
GDPR Briefing for marketers


Presented by Tim Roe of Redeye covering compliance requirements including consent, legitimate interests, profiling and privacy policies.

Published in: Business


  1. Actionable GDPR Advice from the experts What does the GDPR mean for marketing? #DigitalPriorities Digital Marketing Priorities 2018 brought to you by
  2. Recommended Smart Insights toolkit update Search ‘GDPR briefing’
  3. One month to go!
  4. Agenda What is personal data and special categories of data? What are the lawful bases for marketing? Consent, what it is and what it isn’t PECR Legitimate Interest and why not? Balancing tests and Privacy Impact assessments Profiling B2B The good bits about GDPR
  5. About the speaker and partner • Tim Roe • Compliance Director for RedEye • British Computer Society Certified Data Protection Practitioner • Chair of the Direct Marketing Association’s GDPR taskforce
  6. - Not legal advice - Broad based practitioner guidance, drawn from ICO publications, DMA guidance and the WP29 guidance - Best advice, be cautious, document your decisions and cite your references - It will be unlikely that you will be caught out by genuinely trying to do the right thing
  7. Before we start… housekeeping A recording for the webinar will be sent via Email. Slides will be available via Smart Insights Slideshare Please get involved with the interactions: - Do ask questions at any point via the Questions panel
  8. What data does the GDPR cover? What is personal data? What are special categories of data?
  9. What is personal data? Personal data is "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier" ICO Name Email Address ID numbers Cookies IP addresses Profile information Segments they belong to
  10. Special Categories of data • Race; • Ethnic origin; • Politics; • Religion; • Trade union membership; • Genetics; • Biometrics; • Health; • Sex life; or Sexual orientation. Special Category data is more sensitive, and so needs more protection. Processing Special Categories of Data is generally Prohibited
  11. Lawful basis, you need one To process personal data under GDPR, you require a legal basis: - Consent - To perform a contract - Legal compliance - Protection of vital interests of a person - Public interest or official authority - Legitimate Interest
  12. Consent for GDPR What is consent? What does valid consent need? What if consent is too difficult? GDPR not e-Privacy
  13. It’s all about consent!
  14. What is consent? “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” ICO - “The GDPR sets a high standard for consent.”
  15. What does valid consent need? Consent is not just a tick box: To be informed, enough information must be made available at the time. Segmentation, channels, tracking, profiling. It’s got to be specific enough to be valid.
  16. What if consent is too difficult to achieve? “Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.” The ICO
  17. GDPR not e-Privacy (PECR) GDPR is not about permission to send electronic marketing (that’s another law)! Just because you’ve got a tick box for electronic marketing, doesn’t make you GDPR ready. Electronic marketing needs to be compliant with GDPR and Privacy and Electronic Communication Regulations
  18. Do I need to reconsent my database? WP259 page 30 states: “If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However this is a one off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another.” There may be no need to reconsent your database if there is no requirement for consent to that processing under GDPR.
  19. Does electronic marketing need consent? Maybe not: If the contact details meet these requirements: - Gathered during the process of a sale or in the context of a sale - The marketing relates to similar goods or services - The individual was given the opportunity to opt out at the time - The individual has been given the opportunity to opt out since
  20. Can I use another lawful basis? Privacy Impact Assessments Legitimate Interest The Balancing Test Using Legitimate Interest
  21. Privacy Impact Assessments Once a detailed audit of your marketing data processing is undertaken. Privacy Impact Assessments are undertaken on the processing to determine the privacy risks to individuals. Justifications must be documented. Decisions relating to the most appropriate lawful basis, can only be made:
  22. Legitimate Interests Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Rec 47
  23. Balancing tests Marketing is a legitimate interest of the data controller, but: Is the processing necessary for the direct marketing? Is any third party processing necessary for the purpose of direct marketing? Is there another way of achieving your legitimate interest? Would the individual reasonably expect this processing?
  24. Balancing tests Is the processing relevant to your relationship with the individual? Are you processing the minimum personal data required to meet your needs? Is this processing likely to harm or disadvantage the individual (what type of marketing are you doing??!!!)? Watch out for processing that leads to special categories of data
  25. Using legitimate interest This right to object must be explicitly stated, prominently displayed and easy to exercise Ensure you have a valid reason to process an individual’s personal data using your legal legitimate interests Collect the minimum data necessary and delete records after use “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Rec 47
  26. The privacy notice Explain why you need an individual’s personal data Use a layered privacy notice/policy Make it easy for people to understand
  27. Profiling The text of the regulation refers to profiling in Article 4(4) as: “…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
  28. Profiling Example An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested in.
  29. Personal data in profiling The scope of personal data is now much wider: 47 Internet search and browsing history Existing customer relationships and buying habits Credit cards, store cards and other transactions Credit scoring Consumer complaints or enquiries Location and lifestyle habits Social media Property ownership
  30. Special categories of data Profiling can infer special categories of data. For example, profiling food consumption or musical tastes might lead to the inference of ethnic origin or religion. If you infer special categories of data, the profiling may be prohibited without explicit consent.
  31. How can profiling be a legitimate interest? Article 6(1) (f) – necessary for the legitimate interests pursued by the controller or by a third party Profiling is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. However, Article 6(1) (f) does not automatically apply just because the controller has a legitimate interest. The balancing test still needs to be undertaken.
  32. How can profiling have a significant effect? Profiling can make ads more effective For example, if individuals believe that they receive advertising as a result of their online behaviour, an advert for diet products and gym membership might spur them on to join an exercise class and improve their fitness levels. Conversely it may make them feel that they are unhealthy or need to lose weight. This could potentially lead to feelings of low self-esteem. Ohio State University found that behaviourally targeted adverts can have psychological consequences and affect individuals’ self-perception.
  33. What is the impact of B2B? has been personal data since 1998 GDPR covers personal data GDPR does not differentiate between B2B and B2C A business needs a legal basis to process personal data It could be either Legitimate Interest or Consent.
  34. How does a B2B business use legitimate interest? To qualify to use LI, you must undertake the same Impact Assessment as B2C When the data is captured, you must prominently inform about direct marketing not hide it in T’s and C’s People must be told they can object and shown how to do it If you obtain personal data from a third party, you must contact within 30 days and tell them you are processing the data and they can object Remember, PECR is still not relevant for B2B
  35. Is it all doom and gloom?
  36. The great bits about GDPR! GDPR gives rights and protections to individuals 1. It is a positive step for people 2. We are all people! The GDPR is an opportunity to build trust: 1. Transparency will build trust 2. Transparency and trust could become a key differentiator in business relationships 3. More powerful even than “targeted campaigns and lifecycle marketing”
  37. More great bits about GDPR Transparency and control 1. On the first contact and data exchange 2. And ongoing control of the data the individual is sharing. GDPR could educate people in their information rights 1. People become less tolerant of bad practice 2. More aware of organisations’ efforts to “do the right thing”
  38. In conclusion It’s not all doom and gloom Marketers face some challenges in GDPR There is lots of advice from the ICO, DMA, DPN The first step is the marketing data audit. If you haven’t started yet, start one tomorrow.
  39. Thank you for listening! Please ask questions via the Questions tab