IAF Comment Letter on ICO Draft Code of Practice for Direct Marketing
Read IAF Comment Letter
The Information Accountability Foundation (IAF) team is concerned that society is sleepwalking into an era where knowledge discovery will be precluded by a restrictive reading of the data protection law, especially with respect to knowledge application. For that reason, the IAF filed comments on the UK ICO’s draft code of practice on direct marketing ("Draft Code").
Guidance needs to follow the basic premise of effective regulation in a digital age: controls should be proportional to the risk. The GDPR and the United Kingdom Data Protection Act of 2018 (“2018 ACT”) require organisations to differentiate their approach to the use of personal data according to levels of risk in many circumstances. The GDPR specifically differentiates and adds more requirements for profiling where there are legal and similarly significant effects and establishes different requirements for instances where the risk does not rise to that level. The IAF believes that many types of direct marketing are at a lower level of risk.
The IAF is concerned that the Draft Code suggests the mere processing of data to generate insights, without a sense of tangible negative effects, will be considered to have consequential effects. By extension, the GDPR's requirements relative to these effects are extended to knowledge discovery, where there is often less direct impact on individuals. As stated earlier, observation has become overly ubiquitous in today’s society.
The IAF believes that the movement to limit third-party cookies will have some societal benefits in this area. However, even with those changes, the technology and processing behind market segmentation will be complex, and understanding that process will not be most individuals’ main concern. So, the role of organisations and regulatory agencies becomes more important. Organisations must conduct assessments at almost every stage of the processing and must be able to demonstrate those assessments were conducted in an honest and competent fashion. Regulators must oversee and enforce laws so organisations believe the likelihood of enforcement is high.
While these comments are directed at the ICO, there are indications that other data protection authorities may have similar views. Knowledge discovery may create insights that are detrimental to individuals when used in an inappropriate fashion. This type of potential risk is why the GDPR is “risk based” and requires assessment of risk. But to restrict profiling and knowledge discovery to only where consent is an effective governance process creates reticence risk. The assessment and balancing of risks through processes as outlined in the GDPR, conducted honestly and competently, is the better answer.