ICO will hold brand owners responsible for third-party data breaches

Businesses will find it far more challenging to comply with the EU’s new data law than the European Council’s summer update led them to believe, it has been revealed.

On 15 June 2015, the Council reached a general approach on the General Data Protection Regulation (GDPR), which is an attempt by the European Commission to unify data protection compliance in EU member states with a single law.

The Council’s announcement followed a one-year review of the proposed law, which had previously been reviewed for two years by the European Parliament.

The proposed sanctions for businesses that break the new law include fines of up to €1 million or 2% of company turnover.

Together, the Council, Commission and Parliament form the ‘trilogue’ that is involved in the legislative process of debating what will be included in the GDPR. The next step is for the Council and Parliament to agree on the final version through monthly trilogue meetings until the end of the year.

The latest news out of these meetings reveals that even stricter practices are likely to be introduced, including tightening of consent levels and restrictions on web analytics and profiling.

Based on the new developments, the GDPR is now being estimated to cost UK companies £47 billion in lost sales, and £2.73 billion in preparation – averaging £76,000 per company.

However, the averaging of the figures is deceptive because the majority of UK companies are small and many will barely be affected, if at all. The cost for those that rely on data will be substantially more than the average figure.

Agencies and third-party data processors face a particular problem. With staff training predicted to be £7,500 per person, and the need for anyone involved in the use of data to be familiar with the complexities of GDPR, the costs will be high.

There is an added incentive for agencies to get compliance preparation right. The Information Commissioner’s Office (ICO), which enforces data regulation, has now stated that it will target brands as well as third parties if the latter have been responsible for breaching rules.

This means any irregularities that occur within agencies while utilising client data will be considered the responsibility of the client as well as of the agency or third-party processor, and both will be subject to fines and the resulting publicity.

Third parties of all descriptions that bring sanctions upon clients, including agencies, may find it difficult to survive the damage to reputation and finances.

The key areas the trilogue has so far tightened up on during recent discussions include the level of consent required to use personal information.

Consent is now agreed as having to be freely given, specific, informed and an explicit indication of a consumer’s wishes. It must be given by a statement or clear affirmative action.

The burden of proof to demonstrate the correct consent conditions were obtained will be on the brand owner or agency – it will not be up to the consumer or ICO to prove negligence.

The amendment to the draft of the law also takes opt-in conditions from the level of a ‘specific, informed indication of the subject’s wishes’ to a new and higher level.

Another key point being examined, and crucial to digital marketers, is that the definition of personal data could be extended to cover some IP addresses and cookies as ‘online identifiers’. Web analytics and profiling would be made much more difficult, if not impossible, if this were to happen.

It is the European Parliament that is pushing to introduce consent for all profiling, and additionally justice and home affairs ministers consider that pseudonymous data should be treated as a subset of personal data.

If these wishes are applied there will be huge implications involved for digital marketers, the least of which may include the need to amend wording on privacy policy and data collection notices.

‘With agreement being reached on key subject areas such as consent, we can see the law will be tougher than was previously considered as far as marketing data and communication is concerned,’ said Dene Walsh, operations and compliance director at Verso Group. ‘For years, short-term commercial advantage has been with those that ignore the rules with limited chance of sanctions.

‘When the new regulations come in it should switch to those that respect consumers, and as members of the public begin to understand their new rights they will recognise brands that adhere to them. The new law will give competitive advantage to those that follow good data practice.’

The rules on data breaches are likely to be changed to require informing the ICO of problems within 24 hours, and consumers within 72 hours. The nature of the breach, the number of data subjects, the categories of data and the proposed mitigation will also have to be reported.

Other changes include the need for companies to prepare for members of the public requesting the full information held on them. Currently a maximum fee of £10 can be charged for this, which collectively costs £50 million a year, but ‘Subject Access Requests’ will be free under the new law. As this becomes widely known, certain sectors, such as finance, should be prepared for requests on a large scale.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
