However, we hope this serves as a guide to help you prepare.
1. The first thing that you need to know is that there’s a lot to know and attention to detail is critical. Read the ICO’s advice (it’s easy to find online). There are specific new provisions on a range of areas, including requirements around children’s consent for online services and, as you can imagine, consent for scientific research. The regulation applies to the manner of collection of data, the way data is secured and processed and the way in which it is used.
2. While the regulation applies to the European continent, when your audience is on the continent you will be subject to the law. In addition, and really importantly, the regulation is drafted to apply to all EU citizens, no matter where they are resident. In reality, this means the law is to be treated as a global mandate, as finding out who is and who isn’t an EU citizen is not at all a practical reality and would represent a feat of data management in and of itself.
3. Furthermore, the laws will apply to any entity that is part of an EU corporate structure. From a practical perspective, MENA subsidiaries will be expected to comply, as their European offices could be held liable for their errors.
4. When it comes to user-experience design and data capture, assume nothing and do your homework. The draft regulation indicates that it will require specific and granular action. A blanket check box will not cover you, so be thorough. Put a team together to ensure organisational-level understanding if you’re an agency and (at least) a departmental-level understanding within marcomms and IT if you’re client-side. In all cases, set internal protocols and working processes.
5. Another important point Fiona urges us to remember is that EU ‘data controllers’ (who are the officeholders responsible for data in a corporate entity) must carry out due diligence regarding their suppliers’ data management processes, where they will be collecting or managing data on their behalf. Failure to undertake this due diligence may also result in a fine to the EU entity – so expect them to be very diligent in their due diligence. Regional companies that do not pass this process can expect to be overlooked for EU contracts. So there’s a new-business aspect to this as well, agencies.
The agreements that you will see coming in from the EU will now include this higher standard for data collection, management and use. These clauses will not be negotiable, being required by the new law. This means that a company could be held in breach of contract if it fails to comply with the data provisions and could well be expected to include an indemnity for failing to comply as directed. Given the size of the fines involved, it will be important to take this contractual obligation seriously.
6. If a complaint is made, then the EU will notify all people it believes might have been subject to that breach. This could open your company up to wider findings of infringement and could well create a public relations crisis. This will also most certainly negatively affect your ability to secure future EU contracts. As you can see, getting it wrong is costly – beyond reputation damage, businesses may face substantial fines. Infringements of the basic principles for processing personal data, including conditions for consent, are subject to the highest tier of administrative fines. It could mean a fine of up to 20m euros or 4 per cent of your total worldwide annual turnover, whichever is higher.
Meredith Carson is CEO of Bravo Romeo by AJ