Consumers are beginning to recognise the value of their data and understand that they own the data companies hold about them. With this increased awareness, consumers are also conscious of the responsibilities that come with the ownership of this data and the value it holds.
That said, this increased awareness has not meant that more consumers are shying away from sharing their data, nor has it hampered the growth of the data market.
In fact, people seem to be increasingly comfortable with sharing their data, on their own terms. Our recent survey* found that 49% of consumers are prepared to give their data to brands they trust, while 69% were happy for brands to use their personal information to send them discounts on products and services that they really want.
Strengthening the rights of individuals as data subjects is an important feature of the GDPR, and as a result a number of new or enhanced data subject rights are incorporated in the Regulation.
Two of these, the Right to be Forgotten (referred to in the GDPR as the Right to Erasure) and the Right to be Informed, are explained in more detail on this page.
Businesses need to make sure individuals understand who is collecting their personal data and the purposes it will be used for. This includes visibility of the controller† and processor‡, as well as explicit information about how the data will be used.
The new principle of accountability in the GDPR means there will be more of an onus on controller businesses to demonstrate compliance with the data protection principles, and organisations' privacy policies will need to be updated in line with the new requirements.
A Right to Erasure has been set out clearly in the GDPR which allows individuals a qualified right to request that their data is erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected).
Businesses will have an obligation to erase the relevant personal data they hold concerning that individual without undue delay and in any event within one month of receipt of the request. That period can be extended by a further two months where requests are complex or numerous, provided the individual is told of the extension, and the reasons for it, within the first month.
Some businesses will be required to appoint a data protection officer to help them comply with their obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance. It is needed whether the organisation is acting as a processor or a controller where its core activities involve the regular and systematic monitoring of individuals on a large scale (or the large-scale processing of special categories of data).
Under the Data Protection Act 1998 the statutory obligations were on data controllers only. Under the GDPR, however, data processors will also have direct obligations; for example, they will be responsible for implementing appropriate technical and organisational measures for the security of personal data during their processing activities.
Processors will be legally accountable for compliance beyond any contract terms, but reputable data processors will already have many measures in place to demonstrate compliance.
Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR includes a requirement for controllers to report a personal data breach to their data protection supervisory authority (the Information Commissioner's Office ('ICO') in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where the breach is likely to result in a high risk to those rights and freedoms, the data controller will also need to communicate the breach to the affected individuals without undue delay.
Because today's world runs on data and we all leave footprints in the digital world, we have commissioned a comprehensive research programme into this topic. Specifically, we sought to discover:
- How aware people are of data sharing
- Why customers value privacy, and how this contrasts with what they share socially online
- How different people approach the value exchange involved in data sharing
- What drives people to agree to, and be comfortable with, data sharing
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.
*Experian/Consumer Intelligence ‘Data Preferences’ Survey, 2016
† Data controller – an individual, organisation, corporate or unincorporated body of persons that decides the purpose and manner of data processing.
‡ Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller.