21st March 2017

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The EU’s long awaited General Data Protection Regulation (GDPR) was supposed to have passed into law by now, but European legislators have not yet even agreed on the final text of the bill, let alone how individual cases should be policed. In the meantime, however, there has been plenty of progress in the European courts on issues such as the right to be forgotten, requiring search engines to delete results that link to pages with out-of-date or incomplete information on individuals. The UK parliament has also changed the law to make it easier to prosecute direct marketers who bombard consumers with nuisance telephone calls and text messages. Companies can now be fined up to £500,000 and the Information Commissioner’s Officer, which enforces the rules, only has to prove nuisance, annoyance, inconvenience or anxiety have been caused, rather than "substantial distress or substantial damage" as before.

What to watch out for

Brands still have a right to process personal data for the purposes of ‘legitimate interests’ such as advertising, but in future the brand’s interests will be balanced against consumer rights that could include the following.

The ‘right to be forgotten’

The European Court of Justice judged in 2014 that search engine results linking to incomplete or out-of-date personal information must be removed at the person’s request. Meanwhile, the current text of the EU’s General Data Protection Regulation (GDPR) – adopted by the European Parliament last year but still yet to become law – suggests that brands could become responsible for deleting personal data that they hold or have passed to third parties if a consumer withdraws consent for processing it.


Information Commissioner Christopher Graham says: “I want it to be absolutely clear that only marketing that has been specifically requested can be considered solicited. That’s going to become even more important under the [forthcoming] Regulation.” The GDPR as it stands could spell the end of tick-boxes asking consumers to opt out of marketing and data processing – instead they may have to be asked to opt in.


Brands are awaiting clarity on whether profiling, which could include behavioural analysis for the purposes of targeted advertising, will require a consumer’s consent, but the GDPR’s current text suggests this is possible. Aimia data governance manager Andrew Bridges warns: “A move to consent-based profiling could present a profound challenge to advertisers when it comes to implementation.”


The GDPR is likely to offer brands protection in the processing of ‘pseudonymous’ data, where personal identifiers such as names are replaced with a randomly generated ID key. As long as an individual can’t be identified, pseudonymous data processing would be assumed not to affect a consumer’s rights.

We will keep you updated when we know more.

« Back