Publishers are being urged to reassess how they process personal data ahead of new European regulations set to come into force in May next year regardless of Brexit, with fines of as much as €20m levied on those who don't comply.
The new European General Data Protection Regulation (GDPR), adopted earlier this year after four years of negotiations, marks one of the biggest shake-ups of European data protection laws in a generation, according to Shireen Peermohamed, partner at media and entertainment law firm Harbottle & Lewis.
She told The Bookseller that businesses, including publishers and booksellers, will be required to comply with the sweeping new reforms, which take effect on 25th May 2018, even after the UK leaves the European Union (EU). This is because reform of UK data protection law is unlikely to be high on the government agenda post-Brexit and because the regulation will still apply to non-EU based businesses offering goods or services to individuals in the EU.
Some publishers are asking subscribers for permission to use their personal data again ahead of the new regulation. They will also have data protection responsibilities in respect of their own employees' data.
"It's a really big deal," explained Peermohamed. "We're getting a lot of questions about this because the consequences of getting it wrong are so severe."
The highest fine under the regulation is €20m or 4% of a company's global annual turnover.
"One thing I've heard from people is 'Oh we don't need to worry about this, because it's a European regulation' - and that's wrong," Peermohamed continued. "It affects people who are basically dealing with data in the EU. But in any event, the regulation comes into force in May next year, so it will be relevant. There is a little bit of a misunderstanding [it might not be relevant] because it comes from Europe, but it absolutely is."
Senior associate at Harbottle & Lewis Alex Hardy said global publishers in particular have a "big job" on their hands. The kinds of data they may collect could include IP addresses and device identifiers, which might be collected via cookies on a website; names, addresses and email addresses, which might be collected for marketing purposes; and, in the case of retailers, who may also be affected if they operate an e-commerce service collecting personal data, any credit card details, whether collected by the retailer or by a third party payment service provider.
Hardy explained: "What [the regulation] requires companies to do is comply with existing data protection law principles, but above and beyond that it introduces a requirement to demonstrate compliance - so organisations of a certain size, more than 250 employees, have to record all the types of data that they are processing and they have to record all those processing activities, which, as you can imagine, is a big job.
"They have to also be prepared for an increase in fines that are available for data breaches and an increase in contractual requirements with their data processors (third company parties that deal with data on their behalf). There is quite a bit of work to do on that and a number of publishers are engaged in that process at the moment," she said. "It's cross-jurisdictional too. So even if you're a US company processing the data of a European national in Europe, then you'll be caught by the legislation. So it's got implications in particular for global publishers."
Practical measures being undertaken at Penguin Random House to ensure it is compliant and ready for the changes in law in 2018 include making sure all data collection carries the required consent, particularly on its children’s lists, asking subscribers for permission again where required and guaranteeing its data capture forms meet new opt-in requirements. This is due to an accompanying increase in requirements for transparency in terms of how consent is obtained, effective as of 25th May 2018.
Hachette and Pan Macmillan also said the issue was on their radars. A Hachette spokesperson said: "We are taking it seriously. We have been training all our staff about the changes to the laws and processes."