With the 25th May just around the corner, GDPR-related queries are no doubt pouring into lawyers’ inboxes thick and fast.
Whilst attempting to tackle all of them in one blog post would be a stretch, we’ve had a go at answering three questions we’ve noticed popping up again and again (that are particularly pertinent to ecommerce marketers).
This blog post is part of our GDPR series; to download our comprehensive, no-nonsense guide (written just for ecommerce marketers) click here.
N.b. The aim of writing this post has not been to provide legal advice, but simply to make marketers feel more confident in their understanding of the regulation and how it relates to their professional life.
The UK leaves the EU at 11pm on the 29th March 2019. Thereafter, UK businesses will not be subject to the GDPR per se.
However, remember that UK businesses targeting EU citizens will still need to be compliant because of the extra-territorial reach of the GDPR (it applies not only to businesses operating in the EU but also those that market to EU residents).
Moreover, the government has introduced a new bill designed to update the UK’s data protection laws (replacing the Data Protection Act) and set new standards in accordance with the GDPR once we’ve left the EU: the Data Protection Bill.
As DCMS Secretary of State, Matt Hancock, said:
“The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit.
“In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”
Does the Bill differ from the GDPR in any way? Yes, it will include a number of “modifications” to make it work for the benefit of the UK in areas such as “academic research, financial services and child protection”.
You can read more about it here.
It may be the case that the UK, following the passing of the Bill, is not seen as having equivalent data protection laws to the GDPR, in which case it may have to enter into some form of Privacy Shield type of arrangement with the EU.
When it comes to transferring personal data across the Atlantic, it’s likely the UK will need to form a framework with the U.S. similar to the EU-U.S. and Swiss-U.S. Privacy Shield.
The GDPR doesn’t make it mandatory for retailers to implement a double opt-in mechanism. However, as the regulation has such high standards for consent, it is an attractive option for retailers keen to ensure they are compliant.
For example, under the GDPR….
(N.b. Review your consent mechanism to check it is GDPR compliant. If it’s not, you will need to consider obtaining fresh consent. We’ll cover repermission campaigns in great depth in an upcoming blog post.)
Proposed by the European Commission in January 2017, the ePrivacy Regulation is set to replace the existing 2009 ePrivacy Directive. This is likely to happen in the course of 2019—it’s currently being negotiated by the three bodies of the EU.
(It’s worth staying up to date on these negotiations, which will kick off in Autumn.)
In the original press release, the ePrivacy Regulation is described as new legislation to “ensure stronger privacy in electronic communications, while opening up new business opportunities”.
To give you an idea of how the regulation is likely to affect marketers, the draft legislation includes:
The overarching goal of the new ePrivacy Regulation will be to provide citizens and businesses with a legal framework for privacy and data protection in Europe. In other words, it’s a way for the ePrivacy legislation to adapt in accordance with the new GDPR.
We hope these answers to three FAQs help you on your GDPR journey.
We understand the regulation can seem overwhelming at first, but once you get your head around the basics it starts to make more sense. If you’re keen to learn more, here are a few articles on the upcoming GDPR we recommend reading: