Transparency in Marketing
Your Panel:
Paula Barrett, Head of Privacy & Information Law, Eversheds LLP
Aurélie Pols, Privacy Advocate, Advisory Board Member, MyPermissions
Yasmeen Rahman, EMEA Regional Coordinator, EU Law, BMW Group
IAPP Europe Data Protection Intensive, London, 16 April 2015
BMW GROUP PRIVACY. TRANSPARENCY IN MARKETING: BMW GROUP, THE INSIDERS VIEW
BMW Group Privacy, IAPP European Intensive, April 2015
Transparency in Marketing
Drivers and impact assessments
Privacy Impact Assessments
• tool for extracting facts
• creates framework for discussion
• not just legal analysis - assess against commercial risk appetite and corporate ethos
• mitigating actions to be taken
• PIA requirement can be attached to specific project gateways e.g. digital platform changes
• the outcome - business enabler and greater transparency
Conducting Impact Assessment
• Understanding jurisdiction(s) and applicable law
• Identifying the players - data controllers and data processors
• Recognizing what personal data/private information is processed
• Work through application of principles, lawful reasons, fairness, transfers, filings, etc
• other relevant issues
– Other legislation/laws/torts!
– Culture and expectations
– Political/regulatory stance
PIA Report
• Consider actual and potential breaches
– Legal and practical consequences
– Likelihood of action and impact
• Business case justifying privacy intrusion/implications
– alternatives considered and rationale for decisions made
• Mitigation steps/design features
• Bear in mind legal privilege - this may become published/disclosable
• Consider separate annexes for sensitive elements.
Other Transparency Drivers
• Consumer Rights Legislation
• Tort – Misuse of Private Information?
• Privacy and Electronic Communications Directive
• General Data Protection Regulation
Consumer Protection
• Unfair Commercial Practices Directive
• Local activity, UK Consumer Bill of Rights, Germany class action amendments
• Prohibits misleading acts/omissions and aggressive commercial practices
– false product information or deceptive presentation
– providing material information which is unclear, ambiguous or untimely
– failure to abide by commitments in a code of conduct
• Remedies
– not the same jurisdictional constraint on establishment of controller
– sanctions can include imprisonment
– burden of proof on trader
– policy non-compliance actionable as breach of contract?
• Could be applied to privacy practices - increasingly a significant factor in consumer entering into contract?
Misuse of Private Information
• UK Court of Appeal Judgment 27/03/2015 – Google Inc v Vidal-Hall, Hann and Bradshaw
• misuse of private information determined as a tort – distinct from breach of confidence
• consent required for use of “private information”
– other lawful reasons/exemptions not specified
PECD
• Stricter rules than DPD alone
• Consent – freely given, specific and informed AND:
– notified to the sender (not a third party?)
– that he consents for the time being (Ongoing?)
– to such communications (what type?)
– being sent by or at the instigation of the sender (third parties?)
• Inferring consent more difficult
• Driving greater transparency on consent obtained by or for third parties
GDPR Consent?
• Expansive definition of personal data
• Profiling
• Consent
– Data controller to bear the burden of proof
– right to withdraw his consent at any time
– purpose-limited - will lose its validity when purpose ceases to exist or as soon as processing is no longer necessary for carrying out the purpose for which they were originally collected.
– no bundling
@aureliepols Europe Data Protection Intensive – London 2015
Transparency in Marketing
Tools
Analytics
Permissions
Customer relationship evolution
Slide borrowed from Benjamin Mercier, Senior Digital Analytics Manager, Barclays Personal & Corporate Banking
eMetrics Summit London, Big Data for Marketing, September 2014
Marketing’s shiny new toys
Source: https://hbr.org/2014/07/the-rise-of-the-chief-marketing-technologist/ar/1
Source: http://cdn.chiefmartec.com/wp-content/uploads/2015/01/marketing_technology_jan2015.png
Source: http://www.gartner.com/technology/research/digital-marketing/transit-map.jsp
Where each tool can
Collect data
Aggregate data
Share data
Calculate new data
Push data towards other systems
…
And your company could
• Adhere to the Terms of Service, Terms of Use, … or not
• Align the use of these tools with your own policies… or not
• Find yourself in trouble due to some data use down the road… or not
So let me ask you 2 simple questions
1. When did Google last change its Privacy Policy?
2. Is your company using, e.g., Google Analytics?
3. Bonus: who owns the data?
An EU perspective of marketing
Source: Amicus brief for the Digital Analytics Association (DAA), Should you measure when a user logs out? Author Aurélie Pols http://www.slideshare.net/AurliePols/privacy-ethics
The power of tool vendors
Technology is advancing
Digital professionals look at vendors for Privacy answers
Vendors who get confused
And set-up terms to protect their (own) liability within the data flows
You need to grasp and make marketing understand your shared liabilities!
Source: http://dynamical.biz/blog/technical-analytics/collecting-ga-userid-into-ga-can-violate-google-analytics-tos-75.html
How? Tools to follow up on digital
Remember those cookies?
How those Privacy Policies need to be kept up to date?
How about receiving an alert when they aren’t anymore?
It would trigger internal processes for follow-up
How? Tools to follow up on mobile
How many mobile and cloud based apps is your company responsible for?
Which permissions on mobile are accessed?
BYOD: are company contacts accessed? What are the risks?
NIST’s Privacy Triad
• Predictability: Enabling reliable assumptions about the rationale for the collection of personal information and the data actions to be taken with personal data
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal Privacy and proprietary information
• Manageability: Providing the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.
• Collaboration & Responsibility (not only legal)
– Privacy training & escalation procedures
• Data lineage & consent management
– Data origins & life cycle
– Manage individual choices & consent
We’re not even close!
• Change to the data value exchange
– Maintaining data quality (collected, processed & used)
• Commercial advantages
– Increased Trust; reduced Brand Erosion due to unsystematic Privacy management
– Better data governance, optimized use of Data Science
Sell this to Marketing!
Data tension due to data leeching
Analytics capabilities
Customer feelings of creepiness
Harm?
Data quality?
Get down to the details. Else it’s just small talk!
Source: http://csrc.nist.gov/projects/privacy_engineering/nist_privacy_engr_objectives_risk_model_discussion_deck.pdf
INTERESTED IN SCANNING THOSE MOBILE APPS? HTTP://WWW.MYPERMISSIONS.COM
Questions? Comments? Agree? Disagree?
Our Top 5 Questions for Marketing
Yasmeen
• What is the background and business objectives of what you are doing?
• How will it impact the customer and customer relationship?
• Where are we getting the customer data from and what are we going to do with it?
• In BMW and outside BMW, who is involved?
• What technologies, IT systems, and platforms are involved?
Paula
• What are you seeking to achieve?
• What data are you collecting?
• Are you working with a vendor or partner organisation to achieve this?
• What tools will be used to do this?
• Where is this data collection and analysis happening?
Aurélie
• What tools do you use?
• Which data do you collect, store & use in which tool?
• How does the data flow?
• Who has access?
• Which data do you create?