LONDON: The General Data Protection Regulation (GDPR), which comes into force in May 2018, will give individuals greater protective frameworks around how their data is collected, shared, stored, and used - and brands must be able to respond in a way that retains consumer trust, says a leading lawyer.

The GDPR legislation was formulated to iron out inconsistencies in national data protection laws of EU member states. At its core, it expands the definition of personal data and ramps up the fines on non-compliant firms, writes Jo Blazey, Privacy Officer & Counsel at Vodafone, in a new best practice article for WARC.

Recent growth in data-gathering technologies is key to understanding the new definition, which covers information such as “a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.

Meanwhile, a survey by SAS, the analytics firm, found 48% of UK shoppers intend to utilise their rights over their personal data. Worryingly, the survey also found that a third of the sample would ask retailers to stop using their data for marketing purposes.

It is essential, therefore, to inform customers about how precisely their personal data is being used. Further regulation exists stipulating the clarity and transparency of this explanation. Consent must be freely given and ideally not bundled with other terms and conditions. Furthermore, pre-ticked boxes do not amount to consent, Blazey adds.

Accountability extends into an organisation’s legal position. “For the use of the personal data to be 'fair and lawful', there has to be a legal basis for its use,” Blazey writes. However, marketers should be mindful of the uses that do not require consent.

“One basis is that it is necessary in the legitimate interests of the data controller. Another legal basis is that an individual has given his or her consent for their personal data to be used for a particular purpose,” she explains.

Crucially, “GDPR sets the bar high to obtain consent and requires it to be a ‘freely given, specific, informed and unambiguous indication of the individual's wishes’ demonstrated by a statement or some form of clear affirmative action to be given.”

One of the requirements on consent is to ensure it is easy for individuals to withdraw it.

Finally, a key recommendation is the setup of a privacy portal or online privacy mechanism on the company website, to “help customers understand how their personal data is being used and where customers can easily self-serve and make changes to their privacy settings”.

Sourced from WARC, SAS