Data collection is a potential minefield for businesses looking to collect or monetise users’ data. MEF Policy & Initiatives Advisor Simon Bates shares the key takeaways from a new series of regional guides for businesses, and the regulatory issues around data collection.
Everyone knows how important it is to comply with the law, but regulation can be an intimidating prospect for mobile entrepreneurs and industry executives who simply don’t have time to wrap their head around pages and pages of legal jargon.
That’s why last week MEF published two Business Guides to Data Regulation in Germany and the UK. These explain in simple business language the rules that govern what to do and what not to do with the data you collect from users and share with other companies. Here are some of the highlights.
Why should I care about this?
There are tough penalties in place to deter businesses from breaking the rules. In the UK you can face a fine of up to £500,000. In Germany, businesses can be fined up to €300,000 and individuals can even face jail terms of up to two years!
Who do I report to?
The European Union creates a harmonized approach which is then implemented into local law by national governments. In the UK the Data Protection Act is enforced by the Information Commissioner’s Office (ICO). The German Federal Data Protection Act is enforced by individual federal states and their individual Data Protection Authorities.
Do I need to register with someone if I want to collect data?
In the UK anyone who collects data is required to register with the ICO. Failure to do so is a criminal offence. In Germany, you don’t need to register, but any company with more than nine people involved or with access to personal data must appoint a Data Protection Officer who is responsible for making sure that the company behaves properly in accordance with the law.
Do I need a user’s consent to collect their personal information?
In both the UK and Germany consent to collect data must be given freely, with relevant information on how it’s to be used readily available.
It’s worth bearing in mind that new regulations proposed by the EU would tighten these rules, requiring that consent must be freely given, specific, informed and explicit.
What information do I need to provide when I am collecting data?
When collecting personal information in both the UK and Germany you must be clear about:
- Who you are (the identity of the data controller)
- Why you are collecting data
Can I transfer user data from the UK/Germany to another country?
Not unless you are sending it to countries in the EEA (European Economic Area) or to a region or country that is deemed as having an adequate level of data protection.
These include Switzerland; Canada; Argentina; Guernsey; The Isle of Man; Andorra; Jersey; Israel (with some limitations); The Faroe Islands (with some limitations); New Zealand; and Uruguay.
For more information, members can download the Business Guides to Data Regulation.
If you have more detailed questions, or are unsure about these rules and how they relate to a specific service, you should always consult a qualified legal expert.
MEF thanks Dentons and Preiskel & Co for their help and guidance in compiling the Guides.
Senior Advisor, Policy & Initiatives