The biggest overhaul of data privacy regulation in the history of the internet will come into force on Friday as businesses scramble to comply with the new rules.
From May 25, the new General Data Protection Regulation (GDPR) will give people in the EU new powers to access and control their personal data.
The new rules also give regulators greater power to levy fines on firms who mishandle data or fail to be transparent in how they collect and use personal information.
In the build-up to the rollout, the Information Commissioner’s Office (ICO) has moved to calm confusion among some businesses over the need to get fresh consent from customers in order to comply with the regulations.
As part of GDPR, company requests for consent on gathering data must be “clear and distinguishable” in easy-to-follow language, and provide a simple way to withdraw consent.
This has led to dozens of firms sending out emails asking customers to confirm that they consent to being contacted further.
But while the ICO said GDPR does “set the bar high” for consent, the regulator has warned that in some cases sending further emails could itself risk non-compliance: difficult-to-follow messages would breach the new openness and transparency rules.
“Where you have an existing relationship with customers who have purchased goods or services from you, it may not be necessary to obtain fresh consent,” deputy information commissioner Steve Wood said in a recent blog post.
“It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
The new laws also strengthen the jurisdiction of EU regulators, with the regulation applying to all companies and data controllers who handle the data of EU citizens, regardless of where the company itself is based.
The rules will also give people the right to access the data firms have gathered on them, as well as request it be deleted should they so wish.
GDPR will roll out at a sensitive time for large technology firms, amid heightened interest in data privacy following a number of scandals around how personal data is collected and used, including Facebook’s Cambridge Analytica incident.