Data protection: do you know what you don’t know could cost you?

The Data Protection Directive (DPD) is an inherent part of EU law that can have a dramatic impact on your enterprise if mishandled. And if you think you are exempt from this act because you don’t handle digital data, you’re wrong.

Know what you’re handling

This Directive and its upcoming successor, the General Data Protection Regulation (GDPR) cover a wide range of data sources, including specific hard-copy diaries and sales personal organizer records.

Why? Because any data that contains information such as names, financial or health information and even photographs is personal information.

In fact, the European Commission states: ‘personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.’

In reality, your digital agency should have your back. Here at Novacom, we consider ISO management processes and associated certification an important part of mitigating these significant client-facing risks.

Be cautious: it’s a big subject

And then, if you include the required EU directives on more sensitive personal data, such as personal religious beliefs, political opinions, health, sexual orientation, race, membership of organisations, further enhanced restrictions can apply.

So data actually exists in multiple dimensions and needs both storing and processing with varying privacy parameters. These parameters will govern who can view the data and how (if at all) it can be used.

To further increase the level of complexity, while the current DPD and upcoming GDPR are both very wide ranging regulatory instruments and with the roll-out of GDPR designed to offer a single EU-wide regulation, this will likely cast the regulatory net ever wider – and deeper.

The international dimension

While the EU is a big place, most transnational digital marketing agencies such as Novacom have both regional and global clients on our roster. This means we may regularly seek to import data into the EU and export for use data in other, non-EU regions.

And given that we are subject to the local EU regulations discussed, these situations need to be considered very carefully. Because, quite apart from our own local data protection laws, we must factor in the laws of both our import and export regions.

Trace data origins, check your destinations

Here are two examples where experience and awareness of international digital regulations saved clients serious legal challenge. The first example is a technology client with a number of offices in the EU, which expanded into the US market.

With a continuous growth strategy, the company grew in the US until a contractual issue caused the cessation of a key strategic US market development relationship.

With a significant stake holding in this US relationship, the EU enterprise exercised its right to export and consolidate its US website data capture for EU use in subsequently targeting US prospects and customers.

But given that the US-EU relationship had ceased and the US-controlled website was taken off-line significant information such as the website’s privacy policy – the terms under which users and therefore email recipients had signed up – were gone.

This meant we had no legal premise under which we could robustly prove a legitimate right to use the US generated data, and without which it would be illegal to do so, rendering the data unusable in the EU under local law.

Stay safe, live longer

While this seems quite spectacular to discard such useful marketing collateral, the legal impact of misuse would be of equal significance: fines in excess of €600.000 are now not uncommon for data protection violations.

The second example illustrates how simple client requests can create potential legal risk if not properly understood and checked by competent digital marketing partners.

We were asked by the EU marketers in one of our global clients to send a dataset to their US counterparts for use in US markets. We could do that at the press of a button.

But on close examination, we discovered that this global corporates’ US holding company did not have appropriate EU data protection credentials, and exporting this data would therefore have been a criminal offence. The financial penalty for this would have been substantial.

Know who you’re working with

So in your enterprise, is it possible that these data protection irregularities could have taken place historically, or may be taking place now, as you read this?

Unfortunately, the data protection breaches mentioned here are but a tiny few of the possible risks marketers take with database assets on a daily basis, if you or your digital marketing agency don’t understand international data protection law.

We also undertake regular refresher training to ensure our knowledge is up-to-date. While this is still rare among digital marketing agencies, the logic is unassailable, particularly when faced with the ever-increasing risk of catastrophic penalties any mismanagement could cause clients.

Generally still under-reported, the risk is very present. As this blog was completed, Police Scotland (UK) admitted losing 20,000 2014 year stop and search records due to a ‘computer programming mistake’.

If such errors can occur in a UK police authority, it can happen to you.