December 5, 2016
Most people have heard of the Data Protection Act, and if you're in email marketing you have probably also heard of the E-Privacy Directive. But what about GDPR? If you have heard of it, where does it fit in relation to the other two, and do you need to be doing anything? The short answer is yes.
First we need to look at the difference between a directive and a regulation in EU law. An EU regulation is directly applicable in all member states without the need for local legislation: once it is adopted it is law across every member state from the date it specifies. An EU directive is more like a set of objectives that each member state must implement in its own legislation by a given deadline.
So let's start at the beginning, in 1995, with the Data Protection Directive. This was an EU directive aimed at regulating the processing of personal data within the European Union. As a directive, member states had until 1998 to implement it in local legislation.
The Data Protection Act 1998 is the UK's implementation of this directive. It defines eight key principles governing the processing and movement of personal data.
Between 1995 and 2000 the world of communications changed with the rapid growth of the internet. Electronic communications and other digital technologies became commonplace, and it was recognised that the Data Protection Directive needed to be extended to cover these areas. So in 2002 came the Directive on Privacy and Electronic Communications, more commonly known as the E-Privacy Directive, which the UK implemented as the Privacy and Electronic Communications Regulations (PECR) in 2003.
Again, all was well in the world of data protection for a short while, until things evolved again. The development of smartphones and mobile applications, along with cloud technologies, meant that individuals were losing control of their personal data. Think about how many applications you have installed on your mobile phone. How many of these collect personal data about you? Do you know where it is stored? Who has access? What it is used for? Generally the answer is no.
The General Data Protection Regulation (GDPR) of 2016 replaces the Data Protection Directive and is designed to give control of personal data back to individuals. Since it is a regulation it applies directly in all member states, and it replaces our Data Protection Act 1998 after a two-year transition period: it becomes enforceable on 25th May 2018.
GDPR and PECR sit alongside each other in the legal framework. Neither trumps the other: both apply to electronic marketing, and complying with one does not excuse you from the other.
The question everyone asks is what the main differences are between the Data Protection Directive and GDPR, and whether they will affect you. There are two key points. First, consent. The Data Protection Act allowed direct marketing on an opt-out basis, so you could process somebody's data for direct marketing until they opted out. PECR then required prior consent for unsolicited marketing email to individuals but not to corporate addresses, so in practice B2C email became opt-in while B2B stayed opt-out. Under GDPR, where you rely on consent as your lawful basis for processing personal data, that consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count. In practice, consent-based marketing, whether B2C or B2B, becomes opt-in. Second, the burden of proof. It is the responsibility of the data controller to demonstrate that consent was given, so you need to be able to show the date of consent and the exact information the data subject agreed to at the time.
Even though Brexit is on the horizon, it will not happen before May 2018, and the ICO has stated that everyone should start planning for the implementation of GDPR now.
Posted by Simon Hill