First put forward by the European Union in January 2012, the General Data Protection Regulation (GDPR) was approved by the European Parliament in April this year and will come into force on 25 May 2018.
The GDPR is a huge piece of legislation currently set to replace the UK Data Protection Act, 1998 and despite common belief that Brexit will render it useless, its contents are highly likely to be implemented in the UK in some form.
The law, considered by many commentators to be far too stringent, brings new powers to data regulators and creates much tougher operating boundaries for businesses that process individuals’ personally identifiable information (PII).
Key is that the rules will apply not just to those with businesses in the EU, but to all those processing PII about EU citizens, which will have huge ramifications not only for UK businesses with a global presence but also those in the UK that process PII.
A statement from the Information Commissioner’s Office (ICO) following the referendum said that although GDPR would not directly affect the UK, something with the same clout would still be needed. An ICO spokesman said: “If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’. In other words UK data protection standards would have to be equivalent to the EU’s GDPR framework from 2018.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
Meanwhile DMA chief executive Chris Combemale warned businesses not to delay GDPR preparations on account of Brexit. “Our DMA members should continue with their plans to update their processes to be compliant with the GDPR regardless of the decision to leave the EU. The UK will be looking to enter into a trading relationship of some kind with the EU and so our data protection law will need to be broadly equivalent to the GDPR.”
The printing industry will not be directly impacted by every directive in the new regulation, although there are certainly inclusions that will warrant a thorough review of data protection processes. It will undoubtedly be indirectly impacted by others however, such as rules that will make it tougher for marketers to gain access to personal data.
Headline provisions include tougher requirements to gain consent for marketing where “clear affirmative action” will be needed from the recipient to give informed consent. So for digital campaigns people will now need to tick a box to opt-in rather than opt-out. This is already the case for postal marketing but the switch in digital has the potential to make multi-media campaigns much more difficult. Preticking boxes and making consent a condition of entering a contract will also be banned.
Special protections have been included in the GDPR for children’s data and data on health, ethnicity and sexuality, making them much harder to attain. These will come under ‘special categories’ and require explicit consent for use.
Additionally, people will need to be “clearly and explicitly” told about their right to object to processing as well as to profiling for marketing purposes, while individuals will be given new rights to free access of the data being processed about them, as well as the ability to demand its erasure.
The new regulation focuses on the need for transparency and that individuals have the right to, and must be given, substantial information about about how their details will be used.
Particularly onerous is the change to data processor responsibility, which will see liability for breaches and related compensation shared with the data controllers. This means that not only will the data provider bear the brunt of any legal action for wrongly used data, but so will those that publish the data for their clients, be that online or in print.
Following on from that, the GDPR will enforce huge new fines of up to €20m or 4% of a company’s annual turnover for data breaches.
Darren Crawford, managing director of creative and data insight business GI Red, says if the UK does not adopt the contents of the new GDPR it will cause serious problems.
“If we want to use EU data, by 2018 we will be outside the ‘safe harbour’ agreement, unless we have an equivalent. We would have serious problems doing pan-Europe campaigns, for example,” he explains. “In order to protect the industry, we really need legislation that will be as strong as the GDPR so we’ve really got no choice but to adopt it in my view.”
He says for the printing industry the GDPR, or its UK equivalent, will have widespread impact, affecting everyone from label printers to DM houses and transactional printers.
“Printers are doing a lot more multi-media campaigns and this is going to make life difficult for them, predominantly on the digital side but also in print. People will need procedures in place that are robust enough to challenge clients to verify if it is legitimate, approved data they are using. That will need to be in the form of contracts and random spot checks. If a printer has to do a print job and they haven’t indemnified themselves, they could be in trouble,” Crawford says.
While the UK’s future is unclear, what is clear is that businesses around the world are preparing for GDPR and we need to follow suit to ensure data protection standards are consistent and cross border business remains unhindered.
How will GDPR affect your business?
● Non-EU businesses must comply with GDPR if doing business in the EU or processing EU citizens’ data
● Data processors, such as printers, will have direct legal responsibilities
● Data breaches will carry huge fines
● Data privacy will cover greater detail of personally identifiable information
● New contracts needed to clarify supply chain responsibility
● Tougher rules to obtain consent for data use and greater rights for subjects to access or erase data
● Data Control Officers must be employed to carry out risk assessments in some cases
GDPR is one piece of Europe that is not going to go away
Rosemary Smith, director, Opt4
Most print firms now offer services that involve processing personal data. The impact of the GDPR will have on this processing has been limited by the decision to leave the EU but while we are in a period of uncertainty, businesses globally are preparing for GDPR implementation in 2018.
This is because GDPR applies not just to organisations established within the EU but to any organisation which processes the data of people in the EU.
The UK is very likely to adopt legislation that looks like GDPR. While there has been some talk of ‘GDPRlite’ for the UK this would face fierce criticism both from the rest of Europe and from consumers.
The main GDPR issue for print companies is that as data processors, they will start to share liability for breaches with clients, meaning the potential for significant fines and compensation. Contractual arrangements with clients will need to be precise, detailing exactly what the processing will entail.
Sub-processors will need client approval and must be bound by the same terms as the lead processor. Detailed records of processing must be kept (although this is limited to organisations with over 250 employees). Print companies will need to help with data protection impact assessments in advance of undertaking any “high-risk” processing. They must also assist with subject access requests and be prepared to honour the individual’s right to erasure and right to object. While not mandatory in most cases businesses may find that a data protection officer may be required by client procurement teams.
Until we know the outcome of Brexit negotiations, UK and European data may need to be handled differently. The security of data must be guaranteed and serious breaches will have to be reported to supervisory authorities within 72 hours.
Print companies should get to know the GDPR and start preparing now; this is one piece of Europe which is not going away.
Are you making plans for the implementation of GDPR?
Lee Bevan, service delivery manager – print, British Gas
“We don’t service the European market but we are addressing GDPR and intend to be fully compliant. To say this won’t affect us would be short-sighted. We are a vast organisation that handles a lot of personal data so our risk and compliance teams are assessing requirements and making sure all areas of the organisation, call centres for example, are fully aware of the needs for consent. We are looking at how to redesign our communications to ensure we are getting the consent.”
Tim Drake, chief risk officer, DST UK
“We have a working group dedicated to it and have been having board meetings for the past 12 months. DST has long recognised that much of our revenues and reputation depend on the appropriate respect, care and security of data. GDPR comes at a time when businesses and individuals are increasingly threatened by denial of access to, or theft of personal information. At DST we believe accountability for the guardianship of data no longer sits purely with IT and development teams but is the responsibility of each and every employee.”
Jonathan Stuart, chief technology officer, Paragon Group
“These new regulations pose an interesting challenge, and will impact even small printers who probably haven’t thought about the fact that they’re handling confidential data. It will require people to be much stricter than they have been. In DM you might have data moving from the client to the agency and then to the printer, and that makes it more difficult to be compliant. And people who feed into our world, such as designers, are not necessarily used to working in a structured formalised way.”