With the 25th May just around the corner, GDPR-related queries are no doubt pouring into lawyers’ inboxes thick and fast.
Whilst attempting to tackle all of them in one blog post would be a stretch, we’ve had a go at answering three questions we've noticed popping up again and again (that are particularly pertinent to ecommerce marketers).
- “What will the GDPR mean for the UK post-Brexit?”
- “Do I need to implement double opt-in?”
- “What’s the ePrivacy Regulation?”
🌟 This blog post is part of our GDPR series; to download our comprehensive, no-nonsense guide (written just for ecommerce marketers) click here.
💡 N.b. The aim of this post is not to provide legal advice, but simply to make marketers feel more confident in their understanding of the regulation and how it relates to their professional life.
1) "What will the GDPR mean for the UK post-Brexit?"
The UK leaves the EU at 11pm on the 29th March 2019. Thereafter, UK businesses will not be subject to the GDPR per se.
However, remember that UK businesses targeting EU citizens will still need to be compliant because of the extra-territorial reach of the GDPR (it applies not only to businesses operating in the EU but also those that market to EU residents).
Moreover, the government has introduced a new bill designed to update the UK’s data protection laws (replacing the Data Protection Act) and set new standards in accordance with the GDPR once we’ve left the EU: the Data Protection Bill.
As DCMS Secretary of State, Matt Hancock, said:
"The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit.
"In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”
Does the Bill differ from the GDPR in any way? Yes, it will include a number of “modifications” to make it work for the benefit of the UK in areas such as “academic research, financial services and child protection”.
You can read more about it here.
It may be the case that the UK, following the passing of the Bill, is not seen as having data protection laws equivalent to the GDPR, in which case it may have to enter into some form of Privacy Shield-type arrangement with the EU.
When it comes to transferring personal data across the Atlantic, it’s likely the UK will need to form a framework with the U.S. similar to the EU-U.S. and Swiss-U.S. Privacy Shield.
2) "Do I need to implement double opt-in?"
The GDPR doesn't make it mandatory for retailers to implement a double opt-in mechanism. However, because the regulation sets such a high standard for consent, double opt-in is an attractive option for retailers keen to ensure they are compliant.
For example, under the GDPR:
- Retailers need customer consent specifically for processing (don’t just bundle consent with T&Cs)
- Customer consent must be freely given, specific, informed and unambiguously given
- Pre-checked opt-in boxes are not allowed, nor is consent by default
- Retailers must keep clear records of consent
- Customers have the right to withdraw consent, and retailers need to tell them about this right and how they can achieve it, which has to be as easy as the opt-in mechanism
(N.b. Review your consent mechanism to check it is GDPR compliant. If it’s not, you will need to consider obtaining fresh consent. We’ll cover repermission campaigns in great depth in an upcoming blog post.)
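As an added illustration (not code from the original post), here is how a double opt-in consent ledger could meet the points above: consent exists only once the customer follows a signed confirmation link, every record keeps the wording version and timestamps, and withdrawal is a single step with no token. The purpose name, version string and in-memory key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed key for this example; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass
class ConsentRecord:
    """One purpose-specific consent entry: the record the retailer must keep."""
    email: str
    purpose: str               # consent is per purpose, never bundled with T&Cs
    consent_text_version: str  # which wording the customer actually saw
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None


class ConsentLedger:
    def __init__(self, token_ttl: int = 24 * 3600):
        self.records: dict = {}
        self.token_ttl = token_ttl  # confirmation links expire; stale ones are refused

    def _token(self, rec: ConsentRecord) -> str:
        # HMAC binds the link to this exact address, purpose and request time.
        msg = f"{rec.email}|{rec.purpose}|{rec.requested_at}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def request_opt_in(self, email, purpose, text_version, now=None) -> str:
        """Step 1: form submitted. No consent is recorded yet (nothing pre-checked)."""
        rec = ConsentRecord(email, purpose, text_version, int(now or time.time()))
        self.records[(email, purpose)] = rec
        return self._token(rec)  # would be sent to the customer as a confirmation link

    def confirm(self, email, purpose, token, now=None) -> bool:
        """Step 2: customer follows the link; only this marks consent as given."""
        now = int(now or time.time())
        rec = self.records.get((email, purpose))
        if rec is None or rec.confirmed_at or now - rec.requested_at > self.token_ttl:
            return False
        if not hmac.compare_digest(token, self._token(rec)):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email, purpose, now=None) -> bool:
        """Withdrawal needs no token or login: as easy as the opt-in itself."""
        rec = self.records.get((email, purpose))
        if rec is None or rec.confirmed_at is None:
            return False
        rec.withdrawn_at = int(now or time.time())
        return True

    def has_consent(self, email, purpose) -> bool:
        rec = self.records.get((email, purpose))
        return bool(rec and rec.confirmed_at and rec.withdrawn_at is None)
```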
3) “What is the ePrivacy Regulation?”
Proposed by the European Commission in January 2017, the ePrivacy Regulation is set to replace the existing 2009 ePrivacy Directive. This is likely to happen in the course of 2019—it’s currently being negotiated by the three bodies of the EU.
(It’s worth staying up to date on these negotiations, which will kick off in Autumn.)
In the original press release, the ePrivacy Regulation is described as a new legislation to “ensure stronger privacy in electronic communications, while opening up new business opportunities”.
To give you an idea of how the regulation is likely to affect marketers, the draft legislation includes:
- Preventing cookie walls/cookie banners that don’t help visitors maintain control over their personal data and privacy or become informed about their rights. (Source)
- To protect the security and integrity of networks and services, “the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design”. (Source)
- ‘Direct marketing communications’ to mean any form of advertising, “whether in written, oral or video format, sent, served or presented”. (Source)
- Requiring data protection impact assessments where a type of processing of electronic communications metadata…is likely to result in a high risk to the rights and freedoms of natural persons. (Source)
- Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, to offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. (Source)
"By failing to prepare, you are preparing to fail"
We hope these answers to three FAQs help you on your GDPR journey.
We understand the regulation can seem overwhelming at first, but once you get your head around the basics it starts to make more sense. If you’re keen to learn more, here are a few articles on the upcoming GDPR we recommend reading:
- Six things to know about the upcoming regulation
- Working with a GDPR lawyer: Ten things to consider
- ICO's Guide to the General Data Protection Regulation (GDPR)
- Proposed e-Privacy Regulation in Trilogue Phase Making May 2018 Enforcement Unlikely
- Eight Ways EU GDPR Differs From the EU Data Protection Directive