5) how charities can protect themselves against data reform - ‘emerging digital trends &...
THINGS TO COVER
Data protection laws regulate the use of personal information and marketing.
These laws have changed and are continuing to change
What is the impact of these changes to email and direct marketing?
What early steps can be taken?
DATA PROTECTION ACT
Personal data must be used fairly and lawfully
Personal data must only be used for specified purposes
Stored personal data must be adequate, relevant and not excessive
DATA PROTECTION ACT
Personal data must be kept accurate and up to date
Personal data must not be kept longer than necessary
Individuals must have the right to understand and change how their personal data is used
OECD
CORE PRINCIPLES
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Openness
Ref: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
1. Opt-in consent for all marketing, including for B2B marketing, post and telephone marketing
2. The end of unprovable/undocumented third-party marketing lists
3. The Right to be Forgotten
EU GDPR: DATA REFORM
4. Clear language
5. Individual right to claim compensation
6. Fines up to €100 million or 5% annual income (whichever is larger)
EU GDPR: DATA REFORM
7. Enforcement régime instead of self-regulation
8. International co-operation and enforcement
EU GDPR: DATA REFORM
1. Our guide to what’s coming
2. Data collection & consent
3. Processing & storing data
4. What campaigns can you send?
5. Translating the changes to your donors
6. The right to be forgotten
FULL DETAILS ONLINE
communicatorcorp.com/resources
Results in
• Increased risk of legal/financial claim
• Higher costs of legal/financial claim
Which means you need to
• Be transparent
• Use simple language
• Data collection methods which are traceable
• Record and store proof for quick response
WHAT THIS MEANS
Changes
• Fines by default
• Clear consumer rights
• Easier compensation
HIGHER FINES
WHAT THIS MEANS
THE RIGHT TO BE FORGOTTEN
Results in
Must be able to delete:
• Donor Names
• Address
• Purchase
• Browsing & Payment Details
From:
• Websites
• Accounts
• Stock Systems
• Analytics
• Marketing & Databases
Consider
• Guest donations and purchases
• 3rd Party payment services
• Profile creation should be based on value
Changes
• Donors have the right to make anonymous donations and purchases
• Donors have the right to have their information deleted
Onus on decision makers
• More responsibility and accountability for managers and directors
• More powers for ICO
• Self-regulate or get more regulation + enforcement
Google v. Vidal-Hall
• No need for proof of financial harm
• IP and device are “personal information”
3rd party data focus
• 6 month cap on 3rd party data consent
• “Chain unsubscribe” process required (unsubscribe from all underlying source lists)
IoF and FRSB
• Following its rules will be compulsory
• Standardised opt-out statements
• “OUGHT” to be “MUST”
Court and ICO Powers
• Unlimited fines for firms and individuals
• More powers for ICO
• 45 Investigations, 7 firms being monitored and 20 third-party data notices
Exposé into Data Industry
• Not just fines, but criminal investigation
• ICO Investigation into websites and high street brands supplying data
UK DATA PROTECTION NEWS
TIMELINE
NEXT
LATE 2014
Investigation into nuisance calls and spam texts
More enforcement powers
Focus on marketing data industry
Where else collects, sells or uses consumer data?
High street brands and popular websites
Focus on Charity Industry
MAY 2015
JUNE 2015
• Reliance on volunteers:
• High turnover
• Understanding of Data Protection issues
• Only about a third of charities provided data protection notices
• Over half didn’t have data retention/deletion processes
• A third of charities lacked processes to maintain accuracy and relevancy
Specific Challenges
• For any personal data you store and use, you must have a clear business need or explicit permission
• When relying on permission, make sure you can prove it
• The older the data, or the more removed it is from that original purpose, the more difficult it is to prove that consent is valid
GENERAL RULES
• Where do you collect your donor data?
• What personal, preference, behavioural or purchase data do you collect about, or from, your donor?
• How much of that data is actually used?
• Do your donors know that you collect and use their data in that way?
• When do you delete that data?
THINGS TO CONSIDER NOW
• How do your donors subscribe or opt in?
• Specifically, what does your consent cover?
• Is subscription or opt-in a genuine choice?
• Does consent cover how you actually use your donor data?
• Do you use 3rd party data, or supply data vendors?
• If you were asked today, what consent can you prove?
THINGS TO CONSIDER NOW
• Collect explicit consent for new donors
• Re-confirm consent and preferences for existing donors
THINGS TO CONSIDER NOW
• B2B Opt-in
• IP address and other identifiers as personal data
• Clear language
• Anonymous reporting data to allow data deletion
• The right to be forgotten
• Anonymous purchases
THINGS TO CONSIDER NOW
BIG HEADLINES
NOT BIG CHANGES
NEW FINES AND ENFORCEMENT MEAN YOU MUST BE ABLE TO JUSTIFY DATA USE AND PROVE CONSENT.
IOF CODE Reform