BreachExchange mailing list archives

ICO will hold brand owners responsible for third-party data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Nov 2015 17:23:41 -0700

http://www.information-age.com/it-management/risk-and-compliance/123460488/ico-will-hold-brand-owners-responsible-third-party-data-breaches

Businesses will find it far more challenging to comply with the EU’s new
data law than the European Council’s summer update led them to believe, it
has been revealed.

On 15 June 2015, the Council reached a general approach on the General Data
Protection Regulation (GDPR), which is an attempt by the European
Commission to unify data protection compliance in EU member states with a
single law.

The Council’s announcement followed a one-year review of the proposed law,
which had previously been reviewed for two years by the European Parliament.

The proposed sanctions for businesses that break the new law include fines
of up to €1 million or 2% of company turnover.

Together, the Council, Commission and Parliament form the ‘trilogue’ that
is involved in the legislative process of debating what will be included
in the GDPR. The next step is for the Council and Parliament to agree on
the final version through monthly trilogue meetings until the end of the
year.

The latest news out of these meetings reveals that even stricter practices
are likely to be introduced, including tightening of consent levels and
restrictions on web analytics and profiling.

Based on the new developments, the GDPR is now being estimated to cost UK
companies £47 billion in lost sales, and £2.73 billion in preparation –
averaging £76,000 per company.

However, the averaging of the figures is deceptive because the majority of
UK companies are small and many will barely be affected, if at all. The cost
for those that rely on data will be substantially more than the average
figure.

Agencies and third-party data processors face a particular problem. With
staff training predicted to be £7,500 per person, and the need for anyone
involved in the use of data to be familiar with the complexities of GDPR,
the costs will be high.

There is an added incentive for agencies to get compliance preparation
right. The Information Commissioner's Office (ICO), which enforces data
regulation, has now stated that it will target brands as well as third
parties if the latter have been responsible for breaching rules.

This means any irregularities that occur within agencies while utilising
client data will be considered the responsibility of the client – agency or
third-party processor – and both will be subject to fines and resulting
publicity.

Third parties of all descriptions that bring sanctions upon clients,
including agencies, may find it difficult to survive the damage to
reputation and finances.

The key areas the trilogue have so far tightened up on during recent
discussions include the level of consent required to use personal
information.

Consent is now agreed as having to be freely given, specific, informed and
an explicit indication of a consumer’s wishes. It must be given by a
statement or clear affirmative action.

The burden of proof to demonstrate the correct consent conditions were
obtained will be on the brand owner or agency – it will not be up to the
consumer or ICO to prove negligence.

The amendment to the draft of the law also takes opt-in conditions from the
level of a ‘specific, informed indication of the subject’s wishes’ to a new
and higher level.

Another key point being examined, and crucial to digital marketers, is that
the definition of personal data could be extended to cover some IP
addresses and cookies as ‘online identifiers’. Web analytics and profiling
would be made much more difficult, if not impossible, if this were to happen.

It is the European Parliament that is pushing to introduce consent for all
profiling, and additionally justice and home affairs ministers consider
that pseudonymous data should be treated as a subset of personal data.

If these wishes are applied there will be huge implications involved for
digital marketers, the least of which may include the need to amend wording
on privacy policy and data collection notices.

‘With agreement being reached on key subject areas such as consent, we can
see the law will be tougher than was previously considered as far as
marketing data and communication is concerned,’ said Dene Walsh, operations
and compliance director at Verso Group. ‘For years, short-term commercial
advantage has been with those that ignore the rules with limited chance of
sanctions.

‘When the new regulations come in it should switch to those that respect
consumers, and as members of the public begin to understand their new
rights they will recognise brands that adhere to them. The new law will
give competitive advantage to those that follow good data practice.’

The rules on data breaches are likely to be changed to informing the ICO of
problems within 24 hours, and consumers within 72 hours. The nature of the
breach, number of data subjects, categories of data and proposed mitigation
will also have to be reported.

Other changes include the need for companies to prepare for members of the
public requesting full information held on them. Currently a maximum fee of
£10 can be charged for this, which collectively costs £50 million a year,
but ‘Subject Access Requests’ will be free under the new law – and as this
becomes widely known, certain sectors, such as finance, should be prepared
for requests on a large scale.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 