dma - dpc workshop - 23 october 2013
![Page 1: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/1.jpg)
Data protection 2013
Friday 8 February
#dmadata
Supported by
Data protection compliance workshop
Wednesday 23 October 2013
![Page 2: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/2.jpg)
Welcome and Overview
Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
![Page 3: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/3.jpg)
INTRODUCING THE DATA
PROTECTION ACT 1998
Lesley Tadgell-Foster
Shelfline
![Page 4: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/4.jpg)
Be Aware
The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd. nor by the Direct Marketing Association.
It does not make any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.
![Page 5: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/5.jpg)
The danger of better targeting meaning
more intrusion
• Customers worry about what happens to their information, how it can be used against them, and they fear being sold to – but expect it
• High profile data losses – justified fears
• Concerns fuelled by the media – they know what’s in your shopping basket syndrome...
• Data collection meets record-keeping
![Page 6: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/6.jpg)
…continued
• Respect for customers’ rights to privacy and
discretion always vital in building
confidence, now enshrined in legislation
• The obligation of marketing to offer
explanations, reassurance and honesty
• Self-interest prevails – lose customer
confidence and expect them to cut contact
![Page 7: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/7.jpg)
Purpose of the 1998 Data Protection Act
• To safeguard the public from abuse in the collection/storage and distribution of personal information
• Information relating to identifiable, living individuals only – not organisations
• Can be held on computer or system
• Or in a ‘relevant filing system’. Not your address book – but in a structured way – such as a card index
![Page 8: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/8.jpg)
…continued
• So manual records are included.
Transitional relief until October 2007 for
full compliance
• Can also include photographs and systems
such as CCTV
![Page 9: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/9.jpg)
RESPONSIBILITIES DEFINED
![Page 10: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/10.jpg)
The Data Controller:
• This is the ‘person’ deciding why/how personal data is processed
• More likely that the organisation is the Data Controller
• An individual employee is only likely to ‘carry the can’ if shown to be ‘knowingly or recklessly’ contravening the employer’s policies and procedures. But....?
![Page 11: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/11.jpg)
The Data Processor:
• ‘Any person other than an employee of the
data controller who processes data on behalf
of…
- Computer bureaux
- Individual market researchers collecting
survey responses
![Page 12: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/12.jpg)
AND WHAT IS PROCESSING?
![Page 13: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/13.jpg)
Anything to do with personal
data from:
• Obtaining
• Using
• Holding/Storing
• Changing
• Disclosing
• Erasing
• Disposing
![Page 14: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/14.jpg)
The Eight Principles Reviewed
1. Personal data must be processed fairly and
lawfully
The concept of fairness implies using candour
and transparency in dealing with the acquisition
of customers’ personal information
Are they deceived or misled in any way about
your purposes for obtaining/using the data?
![Page 15: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/15.jpg)
The Eight Principles Reviewed
2. Personal data shall be obtained only for
one or more specified and lawful purposes
and shall not be further processed in any
manner incompatible with that purpose or
those purposes
Think purposes – not files
![Page 16: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/16.jpg)
The Eight Principles Reviewed
3. Personal data shall be adequate, relevant
and not excessive in relation to the
purpose or purposes for which they are
processed
Avoid ‘just in case’ information
Defer to the minimum
![Page 17: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/17.jpg)
The Eight Principles Reviewed
4. Personal data shall be accurate and where
necessary, kept up to date
Gives very frequent rise to customer
irritation, resentment and suspicion
![Page 18: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/18.jpg)
The Eight Principles Reviewed
5. Personal data processed for any purpose or
purposes shall not be kept for longer than
is necessary for that purpose or those
purposes
Depends on both data and application
![Page 19: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/19.jpg)
The Eight Principles Reviewed
6. Personal data shall be processed in
accordance with the rights of data subjects
under this Act
![Page 20: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/20.jpg)
The Eight Principles Reviewed
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Real emphasis on the integrity of data and reliability of operations
Data controller takes responsibility for ensuring that any agency (bureaux) maintains adequate security and is bound by contract
![Page 21: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/21.jpg)
The Eight Principles Reviewed
8. Personal data shall not be transferred to a
country or territory outside the EU unless
it ensures an adequate level of protection
for the rights and freedoms of data
subjects…
![Page 22: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/22.jpg)
The individual is an active part of
the ‘system’ of data protection
• this allows the right to know that processing
is being undertaken
• the right to inspect personal data
• the right to prevent processing in certain
circumstances (e.g. for direct marketing)
• the right to rectify, block or erase data
![Page 23: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/23.jpg)
Is data processed/amended
outside the EEA – possibly to be
returned to the UK later?
Does the country have ‘adequate’/mirror
legislation to ours?
• For USA can consider use of ‘safe harbors’
model contracts
• Everywhere else need tailored contracts for
contractor/company overseas to
demonstrate adherence to UK DP regime
![Page 24: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/24.jpg)
Sensitive Data – Opt in always
• Racial or ethnic data
• Political Opinions/Trade Union membership
• Religious or similar beliefs
• Physical/mental health
• Sexual Life
• Committed or alleged offences
![Page 25: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/25.jpg)
Customer Understanding and
Agreement
• The most onerous duty of all
• Must ‘signify’ consent – a positive communication
• Consent must be specific and informed
• The role of the ‘opt out’ box
• Depend on clarity of wording
• Cannot be given under duress
• Consent can be withdrawn
![Page 26: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/26.jpg)
So What Place Direct Marketing?
• The right to reject unsolicited marketing –
by whatever means
• So – media neutral!
• Define the nature and purpose of the contact
• Are they just saying ‘no’ to your material,
or are they also rejecting that from third
parties?
![Page 27: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/27.jpg)
…continued
• You may well need two opt out clauses
• Danger of combining into a single one?
• From time to time we may wish to contact
you with further information about our
products and those of other companies we
think may interest you. Please tick if you
do not wish this to happen
![Page 28: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/28.jpg)
Media Choices
Can you implement real choice every time,
without fail?
- Direct mail
- Telephone
- Fax
- SMS/text
![Page 29: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/29.jpg)
Almost all opt-out still....
Privacy & Electronic Communication
Regulations: ‘PECR’ - from 2004
Email Opt out OK for EXISTING
customers/similar products only (also
known as the soft opt-in)
SMS Same regime
Transfer to 3rd parties for them to undertake
marketing = Opt-in
![Page 30: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/30.jpg)
Anyone still using fax?
Has always been opt in for home users/
sole traders & partnerships
![Page 31: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/31.jpg)
More Concerns
• What exactly do you plan to send?
• Now – in the future?
• Will you change your media approaches over time?
• And what about new products/services?
• You don’t pass on your customer list at the moment – but might you at some point?
• OPT-IN ALWAYS FOR 3rd party Email/SMS transfers
![Page 32: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/32.jpg)
GOODBYE TO THE ELECTORAL
ROLL
Not entirely – but enough to lose complete
coverage
Two versions – opt-outs up to 46% in
Wandsworth
Credit Referencing use still OK – for now…
![Page 33: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/33.jpg)
Consent at the earliest
opportunity
• And there’s no going back…
• No means no
• The Boots Advantage Case
![Page 34: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/34.jpg)
What Information Do You Have
on Me?
• Subjects’ Right of Access
• Across all material/all databases/all departments
• Subjects can be internal as well as external for
data protection purposes
• Think Human Resources/Personnel records
• How easy/quick for you to collate all files held on
a single name?
![Page 35: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/35.jpg)
…continued
• Credit rejection based on inaccuracy or
scoring?
• How best to explain to customers your
decision making?
• Maximum fee £10
• Maximum period 40 days
![Page 36: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/36.jpg)
Don’t Box Yourself In
• What about CRM?
• How best to ensure continuity over time?
• What about changing lifestyles/lifestages?
• How much can/do you tell on future communications?
• Make it as enticing as possible – given space/truth, but don’t over-promise
• Optimise the opt-out to cleanse your list of the no-hopers
• Work through how to retain the best
![Page 37: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/37.jpg)
Other People’s Customers
• Are you using data across different divisions to
subsidiary companies?
• In the customer’s shoes – how closely related to
the known purpose for giving data?
• Running a Current Account is not the same as
using the ledger to cross-sell Life Insurance
• What if you start up a new venture and contact
existing customers with offers?
![Page 38: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/38.jpg)
…continued
• Ask questions about rented-in lists
• Have list warranties been obtained?
• Still run against the Preference Services
• Is it time to re-visit those who haven’t
opted-out with a new consent?
![Page 39: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/39.jpg)
Business to Business
Business lists with contact names capable of
identifying a living individual fall squarely
within the scope of the new Act
Offer marketing preferences in exactly the
same way to business prospects/customers
as for consumers
![Page 40: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/40.jpg)
The Preference Services
TPS & CTPS, for suppressing numbers from
cold telephone canvassing
Mailing Preference Service for consumers
only – no business version
![Page 41: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/41.jpg)
And If You Get It Wrong?
• Customers have rights under the Act to challenge the accuracy of information held on them
• And to have it corrected or erased
• Plus they can claim compensation for both material loss and distress
• Not a big issue yet – perhaps the press haven’t discovered it!
![Page 42: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/42.jpg)
Starting Young
• How Data Protection affects children
• A bit confusing…
• No age described in the Act
• The Information Commissioner goes with
12 year olds for e-communication (Trust
UK standard)
![Page 43: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/43.jpg)
but…
• The Advertising Standards Authority CAP
Committee say 16 years on all
communication
![Page 44: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/44.jpg)
Implications:
• Must not use or rent lists of names unless
parental approval obtained in writing at the
time the information was collected
• Must be verifiable consent of the parent
(opt-in)
• Implies it is vital to determine age as soon
as possible
![Page 45: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/45.jpg)
…continued
• Not OK for web communication to gain
consent by a mouse click
• Postal communication needed to confirm
![Page 46: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/46.jpg)
The Information Commissioner
• Establishes and maintains a register of data
users
• Promotes compliance with the Data
Protection Principles
• Considers complaints and breaches, and
prosecutes offenders or serves notices
![Page 47: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/47.jpg)
A ‘NEW BROOM’ IN YOUR LIFE
Christopher Graham – new Information
Commissioner
Challenges and benefits of a ‘new face’
Looking for high profile cases + punishing worst
& persistent offenders
‘We need to be selective to be effective’ (Richard
Thomas, predecessor).
Increased fines up to £500,000 from April 2010
![Page 48: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/48.jpg)
Refreshment Break
![Page 49: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/49.jpg)
The role of the ICO
Sally Annereau, Data Protection Analyst, Taylor Wessing
![Page 50: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/50.jpg)
Sally Annereau
Data Protection Analyst
The Office of the Information
Commissioner (the ‘IC’)
![Page 51: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/51.jpg)
IC- status
> Appointed by the Crown
> Independent – not servant of the Crown
> Regulator of:
- The Data Protection Act 1998
- The Privacy and Electronic Communications Regulations 2003 (as updated)
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
> 7 year appointment
> Appointment limited to one term of office
> Annual report to Parliament
![Page 52: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/52.jpg)
Duties of the Commissioner
> Promote observance of the Act
> Maintain the register of notifications
> Make assessments
> Conduct audits
> Disseminate information
> Prepare and encourage codes of practice
> Enforce the Act
> Report annually to Parliament
![Page 53: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/53.jpg)
Assessment considerations
> Includes:
- Does it concern the processing of personal data?
- Is it by a directly affected individual?
- Does the request raise a matter of substance?
- Is it made without undue delay?
- Has the individual raised their complaint with the controller?
- Could the matter be dealt with better by another body?
- Has the matter been resolved already?
![Page 54: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/54.jpg)
Individual complaints/queries
> 1989-90 – 2,698
> 1990-91 – 2,419
> 1991-92 – 1,747
> 1992-93 – 4,590
> 1993-94 – 2,889
> 1994-95 – 2,814
> 1995-96 – 2,950
> 1996-97 – 3,897
> 1997-98 – 4,173
> 1998-99 – 3,653
> 1999-00 – 4,570
> 2000-01 – 8,875
> 2001-02 – 12,500
> 2002-03 – 12,001
> 2003-04 – 11,664
> 2004-05 – 19,460
> 2005-06 – 22,059
> 2006-07 – 23,988
> 2007-08 – 24,851
> 2008-09 – 25,509
> 2009-10 – 33,234
> 2010-11 – 26,227
> 2011-12 – 20,080
(minus FOI casework)
Source: OIC
[Chart: Complaints per year, 1990-91 to 2011-12, axis 0 to 35,000]
![Page 55: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/55.jpg)
UK Categories of complaint
> Sectors
- Lenders
- General business
- Direct marketing
- Local Government
- Health
- Central Government
- Telecoms
- Policing and criminal records
- Debt collectors
- Internet
> Popular complaint causes
- Subject access
- Inaccurate data
- Disclosure of personal data
- Tele-marketing calls
- Security
- Email and SMS
Source: OIC Annual report 2013
[Chart: complaints by cause (axis 0–50): Subject access, Disclosure, Inaccurate data, Security, Use of data, Fair processing, Obtaining data, Excessive/irrelevant]
[Chart: complaints by sector (axis 0–18): Lenders, Local Gov, Health, Central Gov, Policing, Telecoms, Education, Insurance, Internet, Retail]
![Page 56: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/56.jpg)
Investigations
> Can brief a regional investigating officer
> Can issue an ‘Information Notice’
- (‘Special Information Notice’ – special purposes)
> Can obtain a search warrant from a judge
- Warrants can be obtained with or without notice to the controller
- Offence to obstruct the execution of a warrant
![Page 57: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/57.jpg)
Powers
> Direct consequences
- Prosecution
- Undertakings
- Enforcement
- Conduct audits: power applies to public bodies; can be extended to certain types of private body subject to an order by the Secretary of State
- Monetary penalties (up to £500,000)
> Indirect consequences
- Power of publicity
- Intervention by other regulators
- Risk of being sued: compensation claims, breach of contract
![Page 58: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/58.jpg)
When handling complaints
> Try and head off complaints before they reach the OIC
> Log all complaints received
- Date of receipt
- Action dates
- Deadlines
> Try to find out what is behind the complaint
> Report up the details
- Progress
- Outcomes
- Lessons/actions
> Respond promptly to all correspondence
![Page 59: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/59.jpg)
When the going gets tough
> Seek legal advice before agreeing to be interviewed by an investigating officer!
> Be aware of the extent of the Commissioner’s powers
> Remember an Enforcement notice is for life
- Do not allow an Enforcement Notice to be issued against you or sign an Undertaking unless you understand the consequences
- Use your right to make representations wherever possible
![Page 60: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/60.jpg)
Data security and transfers
Sally Annereau, Data Protection Analyst, Taylor Wessing
![Page 61: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/61.jpg)
Sally Annereau
Data Protection Analyst
Keeping Data Safe
![Page 62: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/62.jpg)
Data in demand
> Increase in sharing of data
> Technological developments
> Black market in data
> Cultural ‘catch-up’ required among data users
- Lack of value attached to data assets
- Absence of reporting lines and accountability
- Lack of awareness
- Lack of oversight
- Policies, often mere ‘window dressing’
![Page 63: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/63.jpg)
Data breaches - Incident sectors (UK ICO figures for 1 Apr - 30 June 2013)
![Page 64: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/64.jpg)
Regulatory Framework
> Data Protection Act 1998 (‘DPA’)
- Seventh Principle
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
> Other non-DPA-specific rules
- FCA rules: effective systems and controls for countering the risk
- Public sector: Government Security Policy Framework (‘SPF’)
![Page 65: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/65.jpg)
Why be concerned?
> Risk of enforcement action
> Risk of being prosecuted
- Company, directors, secretaries and other officers
- Individual employee liability
> Risk of fines
> Risk of being sued
> Costs of managing
> Damage to reputation
> Risk of devalued assets
![Page 66: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/66.jpg)
Data protection UK: Enforcement in practice
> Feb 2011–Sep 2012 – Security breaches
- 600 ‘self-notified’ security breaches
- Undertakings: 99
- Monetary penalties: 22
Source: ICO
[Chart: monetary penalties in GBP by month, Feb 2011 to Aug 2013, axis 0 to 350,000]
![Page 67: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/67.jpg)
Technical security measures - examples
> Passwords
> Firewalls
> Anti-virus software
> Secure internet payment systems
> Encryption
> Privacy enhancing technologies
![Page 68: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/68.jpg)
Organisational measures - examples
> Reliability of employees
- Selection
- Education
- Written guidance and procedures
- Accountability and action
- Controls on access: physical and systems
> Secure storage
> Controls on data movement /sharing
> Multi-disciplinary approach
> Data protection officer
> Security policy
> Monitoring
![Page 69: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/69.jpg)
Using a data processor
> Definition: ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’
> Examples:
- insurance company and call centre;
- company and payroll bureau;
- group of related companies and subsidiary responsible for administration of group-wide marketing campaigns; and
- company and secure data disposal agency
![Page 70: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/70.jpg)
Obligations when outsourcing
> Choose a processor providing guarantees of technical and organisational security measures
> Take reasonable steps to ensure compliance with the above
- Written agreement
- Processor acts on controller’s instructions
- Imposes obligations equivalent to the seventh principle
![Page 71: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/71.jpg)
Checklist for processor selection
> Does the processor have a data protection/information officer?
> How secure are the premises?
> What business continuity measures are in place?
> Does the processor have a written data protection/ security policy?
> What security standards does the processor adhere to?
> Does the processor conduct compliance and adequacy audits?
> Have there been any security incidents?
> What steps are taken to ensure employee reliability?
> What training do employees receive in data protection?
> Other considerations: financial status, insurance cover, subcontracting and references?
![Page 72: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/72.jpg)
Security and IT system design
> Need for adequate security measures “both at the time of the design of the processing system and at the time of the processing itself”
> Are contractors/developers aware of the implications of the Seventh Principle for system design?
> Who is responsible for specifying security requirements?
- What do the tender documents say about security?
- What does the contract say about security?
> Consider the integrity of internal systems as well as preventing external access (e.g. the use of live data for systems testing)
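The last point, live data in systems testing, is the one developers most often get wrong: a production extract is copied into a test or development environment that has none of the production controls around it. The following Python example is added by the editor and is not part of the workshop slides or of any ICO guidance; it goes beyond the slide by showing one way to build a test fixture from live-shaped records that still joins and filters like the real data without carrying identifiable personal data across. The field names, sample rows and key value are constructed for the example. Identifiers get a keyed HMAC token (deterministic, so joins between tables survive, but not recomputable without the key, unlike a bare hash of a phone number that can be brute-forced over every possible number), dates of birth are generalised to a ten-year age band, postcodes are cut to the outward code, and free-text notes, which can contain anything including sensitive data, are dropped.

```python
"""Pseudonymise live customer records before they reach a test system.

Added example, not from the workshop slides. Assumes records are dicts with
the constructed field names below; the key value is a placeholder.
"""
import hashlib
import hmac
import re
from datetime import date

# Assumption: a secret held only on the production side. The test environment
# must never see it, otherwise tokens can be recomputed from candidate values.
PSEUDONYMISATION_KEY = b"replace-with-a-key-from-your-secret-store"

# Field-level rules: identifiers are tokenised, quasi-identifiers generalised,
# and free text is not allowed into the test environment at all.
IDENTIFIER_FIELDS = ("customer_id", "email", "phone")
DROP_FIELDS = ("notes",)
POSTCODE_RE = re.compile(r"^([A-Z]{1,2}\d[A-Z\d]?)\s*\d[A-Z]{2}$", re.I)


def tokenise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed, deterministic token for an identifier.

    Equal inputs (after trimming and lower-casing) map to equal tokens, so a
    customer id or email still joins across tables in test. Without the key
    the token cannot be linked back to a person, unlike a plain SHA-256 of a
    phone number, which is trivially brute-forced over ~10^10 candidates.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob_iso: str, today: date) -> str:
    """Replace an exact date of birth with a ten-year age band, e.g. '30-39'."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def truncate_postcode(postcode: str) -> str:
    """Keep only the outward code (SW18 2PU -> SW18): enough for regional test
    cases, not enough to single out a household."""
    match = POSTCODE_RE.match(postcode.strip())
    return match.group(1).upper() if match else "UNKNOWN"


def pseudonymise(record: dict, today: date) -> dict:
    """Apply the field rules to one record and return the test-safe copy."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in IDENTIFIER_FIELDS:
            out[field] = tokenise(value)
        elif field == "dob":
            out[field] = generalise_dob(value, today)
        elif field == "postcode":
            out[field] = truncate_postcode(value)
        else:
            out[field] = value
    # Keep a syntactically valid but undeliverable address so that test mail
    # runs can never reach a real customer (.invalid is reserved by RFC 2606).
    if "email" in out:
        out["email"] = f"{out['email']}@test.invalid"
    return out


# Constructed sample rows standing in for a live extract (not real people).
LIVE_ROWS = [
    {"customer_id": "C-1001", "email": "Jane.Doe@example.com", "phone": "020 7946 0123",
     "dob": "1975-06-30", "postcode": "SW18 2PU", "notes": "Called re: health claim",
     "segment": "gold"},
    {"customer_id": "C-1002", "email": "jane.doe@example.com", "phone": "020 7946 0999",
     "dob": "2001-01-15", "postcode": "m1 1ae", "notes": "", "segment": "silver"},
]


def build_test_fixture(rows=LIVE_ROWS, today=date(2013, 10, 23)):
    """Return the pseudonymised rows; `today` is fixed so bands are reproducible."""
    return [pseudonymise(row, today) for row in rows]


if __name__ == "__main__":
    for row in build_test_fixture():
        print(row)
```

Keep the key with the production secrets and rotate it when the fixture is regenerated; if the test environment can read it, anyone there can recompute tokens for guessed identifiers and the exercise is pointless. The phone normalisation here is only trim-and-lowercase, so two spellings of the same number would tokenise differently; a real pipeline would normalise to E.164 first.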
![Page 73: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/73.jpg)
Notifying breaches – IC guidance
> When to notify – consider:
- the potential harm to affected individuals
- the volume of data lost
- the sensitivity of the data lost
> What to tell the IC’s office/affected individuals:
- What happened
- What information was involved
- What steps have been taken/are being taken to mitigate the risks
- Contact points
- Self-help steps (in the case of affected individuals)
![Page 74: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/74.jpg)
Anticipating the worst
> Security reporting and escalation processes
> Implement a breach management plan
- Key stages:
  Containment and recovery
  Assessing the risks
  Notification of breaches
  Evaluate handling and response and implement changes
- Identify and list the actions required within each stage
- Allocate responsibility for each action
- Identify the response time for each action
- Train relevant staff and test the plan
- Publicise the plan
![Page 75: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/75.jpg)
Sally Annereau
Data Protection Analyst
Data transfers
![Page 76: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/76.jpg)
When might a transfer occur?
For example…
> Employee data to US headquarters
> Customer data to a South American call centre
> Use of a data bureau in India
> Multi-national central CRM database
> Supply of customer orders to Japanese distributor
![Page 77: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/77.jpg)
The Eighth Principle
“Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data”
![Page 78: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/78.jpg)
Take a ‘bite-sized’ approach to the problem - 1
> Is personal data involved?
> Is the personal data going beyond the European Economic Area
(“EEA”)*?
> Is a transfer taking place?
* The member countries of the European Union together with Norway, Iceland
and Liechtenstein.
![Page 79: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/79.jpg)
Adequate Protection?
> Has the European Commission ruled that the destination country is
adequate?
> Is the transfer to a US business signed up to the Safe Harbour Scheme?
> Does an exception to the Eighth Principle apply?
![Page 80: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/80.jpg)
Existing EC adequacy findings*
> Hungary
> Switzerland
> Canada
> Argentina
> Guernsey, Jersey or Isle of Man
> Faroe Islands
> Andorra
> Israel
> Uruguay
> New Zealand
* Details of adequacy decisions can be found at:
http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm
![Page 81: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/81.jpg)
Safe Harbour
> A US self-regulatory scheme
> US companies certify to comply with 7 principles
> Not all US companies can participate
> It is possible to check a public register of members
http://www.export.gov/safeHarbor
> Non compliance actionable by US Government or affected individuals
![Page 82: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/82.jpg)
Exceptions under the Eighth Principle
Including:
> The data subject consents to the transfer
> The transfer is necessary for the performance of a contract with the data
subject(s).
> The transfer is necessary to implement pre-contractual measures at the
request of the data subject.
> There is a contract in place based on EU-approved terms between the
exporter and importer of the data*
*http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm
![Page 83: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/83.jpg)
Binding Corporate Rules (“BCR”)
> Intra-group solution for international transfers
> Use of group wide enforceable data handling policies
> Required content for submission of BCR
> Supervisory co-operation for approval process
> NOT for the faint hearted!
![Page 84: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/84.jpg)
Presumption of Adequacy?
Consider:
> the nature of the personal data
> the country of origin of the personal data
> the country of destination
> the purposes of the intended processing
> the law/relevant codes in force in the destination country
![Page 85: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/85.jpg)
Practical Considerations
> To what extent do you transfer personal data outside the EEA?
> Do you have international subsidiaries?
> Consider the potential for transfers down the line and collect data with
that possibility in mind
> Consider carefully the wording of consent notices and contract terms
> Don’t underestimate the potential impact of non-compliance
![Page 86: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/86.jpg)
E marketing and Cookies
Sally Annereau, Data Protection Analyst, Taylor Wessing
![Page 88: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/88.jpg)
The current law in the UK
> Data Protection Act 1998
> Privacy and Electronic Communications Regulations 2003
- Came into force on 11 December 2003
- Do not apply solely to marketing by e-mail or SMS
- rules also cover marketing by telephone, fax and automated calling systems
- Need to think about this AND the Data Protection Act 1998
> The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
- These come from European Directives
- Similar (but not exactly the same…) laws throughout Europe
![Page 89: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/89.jpg)
Marketing by e-mail and SMS – the rules (1)
Privacy and Electronic Communications Regulations 2003
> No unsolicited e-mail or SMS marketing to individuals unless:
- Recipient has consented
OR
- (1) you obtained contact details “in the course of the sale or negotiations for
the sale of a product or service”;
- (2) you are marketing your own similar goods or services to them; AND
- (3) opportunity to opt out (free of charge) given at the point of collection and at
the time of each subsequent communication
![Page 90: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/90.jpg)
Marketing by e-mail and SMS – the rules (2)
> You cannot disguise yourself
and
> You have to provide a valid return path
![Page 91: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/91.jpg)
How do I go about getting consent?
> There is no set way of getting it, but the law says that it must be
informed, freely given (i.e. revocable) and…
> For e-mail or SMS marketing, consent has to be positive, so…
Not acceptable (opt-out): “I would like to send you information by e-mail. Please tick this box if
you do not want me to do so”
but
Acceptable (opt-in): “I would like to send you information by e-mail. Please tick this box if
you are happy for me to do so”
? Doubtful: “By submitting this form, you will be indicating your consent to receiving
e-mail marketing messages from us unless you have indicated an
objection to receiving such messages by ticking the above box”
> Don’t necessarily need a classic tick-box
![Page 92: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/92.jpg)
Mobile marketing
> “Live”/voice marketing calls
- TPS list – every 28 days
- CTPS
- In-house telephone suppression lists
> Text, picture and video mobile marketing is governed by the rules
previously discussed
![Page 93: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/93.jpg)
Some tricky areas…
> Legal problems
- What is “in the course of the sale or negotiations for the sale”?
- Not simply registering an interest at/visiting a web site
- What are “similar” products and services?
- What would someone reasonably expect?
- Viral marketing
> Technical and marketing problems
- How long does consent last?
- What about pre-existing e-mail or SMS marketing lists?
- Hw d U fit all info U nd in2 160 krctz?
![Page 94: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/94.jpg)
Automated calls and Fax marketing
Automated calls
> Prior express consent of any recipient required
> Where consent is provided, the communication must include:
- Identity of caller
- Contact address or freephone number
Fax marketing
> Prior consent of individual subscribers required
> Corporate subscribers – permitted unless they have opted out or are registered on the Fax Preference Service register
> Where you can legitimately communicate, the fax must include:
- Identity of caller
- Contact address or freephone number
![Page 95: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/95.jpg)
Cookies
> A piece of information that includes a unique reference code that a
website transfers to your device to store and sometimes track
information about you.
Can be:
> First / third party
> Session or persistent
> ‘Flash’ or ‘super’
And don’t forget web beacons/gifs.
![Page 96: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/96.jpg)
Regulation 6 ‘PECAR’
No storing of, or gaining access to, information stored in the terminal equipment of a subscriber or user unless the user or subscriber:
a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
b) has given his consent.
Exception where storage or access is:
> for the sole purposes of carrying out the transmission of a communication over an electronic communications network; or
> strictly necessary for the provision of an information society service requested by the user or subscriber
![Page 97: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/97.jpg)
Key considerations
> Move from old law notice and ‘opt-out’ to notice and consent
> Applies to equivalent technologies
> No legal distinctions between different types of cookies
> Applies to all equipment capable of receiving cookies
> Clear and comprehensive information about cookies needs to be
provided about purposes of cookies
> Limited exceptions
![Page 98: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/98.jpg)
IC Guidance
Initial guidance – no firm view on what kinds of consent will be enough but:
> Browser settings – unlikely to work
> Pop-ups and similar techniques?
> Terms and conditions?
> Settings/Feature led consent?
> Functional uses?
> Third party cookies?
Updated guidance:
> explicit consent allows for regulatory certainty (and will be the most
appropriate way to comply in some circumstances)
> “this does not mean that implied consent cannot be valid” although it
must still be informed.
![Page 99: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/99.jpg)
Other viewpoints
> IAB
> Article 29 Working Party
> ICC
> ‘Do Not Track’
![Page 100: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/100.jpg)
Enforcement
> 12 month compliance amnesty (ended 26 May 2012)
> Post May 2012 - Possible action including enforcement notices or fines
subject to an assessment of the impact of the breach on the privacy and
other rights of user.
Considerations likely to include:
> The intrusiveness of the cookie?
> Is data passed to an organisation the individual would not expect?
> Will any sensitive data be held in profiles?
> Is the website being “cavalier” or “tricksy”?
![Page 101: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/101.jpg)
Steps to take (if playing catch-up) (1)
1. Identify
- Websites?
- Types of cookies (or other tools)?
- Purpose of the cookie?
- When deployed?
- Who deploys (first or third party)?
- Who can read the cookie?
- How long is the cookie stored?
- Are profiles of users’ browsing activity being created?
2. Assess
- Is the cookie necessary to underpin a service requested by the user?
- What is the impact of the cookie on the user?
- Session only or persistent?
- Is a third party tracking the user across this and other websites?
- Are profiles of browsing activity being created?
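The ‘Identify’ and ‘Assess’ questions above, and the classifications on the earlier Cookies slide (first or third party, session or persistent, how long stored), can be answered in part from the Set-Cookie headers a site actually sends. The script below is an added example and is not part of the workshop materials: it parses captured Set-Cookie headers and records, for each cookie, the setting domain, whether it is first or third party relative to the audited host, whether it is a session or persistent cookie, and its lifetime in days, plus the Secure and HttpOnly flags since an audit is a good moment to check them. The hosts, cookie names and headers in SAMPLE_CAPTURE are constructed for illustration and are not taken from any real site; the audit date is fixed at the workshop date so that lifetimes computed from Expires are reproducible.

```python
"""Cookie inventory helper for the 'Identify' and 'Assess' steps of a cookie audit.

Added example, not from the workshop slides. Classifies Set-Cookie headers captured
from a site's responses on the axes the audit asks about. Purpose, and whether a
cookie is 'strictly necessary' under Regulation 6, still require human judgement.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample capture for a hypothetical site: (response URL, Set-Cookie header).
# None of these hosts, cookie names or values are real.
SAMPLE_CAPTURE = [
    ("https://www.example.co.uk/basket", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.co.uk/basket", "basket_pref=gb; Path=/; Max-Age=31536000"),
    ("https://tracker.adnetwork-example.net/pixel.gif",
     "uid=9f8e7d; Domain=.adnetwork-example.net; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"),
]

# Fixed reference time (the workshop date) so lifetimes are reproducible.
AUDIT_TIME = datetime(2013, 10, 23, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def same_site(site_host, cookie_domain):
    """First party if the cookie domain is the audited host or an ancestor/descendant of it."""
    site_host = site_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return (site_host == cookie_domain
            or site_host.endswith("." + cookie_domain)
            or cookie_domain.endswith("." + site_host))


def classify_cookie(site_host, response_url, header, now=None):
    """Return the audit record for one Set-Cookie header.

    site_host:    host of the website being audited (e.g. www.example.co.uk)
    response_url: URL of the response that carried the header
    now:          reference time for the remaining lifetime (defaults to current UTC time)
    """
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    # No Domain attribute means the cookie is scoped to the responding host.
    domain = attrs.get("domain") or urlsplit(response_url).hostname
    lifetime = None  # seconds; None means a session cookie
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265 s.5.3)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    return {
        "name": name,
        "domain": domain.lstrip("."),
        "party": "first" if same_site(site_host, domain) else "third",
        "persistence": "session" if lifetime is None else "persistent",
        "lifetime_days": None if lifetime is None else lifetime // 86400,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit(site_host, captured, now=None):
    """captured: list of (response_url, set_cookie_header) pairs from a crawl of the site."""
    return [classify_cookie(site_host, url, hdr, now) for url, hdr in captured]


def run_sample_audit():
    """Audit the constructed capture as at AUDIT_TIME and return the records."""
    return audit("www.example.co.uk", SAMPLE_CAPTURE, now=AUDIT_TIME)


if __name__ == "__main__":
    for record in run_sample_audit():
        print(record)
```

Only HTTP cookies are visible this way; ‘Flash’ or ‘super’ cookies, local storage and web beacons need to be found by inspecting the pages and scripts themselves, and a third-party domain in the output is the prompt to ask who can read that cookie and whether a cross-site profile is being built.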
![Page 102: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/102.jpg)
Next steps (2)
3. Implement
- Is sign-up or registration required to access the website?
- Do users initiate a function or setting that uses a cookie?
- Do users need to be alerted on first arriving on the website?
- Review, enhance and introduce notices and privacy policies
- Consider both specific and ‘holistic’ approach to solutions
![Page 103: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/103.jpg)
So what are businesses doing?
> Confusion persists over what level of consent is enough
> Genuine reluctance to embrace clear consent mechanisms
> Yet doing nothing is not an option
> Evidence that most UK online businesses have:
- carried out internal audits
- raised the bar on transparency and information
- implemented changes to terms and conditions, privacy ‘and cookies’ policy
- applied landing page alerts / actions / notices
![Page 104: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/104.jpg)
Examples
![Page 105: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/105.jpg)
![Page 106: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/106.jpg)
![Page 107: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/107.jpg)
Light box approach
![Page 108: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/108.jpg)
Enhanced privacy policies
![Page 109: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/109.jpg)
Consent in policies & terms?
> “When you create or log in to an online account you agree to our privacy and cookies notice. Otherwise, by continuing to use our websites or mobile services you agree to the use of cookies as described in this notice. Please see our cookies notice.”
> By using the site you accept this privacy and cookie policy (our “privacy and cookie policy”). If you do not agree with any term in this privacy and cookie policy, please do not use our site or submit any personal data through it.
> By clicking the "I Agree" button on the registration form, you agree that you:-
1. have read the web site terms of your privacy policy;
2. consent to our use of your information in accordance with our privacy policy;
3. consent to the use of cookies as disclosed to you in our cookies policy; and
4. agree to be bound by these terms and conditions.
If you do not agree, please leave this website now.
![Page 110: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/110.jpg)
Lunch
![Page 111: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/111.jpg)
The proposals for new data protection law
Sally Annereau, Data Protection Analyst, Taylor Wessing
![Page 112: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/112.jpg)
The Proposed European
Data Protection Framework
Sally Annereau
Data Protection
![Page 113: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/113.jpg)
Data Protection Laws
> Current Landscape
> New Horizon
> The Reform Journey
- Published Proposals, 25 January 2012
- Parliament and Council
First Reading
Second Reading
- Entry into Force - Regulation
![Page 114: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/114.jpg)
Proposed new EU framework
> Regulation
2014?
2 Year Implementation Period?
2016?
> Evolution or revolution?
Upgrade
New
> The final picture?
Ambiguity
Delegated Acts
Harmonisation
![Page 115: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/115.jpg)
Territorial Scope
> Establishment in the EU
> Extended to those who are not in EU if processing relates to
- The offer of goods or services to data subjects within the EU
- The monitoring of EU data subject’s behaviour
> Home Authority
> Prior Authorisation
> Forum Shopping
![Page 116: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/116.jpg)
Definitions
Similar base point
> Data Subject
> Personal Data Breach
> Binding Corporate Rules
> Sensitive Personal Data
![Page 117: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/117.jpg)
Personal Data Processing Principles
> Lawful, fair and transparent
> Collected for a specified, explicit and legitimate purpose
> Adequate, relevant and limited to the minimum necessary
> Accurate and kept up-to-date
> Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
> Ensuring compliance with the provisions of the regulation
![Page 118: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/118.jpg)
Consent
> Burden of proof
> Written declarations
> Withdrawal of consent
> Significant imbalance
> Personal data relating to a child
![Page 119: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/119.jpg)
Special/Sensitive Personal Data
> Prohibition:
- the processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited
> Consent
> Employment law
> Vital interests
> Legal
> Public interest
> Health purposes
![Page 120: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/120.jpg)
Transparency
> Transparent and easily accessible policies
- Processing of personal data
- Exercise of data subject’s rights
> Intelligible form
> Clear and plain language
> Adapted to the data subject
![Page 121: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/121.jpg)
Subject Access Requests
> Information to be provided to the data subject
> Rights of access
> Electronic form
> Standard forms and procedures
> Timings
> Fee?
![Page 122: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/122.jpg)
Right to be forgotten
> Right to rectification
- Inaccurate personal data; and
- Completion of incomplete personal data
> Right to be forgotten and a right to erasure
Where:
no longer necessary to the purpose of collection
the subject has withdrawn their consent
the subject objects
the processing is in breach of the Regulation
> Erasure without delay
> Restrict processing of disputed data
> Commission can specify further rules
![Page 123: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/123.jpg)
Data Portability
> Obtaining a copy of data
> Format to be supplied
> Automated processing
> Technical standards, modalities and procedures for transmission
![Page 124: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/124.jpg)
Marketing and Profiling
> Right to object to processing
- where based on
– vital interests
– public interest
– legitimate interests
> Right to object to direct marketing
> Rights in relation to measures based on profiling
Extended to include health, personal preferences, reliability and
behaviour
> Consent?
![Page 125: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/125.jpg)
Responsibilities of the Data Controller
> Policies and implementation
> Documentation
> Security obligations
> Data protection impact assessment
> Prior authorisation
> Data Protection Officer
> Implement compliance mechanisms and ensure verification
> Data Protection
- Design
- Default
![Page 126: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/126.jpg)
Data Processor
> Due diligence and sufficient guarantees
> Contractual measures required
> Documenting the controller’s instructions and the processor’s obligations
> Shifting from processor to controller
![Page 127: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/127.jpg)
Data Security
> Obligations of the data controller and the data processor
> Appropriate technical and organisational measures
> Notification of a personal data breach
- Notify the supervisory authority
- Within 24 hours
- Reasoned justification required if notification takes longer than 24 hours
> Data processor obligations to inform the data controller
> Content of the notification
> Notifying data subjects
![Page 128: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/128.jpg)
Data Protection Impact Assessment
> Controller or Processor?
> Trigger points
> Considerations within the impact assessment
> Data subject liaison
> Prior authorisation and prior consultation
![Page 129: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/129.jpg)
Data Protection Officer
> Designation of the DPO
> Tasks of the DPO
> Minimum term
> Different to current DPO roles
![Page 130: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/130.jpg)
Data Transfers to Third Countries
> General principles
> Adequacy decisions
> Transfers by way of appropriate safeguards
> Binding corporate rules
> Derogations
![Page 131: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/131.jpg)
Remedies
> Complaint to the supervisory authority
> Civil action against
- supervisory authority
- controller
- processor
> Right to compensation
![Page 132: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/132.jpg)
Proposed new EU framework: Fines
Three tiers, each a fixed sum or a percentage of annual worldwide turnover:
> First tier: €250,000 or 0.5%
> Second tier: €500,000 or 1%
> Third tier: €1m or 2%
Breaches covered include:
> Subject access request breaches
> Rules on transparency
> Rectification
> Right to be forgotten
> Data subject’s objections
> Compliance (required documentation)
> Processing data without a legal basis
> International data transfers
> Compliance (appropriate internal policies)
> Impact assessments
> EU representative
Who’s in the firing line… “Anyone who …”
![Page 133: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/133.jpg)
Food for thought
> Further Standards and Delegated Acts
> Commission reserved power to specify standard forms and procedures, including:
- methods to obtain a child’s consent
- forms and procedures for access requests and communicating information and data
- electronic format of supplied data
- technical standards for protection by design or default
> Wide Commission powers to adopt delegated acts, including:
- specifying lawful processing conditions
- specifying sensitive data and how it is safeguarded
- the detail of fair processing information to data subjects
- additional data controller responsibilities & conditions for audits
> Member state safeguards and rules
![Page 134: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/134.jpg)
Food for thought
> Compliance benchmark must be raised
- DPO
- Documentation
- Evidential trail
- May be published
> Vendor management processes must change
- Due diligence
- Contracts
- Liability
![Page 135: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/135.jpg)
Data protection compliance and marketing: getting the right balance
Penny Champion, Data Protection Manager, NSPCC
![Page 136: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/136.jpg)
Data protection compliance workshop
23 October 2013 - DMA
Data protection compliance and
marketing - Getting the right balance
Some practical challenges for charities
Penny Champion, Data Protection Manager
www.NSPCC.org.uk
NSPCC 23 October 2013
![Page 137: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/137.jpg)
Why direct marketing matters to charities
At the NSPCC in the year 2012-2013 (source: Annual Reports and Accounts):
Regular and one-off donations income of £110.7m
- That was 85.6% of our income
Letter from Santa alone raised £1.8m
![Page 138: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/138.jpg)
Contexts for charities: the marketing environment-1
Supporter data not always in one database
Often goes back decades, reflecting supporter loyalty, but data
quality and currency may be uncertain
Donors from all sectors of society – from individual giving at £2
a month all the way up to wealthy individuals and large
corporates
Participation in events – fundraising balls, sponsored walks,
bike rides, ascent of the Gherkin, HACK walks
Participation in externally organised events – London Marathon,
Belfast Marathon
Legacies
Supporter relationship management can be challenging!
![Page 139: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/139.jpg)
Contexts for charities: the marketing environment-2
Supporters are respected and valued
Aim is to have sustainable relationships with all sectors of
donors
Data protection and privacy law and regulation really matters
when it comes to successful donor recruitment and retention
Cost of fundraising across different channels:
Telephone tends to be more effective – people respond to
the human voice
Email is a very cost effective way of communicating
But you need the right consents in place!
What do supporters think they’ve agreed to by way of direct
marketing communications?
![Page 140: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/140.jpg)
Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’
The scenarios are fictitious but could come up at any major UK
charity. You are responsible for advising the Director of
Fundraising what to do in the following circumstances:
1 Bringing gift aid declarations up to date
2 A local committee decides to run a Christmas Fair to raise
funds for National Charity
3 A major corporate supporter – BigTelCo – is supporting a Big
Run. The runners are its staff, their families, and friends. The
CEO wants to email all entrants to say ‘thank you’
4 TV advert – Text CHILD2013 to donate £4. You’d like to phone
donors later and see if you can convert them to regular givers
![Page 141: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/141.jpg)
Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 1 of 4
Bringing gift aid declarations up to date – repairing defective data
o There’s been a major review and clean up of Gift Aid
declarations for existing supporters
o For some of the older ones, the original declaration can’t be
found, or there is a technical problem eg no forename initial is
held. As a result you have had to mark the donations as ‘No Gift
Aid’ and cannot claim back from HMRC
o Can we telephone or email these supporters to ask if they can
give a new Gift Aid declaration?
![Page 142: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/142.jpg)
Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 2 of 4
A local committee decides to run a Christmas Fair to raise funds
for National Charity
o They want a website – how can that best be managed?
(cookies compliance, privacy notices, who is the data controller
anyway?)
o Committee members want to email their personal contacts –
local businesses and their friends to generate interest from
potential stallholders. So do the PEC Regs apply?
![Page 143: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/143.jpg)
Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 3 of 4
A major corporate supporter – BigTelCo – is supporting a Big Run.
o National Charity is BigTelCo’s charity of the year. There’s going
to be a BigTelco Run. It’s been promoted to staff on the
company’s intranet – they are encouraged to get family and
friends to enter.
o Entry is on-line – a special webpage set up by National Charity
– and over 400 people have signed up. National Charity is the
data controller for their personal data.
o The CEO is thrilled – she decides she wants to email all
entrants after the Run to say thank you from BigTelCo. But
National Charity did not tell entrants that their email addresses
would be passed to BigTelCo. What are the options and risks?
![Page 144: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/144.jpg)
Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 4 of 4
TV advert – Text CHILD2013 to donate £4. You’d like to phone
donors later and see if you can convert them to regular givers
o CAP Code compliance is OK - the advert complies with the
standards for what is displayed on screen and how many
seconds it’s up there. People are told how much of the £4 the
charity gets and National Charity (registered number, website
address) is shown.
o Donors get a ‘thank you’ text from National Charity. It includes a
link to the Gift Aid declaration webpage. We want to phone
donors to see if we can convert them to regular givers. Can we
give them the telephone opt-out opportunity in the thank-you
text?
![Page 145: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/145.jpg)
Conclusions – not always easy answers
Quality of data gives rise to problems. Is the Gift Aid approach administrative or direct marketing in purpose? How will the supporters perceive it?
Who’s the data controller? Volunteers doing their own thing may well be fine, but how can National Charity manage the privacy compliance risks to itself?
Privacy statements – retro-fitting consents to disclose is hard. Is the CEO thank-you direct marketing? Will the BigTelCo Run entrants object?
Unless you obliterate the ad with ‘small print’ you’re going to have to find another way to deliver the telephone opt-out. What’s fair and best for the donors?
The scenarios are fictitious but could come up at any major UK charity
![Page 146: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/146.jpg)
And finally ……
Look out for companies who claim to offer a marketing blocking service to consumers (Opt Out UK Ltd, Data Protection House). You (probably) do not have to agree to their demands. Talk to the DMA.
Wider privacy issues – it’s not just about supporters.
Use of ‘real life stories’ in marketing materials
Personal data in the charity’s Facebook page or other social media
Your thoughts and questions?
Penny Champion, Data Protection Manager
![Page 147: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/147.jpg)
Practical session & feedback
Sally Annereau, Data Protection Analyst, Taylor Wessing
![Page 148: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/148.jpg)
Refreshment break
![Page 149: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/149.jpg)
Privacy statements
Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
![Page 150: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/150.jpg)
Be Aware
The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd., nor by Charity Confidential. Neither makes any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.
![Page 151: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/151.jpg)
The Ever Willing Customer?
‘The key to modern direct marketing is the capture of individual customer details at the first sale, so that the marketer can begin a relationship with the customer’
Tapp (1998) Principles of Direct & Database Marketing
![Page 152: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/152.jpg)
Trust Me, It’s The 121 World Now
‘Trust is more important than it ever was before. If you violate it, you will be outed’
Peppers (2008) IDM Insights
![Page 153: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/153.jpg)
Lack of Privacy Control
Control over the personal information held
Control over personalised marketing
Control over data accuracy
Evans, O’Malley & Patterson (2004) Exploring Direct and Customer Relationship Marketing
![Page 154: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/154.jpg)
Privacy Statement Checklist
How easy is it to find – online/offline?
Is it true?
Does it make sense?
How does it cover marketing contact?
What else is desirable?
Is it future-proofed?
Does it reassure – inspire trust & confidence?
![Page 155: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/155.jpg)
![Page 156: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/156.jpg)
Real Voices
‘What if I don’t tick the terms & conditions. Do they still have my details? I don’t know how it works?’ (Jess aged 22)
‘I always think that’s just legal stuff they have to put it, even if they don’t want to’. (Marcos aged 25)
![Page 157: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/157.jpg)
More Voices
‘If it’s short they could get out of any little situation, there’s no way they’ve covered everything’ (Mollie aged 23)
‘The longer they are the more suspicious I am’ (John aged 56)
‘I think it’s a load of blurb really’ (Judy aged 42)
![Page 158: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/158.jpg)
Frequency of Reading Privacy Policies
45% claim never to read
28% rarely read
18% sometimes read
5% always read
Source: Sophie Warren, BA International Marketing Student, Bournemouth University, January 2009
![Page 159: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/159.jpg)
![Page 160: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/160.jpg)
Don’t Tell People The Obvious
Something a reasonable person would anticipate and agree to if asked
Necessary to carry out the transaction requested
Has no unforeseen consequences
![Page 161: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/161.jpg)
Sharing Information
No unjustified adverse effects
Within the same group – provide back up details if asked
When the sharing is unexpected
![Page 162: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/162.jpg)
![Page 163: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/163.jpg)
![Page 164: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/164.jpg)
Saying what you mean, and playing fair
‘From time to time we may wish to contact you with further information about our products and those of other carefully selected companies we think may be of interest to you. Please write to xxxxxx if you do not wish this to happen’
![Page 165: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/165.jpg)
![Page 166: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/166.jpg)
![Page 167: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/167.jpg)
![Page 168: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/168.jpg)
Let’s Get Personal: [email protected]
![Page 169: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/169.jpg)
Test
Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
![Page 170: DMA - DPC Workshop - 23 October 2013](https://reader031.vdocuments.site/reader031/viewer/2022020115/54b88de24a795980408b495d/html5/thumbnails/170.jpg)
Close