With the approval of the Council and Parliament on Thursday, the new European data protection law, the “General Data Protection Regulation” (GDPR), cleared the last hurdle. The IT security expert Niels Lepperhoff explains the changes that companies will be facing in the field of marketing and sales.
After a two-year transition period, the General Data Protection Regulation is expected to almost completely replace the existing data protection law in May 2018. At that point, all activities, processes and contracts must comply with the new law, as there is no grandfathering provision for existing cases.
The following examples show how far-reaching the changes facing companies in the field of marketing and sales are:
1. Proof of innocence
By far the most far-reaching change is likely to be the reversal of the burden of proof. Data protection violations no longer have to be proven by the competent authority. Rather, companies have to prove that they comply with the rules. If data protection regulations are violated, companies face fines of up to four percent of global annual turnover.
2. Comprehensive documentation requirements
More than ever, companies need to document why personal data can be processed, how the processing takes place and which security measures are used to protect the data. The challenge here is to set up a documentation system. Data protection supervisory authorities can view the documentation.
3. Farewell to list privilege
The third far-reaching change is the abolition of the special regulations for the advertising industry, which, among other things, generally permitted the transfer of addresses and advertising to customers. In the future, the challenge will be to find a legal basis for such processing or to switch to consent. Which solution is available depends on the individual case. It is therefore advisable to take stock of your own advertising activities and then evaluate whether, and to what extent, they will still be permitted in the future.
However, since the requirements for consent are also changing, it is advisable to align all consent texts that are to be used beyond May 2018 to the GDPR today.
4. More external transparency – information requirements
In the future, companies will have to inform their customers and users much more extensively and more frequently than today that their data is being processed. This also applies if the data is supplied by third parties, for example through address trading or a credit check. Information must be provided on the following:
- all purposes of data processing,
- the legal legitimation for data processing,
- the recipients of the data,
- the storage period or criteria to determine the period,
- the rights to information, deletion, etc. and
- the right to lodge a complaint with the data protection supervisory authority.
If existing data is processed for new purposes, the duty to provide information arises again. Anyone who wants to use their customer addresses for a mailing must, as a rule, inform the affected customers at the latest when the data is selected and the mailing is sent. The customer would therefore receive two letters one after the other: the information notice and the actual mailing. In order not to confuse consumers unnecessarily, companies must carefully plan how they implement the information obligation.
5. All companies have to adapt their processes
The two-year transition period should be used to adapt business models, processes and contracts to the new law. Otherwise, managing directors and board members run the risk of being held personally liable. The higher level of external transparency makes it easier for consumer advocates and competitors to take action against unlawful practices. How great the conversion effort will be depends on the company. What is certain is that there is a need for adaptation everywhere.