Can you afford a €20m fine?
From 25 May the GDPR will make more people liable for financial penalties if they mishandle customers’ personal data. Stuart McMaster of Mishcon de Reya explains how to be fully compliant before then
If personal data is the lifeblood of the digital economy, how do you balance the interests of consumers against the interests of a thriving affiliate marketing business? Steve Wood, deputy commissioner of the Information Commissioner’s Office, has said: “As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority.”
This is one of the great questions of the modern marketing age, and affiliates should be aware that the General Data Protection Regulation (GDPR), which will apply on 25 May, 2018 with immediate effect, is designed to give individuals greater control over their personal data.
Many of the GDPR’s principles are already contained in our existing data protection laws. However, one of the major changes is that GDPR will have global reach. Any affiliate that handles personal data relating to end users located in the EU will need to comply with GDPR, regardless of where the affiliate is located. And GDPR will also apply to any affiliate that is located in the EU, even if they handle only personal data relating to end users located outside the EU.
GDPR also widens the net in terms of who can be liable if data is handled incorrectly. Previously only “data controllers” were exposed to the risk of fines. Under GDPR, the data protection regulators will be able to go after “data processors” as well.
This is a significant change for any affiliates who act only as data processors (for example, because they process personal data only in accordance with the instructions of a gambling operator), because they will need to dedicate resources to ensuring they comply with GDPR.
Affiliates who act as data controllers are already required to comply with data protection laws. However, GDPR is likely to mean that they also invest more heavily in compliance. The fines that can be imposed if data is handled incorrectly could increase significantly under GDPR, and operators are likely to place a greater emphasis on ensuring that affiliates deal with data in a responsible manner.
So, how does an affiliate marketing business ensure compliance with GDPR? The starting point is to conduct a data audit in order to identify what personal data your business holds, how it is being used, why it is needed and how it was obtained.
When conducting this audit, it is important to note that “personal data” doesn’t just include names, telephone numbers and addresses. It actually includes any information that relates to an identifiable individual (if the individual could, with reasonable effort, be identified directly or indirectly from it).
So data sets that can be organised by IP addresses, MAC addresses, or cookie identifiers may count as lists of personal data where they can be used to create profiles of end users and identify them. Although this is, to some extent, already reflected in current law, GDPR confirms the point by clarifying that even location data can constitute personal data in certain circumstances. GDPR does not apply to properly anonymised data, however.
Once it is introduced, GDPR will apply to almost anything that an affiliate can do with personal data, including collecting it, using it or transferring it to others. It will also cover more basic actions such as simply storing the data or erasing it. Each of those actions counts as the “processing” of personal data and each action must be carried out in accordance with GDPR’s data protection principles.
One of the main principles is that each processing action must be carried out fairly and lawfully. This will only be the case if certain conditions are met. In practice, this means that you must have legitimate grounds for collecting and using personal data, not use the data in ways that could have unjustified adverse effects on the individuals concerned, and be transparent about how you intend to use the data.
Legitimate grounds for collecting and processing personal data could include compliance with legal or contractual obligations, or situations where you have express consent from an end user. However, in relation to the latter, GDPR makes it more difficult for affiliates to rely on consent as a lawful basis for their processing activities. First, the end user must be easily able to withdraw their consent at any time. And secondly, pre-ticked consent boxes will no longer be considered valid consent.
This means that if you have historically relied on them, you may need to refresh these consents, and this may lead to a decline in the number of end users who choose to consent.
The Article 29 Working Party (WP29) has recently published draft guidelines regarding consent. These state that:
a. Consent must be freely given. Consent will only be on an appropriate lawful basis if an end user is offered control and a genuine choice between accepting or declining the terms of the consent.
b. Consent must be specific, informed, and granular. Where data is processed for more than one purpose, the end users should be free to choose which of those purpose(s) they consent to.
c. The underlying processing must be fair. Even if processing is based on consent, this will not be valid if the underlying processing is inherently unfair.
Given these constraints, it may be that most affiliates will rely on the legitimate interest grounds as the lawful basis for their processing activities, rather than consent. (But note that consent is still required for certain forms of direct marketing.)
The “legitimate interest” grounds provide that processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the affiliate, unless such interests are outweighed by the fundamental rights, freedoms or interests of the data subject.
To rely on these grounds, you may need to conduct formal privacy impact assessments to assess any possible risks for the end users, so that those risks can be balanced against the interests of the business. Records of these assessments will become critical in the event of investigation or disputes with end users, because they will be needed in order to demonstrate compliance.
Another key principle of GDPR is that end users must be told in explicit terms how their personal data will be used, and it must not be used for any other purpose. WP29 recently published guidelines about this, and indicated that it regards many existing privacy policies as too vague.
For example, it believes that commonly used phrases such as “We may use your personal data to offer personalised services” are not sufficiently transparent, because they do not explain what personalisation entails.
GDPR also introduces a number of other concepts, such as new rights for individuals to have their data erased or transferred to other businesses. With GDPR coming into force on 25 May, 2018, affiliates will be spending the next few months considering how exactly they will implement these new rights, as well as ensuring that they have updated privacy policies ready to launch.
With the maximum fines being increased from £500k up to €20m (or, if higher, 4% of group annual turnover), non-compliance could have significant consequences.
Stuart McMaster is a partner in the corporate department of Mishcon de Reya LLP. He has extensive experience in the betting and gaming sector and specialises in corporate finance, mergers and acquisitions, and regulatory issues within the sector.