GDPR Briefing for marketers
1. Actionable GDPR Advice from the experts
What does the GDPR mean for marketing?
#DigitalPriorities Digital Marketing Priorities 2018 brought to you by
4. Agenda
What is personal data and special categories of data?
What are the lawful bases for marketing?
Consent, what it is and what it isn’t
PECR
Legitimate Interest and why not?
Balancing tests and Privacy Impact assessments
Profiling
B2B
The good bits about GDPR
5. About the speaker and partner
• Tim Roe
• Compliance Director for RedEye
• British Computer Society Certified Data Protection Practitioner
• Chair of the Direct Marketing Association's GDPR taskforce
6. - Not legal advice
- Broad based practitioner guidance, drawn from ICO publications,
DMA guidance and the WP29 guidance
- Best advice, be cautious, document your decisions and cite your
references
- It will be unlikely that you will be caught out by genuinely trying
to do the right thing
7. Before we start… housekeeping
A recording of the webinar will be sent via email.
Slides will be available via Smart Insights Slideshare.
Please get involved with the interactions:
- Do ask questions at any point via the Questions panel
8. What data does the GDPR cover?
What is personal data?
What are special categories of data?
9. What is personal data?
Personal data is "any information
relating to an identifiable person
who can be directly or indirectly
identified in particular by reference
to an identifier" ICO
Name
Email Address
ID numbers
Cookies
IP addresses
Profile information
Segments they belong to
10. Special Categories of data
• Race;
• Ethnic origin;
• Politics;
• Religion;
• Trade union membership;
• Genetics;
• Biometrics
• Health;
• Sex life; or Sexual orientation.
Special Category data is more sensitive,
and so needs more protection.
Processing Special Categories
of Data is generally Prohibited
11. Lawful basis, you need one
To process personal data under GDPR, you
require a legal basis:
- Consent
- To perform a contract
- Legal compliance
- Protection of vital interests of a person
- Public interest or official authority
- Legitimate Interest
12. Consent for GDPR
What is consent?
What does valid consent need?
What if consent is too difficult?
GDPR not e-Privacy
14. What is consent?
“any freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement
to the processing of personal data relating to him or her”
ICO - “The GDPR sets a high standard for consent.”
15. What does valid consent need?
Consent is not just a tick box:
To be informed, enough information must be made available at the time: segmentation, channels, tracking, profiling.
It's got to be specific enough to be valid.
16. What if consent is too difficult to achieve?
“Remember – you don’t always need consent. If
consent is too difficult, look at whether another lawful
basis is more appropriate.” The ICO
17. GDPR not e-Privacy (PECR)
GDPR is not about permission
to send electronic marketing
(that’s another law)!
Just because you’ve got a tick box for
electronic marketing, doesn’t make
you GDPR ready.
Electronic marketing needs
to be compliant with GDPR
and Privacy and Electronic
Communication Regulations
18. Do I need to reconsent my database?
WP259, page 30, states:
“If a controller finds that the consent
previously obtained under the old legislation
will not meet the standard of GDPR consent,
then controllers must assess whether the
processing may be based on a different lawful
basis, taking into account the conditions set by
the GDPR. However this is a one off situation
as controllers are moving from applying the
Directive to applying the GDPR. Under the
GDPR, it is not possible to swap between one
lawful basis and another.”
There may be no need to reconsent your database if there is no requirement for consent to that processing under GDPR.
19. Does electronic marketing need consent?
Maybe not. Under the PECR soft opt-in, consent is not needed if the contact details meet these requirements:
- Gathered during the process of a sale or in the context of a sale
- The marketing relates to similar goods or services
- The individual was given the opportunity to opt out at the time
- The individual has been given the opportunity to opt out since
20. Can I use another lawful basis?
Privacy Impact Assessments
Legitimate Interest
The Balancing Test
Using Legitimate Interest
21. Privacy Impact Assessments
Decisions relating to the most appropriate lawful basis can only be made once a detailed audit of your marketing data processing has been undertaken.
Privacy Impact Assessments are then undertaken on the processing to determine the privacy risks to individuals.
Justifications must be documented.
22. Legitimate Interests
Necessary for the purposes of legitimate interests pursued by the
controller or a third party, except where such interests are overridden by
the interests, rights or freedoms of the data subject
“the processing of personal data for direct marketing purposes may be
regarded as carried out for a legitimate interest.”
Rec 47
23. Balancing tests
Marketing is a legitimate interest of the data
controller, but:
Is the processing necessary for the direct marketing?
Is any third party processing necessary for the purpose
of direct marketing?
Is there another way of achieving your legitimate interest?
Would the individual reasonably expect this
processing?
24. Balancing tests
Is the processing relevant to your relationship with
the individual?
Are you processing the minimum personal data
required to meet your needs?
Is this processing likely to harm or disadvantage the individual (what type of marketing are you doing?)?
Watch out for processing that leads to special
categories of data
25. Using legitimate interest
Ensure you have a valid reason to process an individual's personal data under legitimate interests.
The right to object must be explicitly stated, prominently displayed and easy to exercise.
Collect the minimum data necessary and delete records after use.
“The processing of personal data for direct marketing purposes
may be regarded as carried out for a legitimate interest.”
Rec 47
26. The privacy notice
Explain why you need an individual’s personal
data
Use a layered privacy notice/policy
Make it easy for people to understand
27. Profiling
The text of the regulation refers to profiling in
Article 4(4) as:
“…any form of automated processing of
personal data consisting of the use of personal
data to evaluate certain personal aspects
relating to a natural person, in particular to
analyse or predict aspects concerning that
natural person’s performance at work,
economic situation, health, personal
preferences, interests, reliability, behaviour,
location or movements.”
28. Profiling Example
An airline studies the behaviour of its online
customers. It examines what they search for,
look at and how much time they spend
considering each destination. This data will
be combined with the location and route the
customer is most likely to use based on their
previous flight history. The profile will then
be used to serve the customer with a
marketing communication that highlights
the destination and route they are most
likely to be interested in.
29. Personal data in profiling
The scope of personal data in a profile is now much wider:
- Internet search and browsing history
- Existing customer relationships and buying habits
- Credit cards, store cards and other transactions
- Credit scoring
- Consumer complaints or enquiries
- Location and lifestyle habits
- Social media
- Property ownership
30. Special categories of data
Profiling can infer special categories of data.
For example, profiling food consumption or musical tastes might lead to an inference of ethnic origin or religion.
If you infer special categories of data, the profiling may be
prohibited without explicit consent.
31. How can profiling be a legitimate interest?
Article 6(1)(f): processing necessary for the legitimate interests pursued by the controller or by a third party. Profiling is allowed if it is necessary for the purposes of those legitimate interests.
However, Article 6(1) (f) does not automatically apply just
because the controller has a legitimate interest.
The balancing test still needs to be undertaken.
32. How can profiling have a significant effect?
Profiling can make ads more effective
For example, if individuals believe that they
receive advertising as a result of their online
behaviour, an advert for diet products and
gym membership might spur them on to join
an exercise class and improve their fitness
levels. Conversely it may make them feel that
they are unhealthy or need to lose weight. This
could potentially lead to feelings of low self-
esteem.
Ohio State University found that
behaviourally targeted adverts can
have psychological consequences and
affect individuals’ self-perception.
33. What is the impact of B2B?
tim.roe@redeye.com has been personal data since 1998
GDPR covers personal data
GDPR does not differentiate between B2B and B2C
A business needs a legal basis to process personal data
It could be either Legitimate Interest or Consent
34. How does a B2B business use legitimate interest?
To qualify to use LI, you must undertake the same Impact Assessment as B2C
When the data is captured, you must prominently inform about direct marketing, not hide it in Ts and Cs
People must be told they can object and shown how to do it
If you obtain personal data from a third party, you must tell the individuals at the latest within one month (Article 14(3)) that you are processing their data and that they can object
Remember, the PECR consent rule for marketing email and SMS applies to individual subscribers, so it does not cover corporate subscribers; sole traders and some partnerships still count as individual subscribers
36. The great bits about GDPR!
GDPR gives rights and protections to individuals
1. It is a positive step for people
2. We are all people!
The GDPR is an opportunity to build trust:
1. Transparency will build trust
2. Transparency and trust could become a key differentiator in business
relationships
3. More powerful even than “targeted campaigns and lifecycle
marketing”
37. More great bits about GDPR
Transparency and control
1. On the first contact and data exchange
2. And ongoing control of the data the
individual is sharing.
GDPR could educate people in their
information rights
1. People become less tolerant of bad practice
2. More aware of organisations' efforts to “do the
right thing”
38. In conclusion
It’s not all doom and gloom
Marketers face some challenges in GDPR
There is lots of advice from the ICO, DMA, DPN
The first step is the marketing data audit. If you haven’t
started yet, start one tomorrow.
39. Thank you for listening!
Please ask questions via the
Questions tab
Editor's Notes
Regulation has been law for almost 2 years
Loads of time to prepare
Christopher Graham: if you are doing all you need to under the Data Protection Act 1998 (DP98), you don't have far to go to be GDPR ready
Loads of advice out there, not all good
Involved in data protection and e-privacy since 2010
Not legal advice
Broad based practitioner guidance, drawn from ICO publications, DMA guidance and the WP29 guidance.
Best advice, be cautious, document your decisions and cite your references.
It will be unlikely that you will be caught out by genuinely trying to do the right thing
Data protection is a complex subject
Absence of case law on GDPR makes giving advice difficult
Knowledge of the subject requires a great deal of reading and study and input from industry organisations and the regulator
Lots of authoritative advice from the ICO, WP29, DMA
GDPR is quite specific about what personal data actually is.
The scope has broadened considerably
Personal data is "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier" ICO
The scope of personal data is broad and will adapt to include new types of personal data collected or created
Location data is personal data
Name
Email Address
ID numbers
Cookies
IP addresses
Profile information
Segments they belong to
“Special categories” of data have replaced “sensitive personal data”
Special category data is more sensitive, and so needs more protection. Processing Special Categories of Data is generally Prohibited
Race;
Ethnic origin;
Politics;
Religion;
Trade union membership;
Genetics;
Biometrics
Health;
Sex life; or Sexual orientation.
Important to ensure that this is not being processed inadvertently
Can be processed for marketing with explicit consent (Article 9(2)(a))
You need to have a legal basis for processing personal or special categories of data
To process personal data under GDPR, you require a legal basis:
Consent
To perform a contract
Legal compliance
Protection of vital interests of a person
Public interest or official authority
Legitimate Interest
Each legal basis has certain qualifying criteria
For marketing, the two most appropriate bases are Consent or Legitimate Interest
You must have a legal basis for the processing to be a lawful one. It also needs to be documented
Lets talk about consent for marketing first
What is consent
What does valid consent need
What if consent is too difficult?
And what about e-privacy, and why GDPR has led many businesses to reconsent under a different law
Let's face it, it's all about consent at the moment
Presentations, emails, webinars
Consent seems to be the most popular answer to most questions on GDPR
Sometimes it is appropriate, sometimes it is not
So, what is consent?
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The ICO states that the GDPR has set a high standard for consent.
You have to ensure that your consent is valid if challenged and you need to be able to prove it
What is valid consent?
To be informed, enough information must be made available at the time
This can be in a layered privacy policy, but enough information must be available clearly at the time to be considered to be informed.
Detail can go into lower layers, but not the key points
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge and build trust and engagement
Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Explicit consent requires a very clear and specific statement of consent.
Keep your consent requests separate from other terms and conditions.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Name any third party controllers who will rely on the consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
If changes are made to your processing activities, you might need new consent
You should also avoid making consent a precondition of a service, such as brochure downloads.
The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
Look for another basis that works.
The impact of choosing the wrong basis could be:
1/ The loss of up to 80% of the marketing database in reconsenting campaigns
2/ Consent that is so hard to obtain properly that what you collect is invalid, because it is not informed enough or specific enough
And remember, GDPR is not the Privacy and Electronic Communications Regulations
GDPR is not about permission to send electronic marketing.
Electronic marketing needs to be compliant with GDPR and Privacy and Electronic Communication Regulations.
Segmentation, profiling and targeting are not strictly necessary to send email marketing, SMS or social campaigns, so a PECR marketing permission does not cover them.
You need a separate legal basis for that processing under GDPR.
Just because you’ve got a tick box for electronic marketing, doesn’t make you GDPR ready.
Many brands have undertaken re-consenting campaigns, which will get them great consent to send email.
Do you really need to reconsent your database?
There may be no need to reconsent your database if there is no requirement for consent to that processing under GDPR.
WP259, page 30, states:
“If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However this is a one off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another.”
So the answer might be that you don’t need to reconsent your database
Maybe not:
If the contact details meet these requirements:
- Gathered during the process of a sale or in the context of a sale or in the process of negotiation for goods or services
- The marketing relates to similar goods or services
- The individual was given the opportunity to opt out at the time
- The individual has been given the opportunity to opt out since.
Can you use another lawful basis?
How can you decide, and what do you need to document to make your decisions valid?
So now, let's talk about privacy impact assessments, balancing tests and how legitimate interest can be used
Decisions relating to the most appropriate lawful basis, should only be made once a detailed audit of your marketing data processing is undertaken.
Check the different processing that you are doing for marketing
Are you collecting more data than is necessary for the marketing that you are doing?
What profiling do you do?
Do you use social media?
Once you have this information, you will be able to undertake a privacy impact assessment on the processing
Privacy Impact Assessments are undertaken on the processing to determine the privacy risks to individuals.
The process of the assessment should be documented and show how you have come to your decisions.
Justifications must be documented.
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
“the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Rec 47
This isn’t an automatic legal basis for processing marketing data
You need to undertake a balancing test where you will balance the impact of processing you are doing, against the rights and freedoms of the individual.
Marketing is a legitimate interest of the data controller, but:
Is the processing necessary for the direct marketing?
Is any third party processing necessary for the purpose of direct marketing?
Is there another way of achieving your legitimate interest?
Would the individual reasonably expect this processing?
Is the processing relevant to your relationship with the individual?
Are you processing the minimum personal data required to meet your needs?
Is this processing likely to harm or disadvantage the individual (what type of marketing are you doing?)
Watch out for processing that leads to special categories of data
This right to object must be explicitly stated, prominently displayed and it’s easy to exercise that right
Collect the minimum data necessary and delete records after use
Ensure you have a valid reason to process an individual's personal data under legitimate interests
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Rec 47
Explain why you need an individual’s personal data
You’ve done the audit, you now know what processing you are doing.
Explain what data you hold about people
Why do you hold PI?
Where do you get PI from, for example social media?
What profiling is done on the PI, and what is the purpose of the profiling?
Use a layered privacy notice/policy
Make it easy for people to understand
What is profiling?
“…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
For marketing, the key words are personal preferences, interests, behaviour, and location.
Depending on the context, profiling can also be quite intrusive if it includes online tracking.
Here is a typical example of profiling, used to make the content of marketing and some web pages as relevant as possible to the recipient:
An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested in.
As soon as we start to profile, we are creating new personal data that relates to the individual. This “profile” could include data from many sources
Website search and browsing history
Customer relationships and buying habits
Credit card, store card and transactional history
Credit scoring
Complaints, feedback or enquiries
Location
Lifestyle habits
Social media
Property ownership
Profiling can trip you up
Profiling can sometimes infer special categories of data
For example, profiling food consumption or musical tastes might lead to an inference of ethnic origin or religion.
If you infer special categories of data, the profiling may be prohibited without explicit consent.
This is why it is important to undertake a privacy impact assessment whenever a new processing activity is introduced
If privacy risks are identified, you can mitigate those risks by changing the process, or using a more appropriate legal basis, such as explicit consent
It's possible that much of the profiling that is done for marketing can be undertaken using legitimate interest.
This is because it is unlikely to produce a legal or similarly significant effect on the individual.
The article 29 working party says:
Article 6(1)(f): processing necessary for the legitimate interests pursued by the controller or by a third party. Profiling is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. However, Article 6(1)(f) does not automatically apply just because the controller has a legitimate interest.
The balancing test still needs to be undertaken
It's also possible for the profiling to stray into the realms of having a significant effect.
The ICO has cited some research that shows it is possible for harm or a significant effect to be caused by profiling.
Ohio State University found that behaviourally targeted adverts can have psychological consequences and affect individuals’ self-perception.
For example, if individuals believe that they receive advertising as a result of their online behaviour, an advert for diet products and gym membership might spur them on to join an exercise class and improve their fitness levels. Conversely it may make them feel that they are unhealthy or need to lose weight. This could potentially lead to feelings of low self-esteem.
Profiling can make ads more effective and have a greater impact on the individual. This was one of the key concerns about the issues with Cambridge Analytica’s use of Facebook data, where the hidden profiling has allegedly been used to influence voting preferences.
GDPR will impact on B2B processing of personal data, tim.roe@redeye.com has been personal data since 1998.
All businesses, B2B or B2C will need to choose the most appropriate legal basis for their processing
If it's marketing-related, it is likely to be either Legitimate Interest or Consent.
What are the main differences between what happens now and GDPR?
B2B will still need to use the Privacy Impact Assessment to see if the data processing is LI
Context will be very important in the assessment. Where did you get the data, was the data made available by the data subject for the purpose you are using it for?
Whenever personal data is captured, that is going to be used for marketing, you must prominently inform the data subject that you will be using the data in this way and telling them they can object.
If you are obtaining the data from a third party, you must contact the data subjects at the latest within one month (Article 14(3)) to tell them you have their data and that they can object if they wish.
B2B electronic marketing (email, SMS, social) to corporate subscribers is not caught by the PECR consent rule (sole traders and some partnerships count as individual subscribers and are caught), but there is a chance that under the new e-privacy regulation it will apply the same as B2C. That means consent.
Is this the end to all the fun we’ve been having in marketing?
Is it doom and gloom now?
Is the Data Protection Officer also the Sales Prevention Officer?
Let's take a look at some great bits about GDPR!
GDPR gives rights and protections to individuals
1) It is a positive step for people:
The law has been created to protect people and ensure that our technology and developments, serve mankind and not harm it
2) We are all people:
So we should be happy about this law, it is protecting us!
The GDPR is an opportunity to build trust
1) Transparency will build trust
The GDPR demands that firms become more transparent in their dealings with people's personal data.
2) Transparency and trust could become a key differentiator in business relationships
Transparency will become a key element used to build relationships with our customers. It will become another trust building opportunity, people prefer to deal with brands they trust
3) More powerful than “targeted campaigns and lifecycle marketing”.
In building real one to one relationships with your customer, could the GDPR actually become the driver behind a different type of customer centric marketing strategy?
Transparency and control
1) On the first contact and data exchange
GDPR compliance will help break down the concern with exchanging data with brands, more customers willing to open accounts rather than using the guest checkout.
2) And ongoing control of the data the individual is sharing.
Allowing the individual ongoing control over their data, should be more likely to instil confidence and foster long term customer relationships
GDPR could educate people in their information rights
1) People become less tolerant of bad practice
Businesses that do not demonstrate proper compliance with GDPR will lose the trust of customers and find it harder to turn prospects into customers.
2) More aware of organisations' efforts to “do the right thing”
Customers will start to “look” for the pointers of compliance, transparent statements at point of data capture, banners relating to tracking cookies.
Overall, GDPR should be seen as an opportunity for business and an opportunity to build stronger and more profitable relationships with their customers.
It's not all doom and gloom
Marketers face some challenges in GDPR
There is lots of advice from the ICO, DMA, DPN
Take off the marketing hat, how would your customers feel about what you are doing?
If you are doing something that your customers might not expect or like, you are probably doing something wrong
The first step is the data audit, if you haven’t started yet, start one tomorrow.