DMA - DPC Workshop - 23 October 2013


  1. Data protection 2013: Data protection compliance workshop, Friday 8 February / Wednesday 23 October 2013. #dmadata. Supported by
  2. Welcome and Overview – Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
  3. INTRODUCING THE DATA PROTECTION ACT 1998 – Lesley Tadgell-Foster, Shelfline
  4. Be Aware: The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd. nor by the Direct Marketing Association. It does not make any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.
  5. The danger of better targeting meaning more intrusion: • Customers worry about what happens to their information, how it can be used against them, and they fear being sold to, but expect it • High profile data losses: justified fears • Concerns fuelled by the media: the "they know what's in your shopping basket" syndrome... • Data collection meets record-keeping
  6. ...continued: • Respect for customers' rights to privacy and discretion is always vital in building confidence, and is now enshrined in legislation • The obligation of marketing to offer explanations, reassurance and honesty • Self-interest prevails: lose customer confidence and expect them to cut contact
  7. Purpose of the 1998 Data Protection Act: • To safeguard the public from abuse in the collection, storage and distribution of personal information • Information relating to identifiable, living individuals only, not organisations • Can be held on computer or system • Or in a 'relevant filing system': not your address book, but data held in a structured way, such as a card index
  8. ...continued: • So manual records are included; transitional relief until October 2007 for full compliance • Can also include photographs and systems such as CCTV
  9. RESPONSIBILITIES DEFINED
  10. The Data Controller: • This is the 'person' deciding why/how personal data is processed • More likely that the organisation is the Data Controller • An individual employee is only likely to 'carry the can' if shown to be 'knowingly or recklessly contravening the employer's policies and procedures'. But....?
  11. The Data Processor: 'Any person other than an employee of the data controller who processes data on behalf of...' • Computer bureaux • Individual market researchers collecting survey responses
  12. AND WHAT IS PROCESSING?
  13. Anything to do with personal data, from: • Obtaining • Using • Holding/Storing • Changing • Disclosing • Erasing • Disposing
  14. The Eight Principles Reviewed. 1. Personal data must be processed fairly and lawfully. The concept of fairness implies using candour and transparency in dealing with the acquisition of customers' personal information. Are they deceived or misled in any way about your purposes for obtaining/using the data?
  15. The Eight Principles Reviewed. 2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes. Think purposes, not files.
  16. The Eight Principles Reviewed. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Avoid 'just in case' information. Defer to the minimum.
  17. The Eight Principles Reviewed. 4. Personal data shall be accurate and, where necessary, kept up to date. Inaccuracy very frequently gives rise to customer irritation, resentment and suspicion.
  18. The Eight Principles Reviewed. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Depends on both data and application.
  19. The Eight Principles Reviewed. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  20. The Eight Principles Reviewed. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Real emphasis on the integrity of data and the reliability of operations. The data controller takes responsibility for ensuring that any agency (bureau) maintains adequate security and is bound by contract.
  21. The Eight Principles Reviewed. 8. Personal data shall not be transferred to a country or territory outside the EU unless it ensures an adequate level of protection for the rights and freedoms of data subjects...
  22. The individual is an active part of the 'system' of data protection: • the right to know that processing is being undertaken • the right to inspect personal data • the right to prevent processing in certain circumstances (e.g. for direct marketing) • the right to rectify, block or erase data
  23. Is data processed/amended outside the EEA, possibly to be returned to the UK later? Does the country have 'adequate'/mirror legislation to ours? • For the USA, consider use of 'safe harbors' model contracts • Everywhere else, tailored contracts are needed for the contractor/company overseas to demonstrate adherence to the UK DP regime
  24. Sensitive Data – opt in always: • Racial or ethnic data • Political opinions/trade union membership • Religious or similar beliefs • Physical/mental health • Sexual life • Committed or alleged offences
  25. Customer Understanding and Agreement: • The most onerous duty of all • Must 'signify' consent: a positive communication • Consent must be specific and informed • The role of the 'opt out' box • Depends on clarity of wording • Cannot be given under duress • Consent can be withdrawn
  26. So What Place Direct Marketing? • The right to reject unsolicited marketing, by whatever means • So: media neutral! • Define the nature and purpose of the contact • Are they just saying 'no' to your material, or are they also rejecting that from third parties?
  27. ...continued: • You may well need two opt-out clauses • Danger of combining into a single one? "From time to time we may wish to contact you with further information about our products and those of other companies we think may interest you. Please tick if you do not wish this to happen"
  28. Media Choices: Can you implement real choice every time, without fail? • Direct mail • Telephone • Fax • Email • SMS/text
  29. Almost all opt-out still.... Privacy & Electronic Communication Regulations ('PECR'), from 2004: • Email: opt-out OK for EXISTING customers/similar products only (also known as the soft opt-in) • SMS: same regime • Transfer to 3rd parties for them to undertake marketing = opt-in
  30. Anyone still using fax? Has always been opt-in for home users, sole traders and partnerships
  31. More Concerns: • What exactly do you plan to send? • Now, and in the future? • Will you change your media approaches over time? • And what about new products/services? • You don't pass on your customer list at the moment, but might you at some point? • OPT-IN ALWAYS FOR 3rd party Email/SMS transfers
  32. GOODBYE TO THE ELECTORAL ROLL: Not entirely, but enough to lose complete coverage. Two versions; opt-outs up to 46% in Wandsworth. Credit referencing use still OK, for now...
  33. Consent at the earliest opportunity: • And there's no going back... • No means no • The Boots Advantage Case
  34. What Information Do You Have on Me? • Subjects' right of access • Across all material/all databases/all departments • Subjects can be internal as well as external for data protection purposes • Think Human Resources/Personnel records • How easy/quick is it for you to collate all files held on a single name?
  35. ...continued: • Credit rejection based on inaccuracy or scoring? • How best to explain your decision making to customers? • Maximum fee £10 • Maximum period 40 days
  36. Don't Box Yourself In: • What about CRM? • How best to ensure continuity over time? • What about changing lifestyles/lifestages? • How much can/do you tell on future communications? • Make it as enticing as possible, given space/truth, but don't over-promise • Optimise the opt-out to cleanse your list of the no-hopers • Work through how to retain the best
  37. Other People's Customers: • Are you using data across different divisions or subsidiary companies? • In the customer's shoes: how closely related is this to the known purpose for giving data? • Running a Current Account is not the same as using the ledger to cross-sell Life Insurance • What if you start up a new venture and contact existing customers with offers?
  38. ...continued: • Ask questions about rented-in lists • Have list warranties been obtained? • Still run against the Preference Services • Is it time to re-visit those who haven't opted out with a new consent?
  39. Business to Business: Business lists with contact names capable of identifying a living individual fall squarely within the scope of the new Act. Offer marketing preferences to business prospects/customers in exactly the same way as for consumers.
  40. The Preference Services: TPS & CTPS, for suppressing numbers from cold telephone canvassing. Mailing Preference Service for consumers only; no business version.
  41. And If You Get It Wrong? • Customers have rights under the Act to challenge the accuracy of information held on them • And to have it corrected or erased • Plus they can claim compensation for both material loss and distress • Not a big issue yet; perhaps the press haven't discovered it!
  42. Starting Young: • How Data Protection affects children • A bit confusing... • No age is described in the Act • The Information Commissioner goes with 12 year olds for e-communication (Trust UK standard)
  43. but... • The Advertising Standards Authority CAP Committee say 16 years on all communication
  44. Implications: • Must not use or rent lists of names unless parental approval was obtained in writing at the time the information was collected • Must be verifiable consent of the parent (opt-in) • Implies it is vital to determine age as soon as possible
  45. ...continued: • Not OK for web communication to gain consent by a mouse click • Postal communication needed to confirm
  46. The Information Commissioner: • Establishes and maintains a register of data users • Promotes compliance with the Data Protection Principles • Considers complaints and breaches, and prosecutes offenders or serves notices
  47. A 'NEW BROOM' IN YOUR LIFE: Christopher Graham, new Information Commissioner. Challenges and benefits of a 'new face'. Looking for high profile cases and punishing the worst and persistent offenders: 'We need to be selective to be effective' (Richard Thomas, predecessor). Increased fines up to £500,000 from April 2010.
  48. Refreshment Break
  49. The role of the ICO – Sally Annereau, Data Protection Analyst, Taylor Wessing
  50. The Office of the Information Commissioner (the 'IC') – Sally Annereau, Data Protection Analyst
  51. IC status: > Appointed by the Crown > Independent, not a servant of the Crown > Regulator of: the Data Protection Act 1998; the Privacy and Electronic Communications Regulations 2003 (as updated); the Freedom of Information Act 2000; the Environmental Information Regulations 2004 > 7 year appointment > Appointment limited to one term of office > Annual report to Parliament
  52. Duties of the Commissioner: > Promote observance of the Act > Maintain the register of notifications > Make assessments > Conduct audits > Disseminate information > Prepare and encourage codes of practice > Enforce the Act > Report annually to Parliament
  53. Assessment considerations include: > Does it concern the processing of personal data? > Is it by a directly affected individual? > Does the request raise a matter of substance? > Is it made without undue delay? > Has the individual raised their complaint with the controller? > Could the matter be dealt with better by another body? > Has the matter been resolved already?
  54. Individual complaints/queries (source: OIC): 1989-90: 2,698; 1990-91: 2,419; 1991-92: 1,747; 1992-93: 4,590; 1993-94: 2,889; 1994-95: 2,814; 1995-96: 2,950; 1996-97: 3,897; 1997-98: 4,173; 1998-99: 3,653; 1999-00: 4,570; 2000-01: 8,875; 2001-02: 12,500; 2002-03: 12,001; 2003-04: 11,664; 2004-05: 19,460; 2005-06: 22,059; 2006-07: 23,988; 2007-08: 24,851; 2008-09: 25,509; 2009-10: 33,234; 2010-11: 26,227; 2011-12: 20,080 (minus FOI casework). (Chart: complaints per year, 1990-1991 to 2011-2012.)
  55. UK Categories of complaint (source: OIC Annual report 2013): > Sectors: Lenders; General business; Direct marketing; Local Government; Health; Central Government; Telecoms; Policing and criminal records; Debt collectors; Internet > Popular complaint causes: Subject access; Inaccurate data; Disclosure of personal data; Tele-marketing calls; Security; Email and SMS. (Charts: complaints by sector (Lenders, Local Gov, Health, Central Gov, Policing, Telecoms, Education, Insurance, Internet, Retail) and by cause (Subject access, Disclosure, Inaccurate data, Security, Use of data, Fair processing, Obtaining data, Excessive/irrelevant).)
  56. Investigations: > Can brief a regional investigating officer > Can issue an 'Information Notice' ('Special Information Notice' for special purposes) > Can obtain a search warrant from a judge: warrants can be obtained with or without notice to the controller; it is an offence to obstruct the execution of a warrant
  57. Powers: > Direct consequences: prosecution; undertakings; enforcement; conduct audits (power applies to public bodies; can be extended to certain types of private body subject to an order by the Secretary of State); monetary penalties (up to £500,000) > Indirect consequences: power of publicity; intervention by other regulators; risk of being sued (compensation claims; breach of contract)
  58. When handling complaints: > Try to head off complaints before they reach the OIC > Log all complaints received (date of receipt; action dates; deadlines) > Try to find out what is behind the complaint > Report up the details (progress; outcomes; lessons/actions) > Respond promptly to all correspondence
  59. When the going gets tough: > Seek legal advice before agreeing to be interviewed by an investigating officer! > Be aware of the extent of the Commissioner's powers > Remember an Enforcement Notice is for life: do not allow an Enforcement Notice to be issued against you or sign an Undertaking unless you understand the consequences; use your right to make representations wherever possible
  60. Data security and transfers – Sally Annereau, Data Protection Analyst, Taylor Wessing
  61. Keeping Data Safe – Sally Annereau, Data Protection Analyst
  62. Data in demand: > Increase in sharing of data > Technological developments > Black market in data > Cultural 'catch-up' required among data users: lack of value attached to data assets; absence of reporting lines and accountability; lack of awareness; lack of oversight; policies often mere 'window dressing'
  63. Data breaches: incident sectors (UK ICO figures for 1 Apr - 30 June 2013). (Chart.)
  64. Regulatory Framework: > Data Protection Act 1998 ('DPA'), Seventh Principle: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" > Other non-DPA-specific rules: FCA rules (effective systems and controls for countering the risk); public sector: Government Security Policy Framework ('SPF')
  65. Why be concerned? > Risk of enforcement action > Risk of being prosecuted (company, directors, secretaries and other officers; individual employee liability) > Risk of fines > Risk of being sued > Costs of managing > Damage to reputation > Risk of devalued assets
  66. Data protection UK: Enforcement in practice. Feb 2011 – Sep 2012, security breaches: 600 'self-notified' security breaches; 99 undertakings; 22 monetary penalties. (Chart: monetary penalties in GBP by month, Feb 2011 to Sep 2012; source: ICO.)
  67. Technical security measures, examples: > Passwords > Firewalls > Anti-virus software > Secure internet payment systems > Encryption > Privacy enhancing technologies
  68. Organisational measures, examples: > Reliability of employees: selection; education; written guidance and procedures; accountability and action; controls on access, physical and systems > Secure storage > Controls on data movement/sharing > Multi-disciplinary approach > Data protection officer > Security policy > Monitoring
  69. Using a data processor: > Definition: 'any person (other than an employee of the data controller) who processes the data on behalf of the data controller' > Examples: insurance company and call centre; company and payroll bureau; group of related companies and the subsidiary responsible for administration of group-wide marketing campaigns; and company and secure data disposal agency
  70. Obligations when outsourcing: > Choose a processor providing guarantees of technical and organisational security measures > Take reasonable steps to ensure compliance with the above: a written agreement under which the processor acts on the controller's instructions and which imposes obligations equivalent to the seventh principle
  71. Checklist for processor selection: > Does the processor have a data protection/information officer? > How secure are the premises? > What business continuity measures are in place? > Does the processor have a written data protection/security policy? > What security standards does the processor adhere to? > Does the processor conduct compliance and adequacy audits? > Have there been any security incidents? > What steps are taken to ensure employee reliability? > What training do employees receive in data protection? > Other considerations: financial status, insurance cover, subcontracting and references?
  72. Security and IT system design: > Need for adequate security measures "both at the time of the design of the processing system and at the time of the processing itself" > Are contractors/developers aware of the implications of the Seventh Principle for system design? > Who is responsible for specifying security requirements? What do the tender documents say about security? What does the contract say about security? > Consider the integrity of internal systems as well as preventing external access (e.g. the use of live data for systems testing)
  73. Notifying breaches – IC guidance: > When to notify: consider the potential harm to affected individuals; the volume of data lost; the sensitivity of the data lost > What to tell the IC's office/affected individuals: what happened; what information was involved; what steps have been/are being taken to mitigate the risks; contact points; self-help steps (in the case of affected individuals)
  74. Anticipating the worst: > Security reporting and escalation processes > Implement a breach management plan. Key stages: containment and recovery; assessing the risks; notification of breaches; evaluate handling and response and implement changes. Identify and list the actions required within each stage; allocate responsibility for each action; identify the response time for each action; train relevant staff and test the plan; publicise the plan
  75. Data transfers – Sally Annereau, Data Protection Analyst
  76. When might a transfer occur? For example... > Employee data to US headquarters > Customer data to a South American call centre > Use of a data bureau in India > Multi-national central CRM database > Supply of customer orders to a Japanese distributor
  77. The Eighth Principle: "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data"
  78. Take a 'bite-sized' approach to the problem (1): > Is personal data involved? > Is the personal data going beyond the European Economic Area ("EEA")*? > Is a transfer taking place? (* The member countries of the European Union together with Norway, Iceland and Liechtenstein.)
  79. Adequate Protection? > Has the European Commission ruled that the destination country is adequate? > Is the transfer to a US business signed up to the Safe Harbour Scheme? > Does an exception to the Eighth Principle apply?
  80. Existing EC adequacy findings*: > Hungary > Switzerland > Canada > Argentina > Guernsey, Jersey or Isle of Man > Faroe Islands > Andorra > Israel > Uruguay > New Zealand (* Details of adequacy decisions can be found at: http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm)
  81. Safe Harbour: > A US self-regulatory scheme > US companies certify to comply with 7 principles > Not all US companies can participate > It is possible to check a public register of members: http://www.export.gov/safeHarbor > Non-compliance actionable by the US Government or affected individuals
  82. Exceptions under the Eighth Principle, including: > The data subject consents to the transfer > The transfer is necessary for the performance of a contract with the data subject(s) > The transfer is necessary to implement pre-contractual measures at the request of the data subject > There is a contract in place based on EU approved terms between the exporter and importer of the data* (* http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm)
  83. Binding Corporate Rules ("BCR"): > Intra-group solution for international transfers > Use of group-wide enforceable data handling policies > Required content for submission of BCR > Supervisory co-operation for the approval process > NOT for the faint hearted!
  84. Presumption of Adequacy? Consider: > the nature of the personal data > the country of origin of the personal data > the country of destination > the purposes of the intended processing > the law/relevant codes in force in the destination country
  85. Practical Considerations: > To what extent do you transfer personal data outside the EEA? > Do you have international subsidiaries? > Consider the potential for transfers down the line and collect data with that possibility in mind > Consider carefully the wording of consent notices and contract terms > Don't underestimate the potential impact of non-compliance
  86. E-marketing and Cookies – Sally Annereau, Data Protection Analyst, Taylor Wessing
  87. E-Marketing and cookies – Sally Annereau, s.annereau@taylorwessing.com
  88. The current law in the UK: > Data Protection Act 1998 > Privacy and Electronic Communications Regulations 2003: came into force on 11 December 2003; do not apply solely to marketing by e-mail or SMS, the rules also cover marketing by telephone, fax and automated calling systems; need to think about this AND the Data Protection Act 1998 > The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011: these come from European Directives; similar (but not exactly the same...) laws throughout Europe
  89. Marketing by e-mail and SMS – the rules (1). Privacy and Electronic Communications Regulations 2003: > No unsolicited e-mail or SMS marketing to individuals unless: the recipient has consented, OR (1) you obtained contact details "in the course of the sale or negotiations for the sale of a product or service"; (2) you are marketing your own similar goods or services to them; AND (3) an opportunity to opt out (free of charge) was given at the point of collection and at the time of each subsequent communication
  90. Marketing by e-mail and SMS – the rules (2): > You cannot disguise yourself, and > You have to provide a valid return path
  91. How do I go about getting consent? > There is no set way of getting it, but the law says that it must be informed, freely given (i.e. revocable) and... > For e-mail or SMS marketing, consent has to be positive, so... "I would like to send you information by e-mail. Please tick this box if you do not want me to do so" (✗) but "I would like to send you information by e-mail. Please tick this box if you are happy for me to do so" (✓); "By submitting this form, you will be indicating your consent to receiving e-mail marketing messages from us unless you have indicated an objection to receiving such messages by ticking the above box" (?) > Don't necessarily need a classic tick-box
  92. Mobile marketing: > "Live"/voice marketing calls: TPS list, every 28 days; CTPS; in-house telephone suppression lists > Text, picture and video mobile marketing is governed by the rules previously discussed
  93. Some tricky areas... > Legal problems: What is "in the course of the sale or negotiations for the sale"? Not simply registering an interest at/visiting a web site. What are "similar" products and services? What would someone reasonably expect? Viral marketing > Technical and marketing problems: How long does consent last? What about pre-existing e-mail or SMS marketing lists? Hw d U fit all info U nd in2 160 krctz?
  94. Automated calls and Fax marketing. Automated calls: > Prior express consent of any recipient required > Where consent is provided, the communication must include: identity of caller; contact address or free phone number. Fax marketing: > Prior consent of individual subscribers required > Corporate subscribers: not if opted out or if registered on the Fax Preference Service register > Where you can legitimately communicate, this must include: identity of caller; contact address or free phone number
  95. Cookies: A piece of information that includes a unique reference code that a website transfers to your device to store and sometimes track information about you. Can be: > First/third party > Session or persistent > 'Flash' or 'super'. And don't forget web beacons/gifs.
  96. Regulation 6 'PECAR': No storage of, or access to, information stored in the terminal equipment of a subscriber or user unless the user or subscriber: a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and b) has given his consent. Exception where storage or access is: > for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or > strictly necessary for the provision of an information society service requested by the user or subscriber
  97. Key considerations: > Move from old law notice and 'opt-out' to notice and consent > Applies to equivalent technologies > No legal distinctions between different types of cookies > Applies to all equipment capable of receiving cookies > Clear and comprehensive information needs to be provided about the purposes of cookies > Limited exceptions
  98. IC Guidance. Initial guidance: no firm view on what kinds of consent will be enough, but: > Browser settings: unlikely to work > Pop-ups and similar techniques? > Terms and conditions? > Settings/feature-led consent? > Functional uses? > Third party cookies? Updated guidance: explicit consent allows for regulatory certainty (and will be the most appropriate way to comply in some circumstances); "this does not mean that implied consent cannot be valid", although it must still be informed.
  99. Other viewpoints: > IAB > Article 29 Working Party > ICC > 'Do Not Track'
  100. Enforcement: > 12 month compliance amnesty (ended 26 May 2012) > Post May 2012: possible action including enforcement notices or fines, subject to an assessment of the impact of the breach on the privacy and other rights of the user. Considerations likely to include: > the intrusiveness of the cookie > is data passed to an organisation the individual would not expect? > will any sensitive data be held in profiles? > is the website being "cavalier" or "tricksy"?
  101. Steps to take (if playing catch-up) (1). 1. Identify: Websites? Types of cookies (or other tools)? Purpose of the cookie? When deployed? Who deploys (first or third party)? Who can read the cookie? How long is the cookie stored? Are profiles of users' browsing activity being created? 2. Assess: Is the cookie necessary to underpin a service requested by the user? What is the impact of the cookie on the user? Session only or persistent? Is a third party tracking the user across this and other websites? Are profiles of browsing activity being created?
  102. Next steps (2). 3. Implement: Is sign-up or registration required to access the website? Do users initiate a function or setting that uses a cookie? Do users need to be alerted on first arriving on the website? Review, enhance and introduce notices and privacy policies. Consider both specific and 'holistic' approaches to solutions.
  103. So what are businesses doing? > Confusion persists over what level of consent is enough > Genuine reluctance to embrace clear consent mechanisms > Yet doing nothing is not an option > Evidence that most UK online businesses have: carried out internal audits; raised the bar on transparency and information; implemented changes to terms and conditions, privacy 'and cookies' policy; applied landing page alerts/actions/notices
  104. Examples
  105. 105. Light box approach
  106. 106. Enhanced privacy policies
  107. 107. Consent in policies & terms? > “When you create or log in to a online account you agree to our privacy and cookies notice. Otherwise, by continuing to use our websites or mobile services you agree to the use of cookies as described in this notice. Please see our cookies notice.” > By using the site you accept this privacy and cookie policy (our “privacy and cookie policy”). If you do not agree with any term in this privacy and cookie policy, please do not use our site or submit any personal data through it. > By clicking the "I Agree" button on the registration form, you agree that you:1. have read the web site terms of your privacy policy; 2. consent to our use of your information in accordance with our privacy policy; 3. consent to the use of cookies as disclosed to you in our cookies policy and; 4. agree to bound by these terms and conditions. If you do not agree, please leave this website now.
  108. 108. Lunch
  109. 109. The proposals for new data protection law Sally Annereau, Data Protection Analyst, Taylor Wessing
  110. 110. Data Protection The Proposed European Data Protection Framework Sally Annereau
  111. 111. Data Protection Laws > Current Landscape > New Horizon > The Reform Journey - Published Proposals, 25 January 2012 - Parliament and Council  First Reading  Second Reading - Entry into Force - Regulation
  112. 112. Proposed new EU framework > Regulation  2014?  2 Year Implementation Period?  2016? > Evolution or revolution?  Upgrade  New > The final picture?  Ambiguity  Delegated Acts  Harmonisation
  113. Territorial Scope > Establishment in the EU > Extended to those who are not in the EU if processing relates to - the offer of goods or services to data subjects within the EU - the monitoring of EU data subjects’ behaviour > Home Authority > Prior Authorisation > Forum Shopping
  114. Definitions: similar base point > Data Subject > Personal Data Breach > Binding Corporate Rules > Sensitive Personal Data
  115. Personal Data Processing Principles > Lawful, fair and transparent > Collected for a specified, explicit and legitimate purpose > Adequate, relevant and limited to the minimum necessary > Accurate and kept up to date > Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes > Ensuring compliance with the provisions of the Regulation
  116. Consent > Burden of proof > Written declarations > Withdrawal of consent > Significant imbalance > Personal data relating to a child
  117. Special/Sensitive Personal Data > Prohibition: - the processing of personal data revealing race or ethnic origin, political opinions, religion or beliefs, trade union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited > Consent > Employment law > Vital interests > Legal > Public interest > Health purposes
  118. Transparency > Transparent and easily accessible policies - processing of personal data - exercise of data subjects’ rights > Intelligible form > Clear and plain language > Adapted to the data subject
  119. Subject Access Requests > Information to be provided to the data subject > Rights of access > Electronic form > Standard forms and procedures > Timings > Fee?
  120. Right to be forgotten > Right to rectification - inaccurate personal data; and - completion of incomplete personal data > Right to be forgotten and a right to erasure where: - no longer necessary to the purpose of collection - the subject has withdrawn their consent - the subject objects - the processing is in breach of the Regulation > Erasure without delay > Restrict processing of disputed data > Commission can specify further rules
  121. Data Portability > Obtaining a copy of data > Format to be supplied > Automated processing > Technical standards, modalities and procedures for transmission
  122. Marketing and Profiling > Right to object to processing - where based on: vital interests, public interest, legitimate interests > Right to object to direct marketing > Rights in relation to measures based on profiling - extended to include health, personal preferences, reliability and behaviour > Consent?
  123. Responsibilities of the Data Controller > Policies and implementation > Documentation > Security obligations > Data protection impact assessment > Prior authorisation > Data Protection Officer > Implement compliance mechanisms and ensure verification > Data protection - by design - by default
  124. Data Processor > Due diligence and sufficient guarantees > Contractual measures required > Documenting the controller’s instructions and the processor’s obligations > Shifting from processor to controller
  125. Data Security > Obligations of the data controller and the data processor > Appropriate technical and organisational measures > Notification of a personal data breach - notify the supervisory authority - within 24 hours - reasoned justification where notification takes longer than 24 hours > Data processor obligations to inform the data controller > Content of the notification > Notifying data subjects
  126. Data Protection Impact Assessment > Controller or Processor? > Trigger points > Considerations within the impact assessment > Data subject liaison > Prior authorisation and prior consultation
  127. Data Protection Officer > Designation of the DPO > Tasks of the DPO > Minimum term > Different to current DPO roles
  128. Data Transfers to Third Countries > General principles > Adequacy decisions > Transfers by way of appropriate safeguards > Binding corporate rules > Derogations
  129. Remedies > Complaint to the supervisory authority > Civil action against - supervisory authority - controller - processor > Right to compensation
  130. Proposed new EU framework: Fines. First tier, €250,000 or 0.5% > Subject access request breaches. Second tier, €500,000 or 1% > Rules on transparency > Rectification > Right to be forgotten > Data subjects’ objections > Compliance (required documentation). Third tier, €1m or 2% > Processes data without a legal basis > International data transfers > Compliance (appropriate internal policies) > Impact assessments > EU representative. Who’s in the firing line? “Anyone who …”
  131. Food for thought > Further standards and delegated acts > Commission reserved power to specify standard forms and procedures, including: - methods to obtain a child’s consent - forms and procedures for access requests and communicating information and data - electronic format of supplied data - technical standards for protection by design or default > Wide Commission powers to adopt delegated acts, including: - specifying lawful processing conditions - specifying sensitive data and how it is safeguarded - the detail of fair processing information to data subjects - additional data controller responsibilities & conditions for audits > Member state safeguards and rules
  132. Food for thought > Compliance benchmark must be raised - DPO - documentation - evidential trail - may be published > Vendor management processes must change - due diligence - contracts - liability
  133. Data protection compliance and marketing: getting the right balance. Penny Champion, Data Protection Manager, NSPCC
  134. Data protection compliance workshop, 23 October 2013 - DMA. Data protection compliance and marketing - getting the right balance: some practical challenges for charities. Penny Champion, Data Protection Manager, penny.champion@nspcc.org.uk, www.NSPCC.org.uk
  135. Why direct marketing matters to charities. At the NSPCC in the year 2012-2013 (source: Annual Reports and Accounts): regular and one-off donations income of £110.7m - that was 85.6% of our income. Letter from Santa alone raised £1.8m
  136. Contexts for charities: the marketing environment (1) - Supporter data not always in one database - Often goes back decades, reflecting supporter loyalty, but data quality and currency may be uncertain - Donors from all sectors of society – from individual giving at £2 a month all the way up to wealthy individuals and large corporates - Participation in events – fundraising balls, sponsored walks, bike rides, ascent of the Gherkin, HACK walks - Participation in externally organised events – London Marathon, Belfast Marathon - Legacies. Supporter relationship management can be challenging!
  137. Contexts for charities: the marketing environment (2) - Supporters are respected and valued - Aim is to have sustainable relationships with all sectors of donors - Data protection and privacy law and regulation really matters when it comes to successful donor recruitment and retention - Cost of fundraising across different channels: telephone tends to be more effective – people respond to the human voice; email is a very cost effective way of communicating; but you need the right consents in place! - What do supporters think they’ve agreed to by way of direct marketing communications?
  138. Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’. The scenarios are fictitious but could come up at any major UK charity. You are responsible for advising the Director of Fundraising what to do in the following circumstances: 1. Bringing gift aid declarations up to date 2. A local committee decides to run a Christmas Fair to raise funds for National Charity 3. A major corporate supporter – BigTelCo – is supporting a Big Run. The runners are its staff, their families, and friends. The CEO wants to email all entrants to say ‘thank you’ 4. TV advert – Text CHILD2013 to donate £4. You’d like to phone donors later and see if you can convert them to regular givers
  139. Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’, 1 of 4. Bringing gift aid declarations up to date – repairing defective data o There’s been a major review and clean up of Gift Aid declarations for existing supporters o For some of the older ones, the original declaration can’t be found, or there is a technical problem, e.g. no forename initial is held. As a result you have had to mark the donations as ‘No Gift Aid’ and cannot claim back from HMRC o Can we telephone or email these supporters to ask if they can give a new Gift Aid declaration? The scenario is fictitious but could come up at any major UK charity
  140. Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’, 2 of 4. A local committee decides to run a Christmas Fair to raise funds for National Charity o They want a website – how can that best be managed? (cookies compliance, privacy notices, who is the data controller anyway?) o Committee members want to email their personal contacts – local businesses and their friends – to generate interest from potential stallholders. So do the PEC Regs apply? The scenario is fictitious but could come up at any major UK charity
  141. Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’, 3 of 4. A major corporate supporter – BigTelCo – is supporting a Big Run. o National Charity is BigTelCo’s charity of the year. There’s going to be a BigTelCo Run. It’s been promoted to staff on the company’s intranet – they are encouraged to get family and friends to enter. o Entry is online – a special webpage set up by National Charity – and over 400 people have signed up. National Charity is the data controller for their personal data. o The CEO is thrilled – she decides she wants to email all entrants after the Run to say thank you from BigTelCo. But National Charity did not tell entrants that their email addresses would be passed to BigTelCo. What are the options and risks? The scenario is fictitious but could come up at any major UK charity
  142. Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’, 4 of 4. TV advert – Text CHILD2013 to donate £4. You’d like to phone donors later and see if you can convert them to regular givers o CAP Code compliance is OK - the advert complies with the standards for what is displayed on screen and how many seconds it’s up there. People are told how much of the £4 the charity gets and National Charity (registered number, website address) is shown. o Donors get a ‘thank you’ text from National Charity. It includes a link to the Gift Aid declaration webpage. We want to phone donors to see if we can convert them to regular givers. Can we give them the telephone opt-out opportunity in the thank-you text? The scenario is fictitious but could come up at any major UK charity
  143. Conclusions – not always easy answers - Quality of data gives rise to problems. Is the Gift Aid approach administrative or direct marketing in purpose? How will the supporters perceive it? - Who’s the data controller? Volunteers doing their own thing may well be fine, but how can National Charity manage the privacy compliance risks to itself? - Privacy statements – retro-fitting consents to disclose is hard. Is the CEO thank-you direct marketing? Will the BigTelCo Run entrants object? - Unless you obliterate the ad with ‘small print’ you’re going to have to find another way to deliver the telephone opt-out. What’s fair and best for the donors? The scenarios are fictitious but could come up at any major UK charity
  144. And finally … - Look out for companies who claim to offer a marketing blocking service to consumers (Opt Out UK Ltd, Data Protection House). You (probably) do not have to agree to their demands. Talk to the DMA. - Wider privacy issues – it’s not just about supporters: use of ‘real life stories’ in marketing materials; personal data in the charity’s Facebook page or other social media. Your thoughts and questions? Penny Champion, Data Protection Manager, penny.champion@nspcc.org.uk
  145. Practical session & feedback. Sally Annereau, Data Protection Analyst, Taylor Wessing
  146. Refreshment break
  147. Privacy statements. Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
  148. Be Aware. The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd., nor by Charity Confidential. Neither makes any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.
  149. The Ever Willing Customer? - ‘The key to modern direct marketing is the capture of individual customer details at the first sale, so that the marketer can begin a relationship with the customer’ Tapp (1998) Principles of Direct & Database Marketing
  150. Trust Me, It’s The 121 World Now - ‘Trust is more important than it ever was before. If you violate it, you will be outed’ Peppers (2008) IDM Insights
  151. Lack of Privacy Control - Control over the personal information held - Control over personalised marketing - Control over data accuracy. Evans, O’Malley & Patterson (2004) Exploring Direct and Customer Relationship Marketing
  152. Privacy Statement Checklist - How easy is it to find – online/offline? - Is it true? - Does it make sense? - How does it cover marketing contact? - What else is desirable? - Is it future-proofed? - Does it reassure – inspire trust & confidence?
  153. Real Voices - ‘What if I don’t tick the terms & conditions. Do they still have my details? I don’t know how it works?’ (Jess aged 22) - ‘I always think that’s just legal stuff they have to put in, even if they don’t want to’. (Marcos aged 25)
  154. More Voices - ‘If it’s short they could get out of any little situation, there’s no way they’ve covered everything’ (Mollie aged 23) - ‘The longer they are the more suspicious I am’ (John aged 56) - ‘I think it’s a load of blurb really’ (Judy aged 42)
  155. Frequency of Reading Privacy Policies - 45% claim never to read - 28% rarely read - 18% sometimes read - 5% always read. Source: Sophie Warren, BA International Marketing Student, Bournemouth University, January 2009
  156. Don’t Tell People The Obvious - Something a reasonable person would anticipate and agree to if asked - Necessary to carry out the transaction requested - Has no unforeseen consequences
  157. Sharing Information - No unjustified adverse effects - Within the same group – provide back up details if asked - When the sharing is unexpected
  158. Saying what you mean, and playing fair - ‘From time to time we may wish to contact you with further information about our products and those of other carefully selected companies we think may be of interest to you. Please write to xxxxxx if you do not wish this to happen’
  159. Let’s Get Personal: shelfline@btinternet.com
  160. Test. Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy
  161. Close