DELIVERING
MARKETING
OPERATIONS
EXCELLENCE
WELCOME TO OUR GDPR BOOTCAMP FOR MARKETERS
In collaboration with
@CRMTechnologies
#GDPRBootcamp
The Warm Up: What Marketers need to know about GDPR
Sarah Williamson, Partner
Boyes Turner LLP
Content
• GDPR Outline
• Consent
• Legitimate Interests
• Privacy Notices
• Profiling
• Expanded data subject rights
• Accountability and Governance
• Data Processors
• e-privacy Regulation
• Implications of getting it wrong
What is the General Data Protection Regulation?
• Game changer!
• Regulation = directly effective
• In force from 25 May 2018
• “One stop shop”
• Expanded territorial reach
Overview of GDPR
• Did you know GDPR WILL affect your sales and marketing?
– Holding information about customers, suppliers, clients or website users
– Advertising and marketing
– Asking people to subscribe/unsubscribe to your website and marketing material
“New” Principles
• Principle 1 – Lawfulness, fairness and transparency
• Principle 2 – Purpose limitation
• Principle 3 – Data minimisation
• Principle 4 – Accuracy
• Principle 5 – Data Retention
• Principle 6 – Security
ACCOUNTABILITY
Lawfulness of Processing
• Consent
• Necessary for performance of a contract
• Necessary for compliance with a legal obligation
• Necessary in order to protect vital interests
• Necessary for performance of a task carried out in the public interest
• Necessary for the purposes of legitimate interests of controller
Consent
• Consent must be…
– Freely given
– Specific and informed
– Unambiguous
• Consent can be withdrawn
Consent Guidance
• ICO’s GDPR Consent Guidance
- Positive opt-in
- Specific and Granular
- Unbundled
- Documented
- Easy to withdraw
- Named third parties
- Consider other lawful bases
Challenges to Consent
• ‘Personal Data’ wider scope
• Opt-out consent
• Buying third party data
• Privacy notices
• Legacy data
Legitimate Interests
“except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
Data Protection Network Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation
– Legitimate Interests Assessment
– Consent v Legitimate Interests
Privacy Notices
Enhanced, Fair, Transparent, Concise, Intelligible
Tackling Privacy Notices
1. Include information set out in Articles 13 or 14 (as appropriate).
2. Layering
3. Additional Notices
4. Avoid jargon
5. Consider using icons
Profiling
To “analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Data Subject Rights to…
• Information
• Access
• Rectification
• Object to direct marketing
• Restrict processing
• Data portability
• Erasure – “the right to be forgotten”
Accountability and Governance
1. Privacy by Design and Default
2. Privacy Impact Assessments
3. Data Protection Officers
4. Record Keeping
Data Processors
• Direct obligations
• Record keeping
• Security
• Breach Notification
• Data Protection Officer
• Transfers to third countries
• Claims and sanctions
• Controller to processor contracts
Choosing a Processor
Controllers can only use processors … “providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects.”
e-Privacy
• Applies to entities anywhere in the world who provide publicly-available ‘Electronic Communications Services’ to or gather data from the devices of users in the EU
• Affects marketers in the use of direct marketing and the use of cookies
Honda & Flybe
"Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law."
- Steve Eckersley, ICO Head of Enforcement
Potentially Eye-Watering Penalties
• New rules underpinned by tough penalties
• Maximum penalties for non-compliance
– EUR20 million OR
– 4% of WORLDWIDE turnover
Whichever is the higher
Brexit
Don’t disregard GDPR in light of Brexit!
• Data Protection Bill
“allow the UK to continue to set the gold standard on data protection”
And Finally…
“Customer-business relationships are a value exchange and the benefits of getting this right are greater than legal compliance. Who doesn’t value customer trust?”
- Elizabeth Denham, the Information Commissioner
Jim Sneddon - Founder of Assuredata
CISSP & GDPR Certified Practitioner
www.assuredata.eu
FINALIST – Education and Training Provider of the Year
Ready, Set, Go: Starting the Journey for being fit for GDPR
Breaches are bad, breaches are BIG !!!
Equifax Breach
General Data Protection Regulation
The Perception!
The Reality!
What looks good to the Lead Supervisory Authorities?
• Organisation showing proactive positive commitment
• Gap Analysis and prioritisation of tasks
• DPIAs (Data Protection Impact Assessments – 5 W & 1H)
• Building a plan and then executing against it
• Comprehensive technical and organisational security measures are in place
• Measurable Risk Reduction
• Documented facts and processes (checklists)
Considerations for Marketing Departments
• Consent Considerations
• Verify data you hold in the likes of HubSpot, Marketo, Eloqua, Mailchimp…
• Managing Opt in / Initial Opt in / Re-checking Opt in & Opt out
• Maintaining accuracy of data
• Old Data ?
• Web Cookies
The Supply Chain
• You may become GDPR compliant, but are your suppliers?
• Breach notification requirements put a greater emphasis on supply chain data security.
• Failure to audit suppliers regularly & probe the supply chain could have severe consequences
• Tenders will demand clarity around GDPR compliance (ITT, RFPs, etc)
• Cloud supply chains need relevant questioning to ensure (commitment to) compliance statements are gathered
Some Actions For Organisations To Take Now – Organisational
• Form a cross business GDPR Team and give 1 person responsibility for leading
• Know where your data is and why you are processing it (Lawful Processing)
• Know the 5Ws & 1H
• Review who has access to data, and whether they should
• Classify your data
• Do a gap analysis
• Build a GDPR culture within the organisation
• Train end users
• Get rid of data that you do not use
• Implement policies and procedures for individuals’ rights and SAR requests
• Use your compliance for marketing & PR purposes
• Become educated about GDPR through webinars, seminars like today’s
• GDPR Foundation training is highly recommended
• Conduct a GDPR gap analysis
• Data Protection Impact Assessments should be undertaken
• Build a GDPR plan and execute against it
Some Actions For Organisations To Take Now - Technical
• Shadow IT & its implications
– Skype
– Evernote etc
• Cloud File Sharing
– Box
– Dropbox
• Mobile Devices & Data Syncing
• Data Destruction
• Implement state of the art technologies where possible
• Encrypt and pseudonymise personal data
• Ensure policies are optimised, properly defined and configured on systems
• Ensure a good level of visibility on network (Reporting is Key)
• Effective anti-malware technologies should be put in place
• Regularly update and patch systems
• Regularly test, evaluate and assess the security of systems
• Ensure disaster recovery and backup systems are in place
• Ensure that identity and access controls are in place
• Ensure data in the cloud is secured and get statements of compliance
Jim Sneddon
Founder - Assuredata
CISSP & GDPR Certified Practitioner
Twitter - @assuredata_eu
www.assuredata.eu
Bringing GDPR to Your Customers - Your Duty Of Care
The Last Lap: Marketing in a GDPR World
Sean Seelochan
sean.seelochan@crmtechnologies.com
+44 118 945 0038
WWW.CRMTECHNOLOGIES.COM
RECAP
Legal
Getting ready
What can Marketers do
THE MARKETING TECHNOLOGY LANDSCAPE (chart of approximate solution counts by year: 2012 ~350, 2014 ~1,000, 2015 ~2,000, 2016 ~3,500, 2017 ~5,000)
THE MA MARKET
MARKETING – DON’T FEAR CHANGE
MARKETERS - HOW TO APPROACH GDPR
• Aligning at a Corporate Level
• Auditing Existing Systems
• Consent Management
• Data Capture
• Preference Centres
• Maintenance and Renewal
• Data Deletion
• Education
• Roadmap to Compliance
CORPORATE ALIGNMENT
• Assessing risk
• Involve the correct teams
• Take legal counsel
AUDITS
Marketing touchpoints to audit: Content Marketing, Social, Email Marketing, Lead Generation, Content Syndication, Webinar Promotion, List Acquisition, CRM Enrichment & Targeting, Website
CONSENT TO USE DATA
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• Is the intended use likely to cause individuals to object or complain?
DATA CAPTURE
• Perform an audit analysis on existing data collection points you are using
• Review how data from other sources is collected and used
• Are Sales complying with the new rules?
• Are 3rd party list lenders complying?
PREFERENCE CENTRES
DATA MAINTENANCE
• Continuously review data fields & data flows
• Create a culture of ownership and change
• Renew consent and preferences
• Subject Access Request
DATA RENEWAL
DATA DELETION
• Remove ‘un-engaged’ data
• Right to be forgotten
• Subject Access Request
EDUCATE YOUR TEAM
ROADMAP TO COMPLIANCE
• Create a programme of work to meet compliance
• Renew or remove data
• Audit and assess technology, 3rd parties, policies and procedures
• Assess your risk
OUR APPROACH
1. EDUCATION & PLANNING
2. GDPR AUDITS, READINESS & IMPACT ASSESSMENTS
3. PLANNING, BUILD EXECUTION & ADOPT
4. DATA PROTECTION OFFICER
WE’RE HERE TO HELP
Thank You
Follow Us:
@CRMTechnologies
/Crmtechnologies

CRMT's GDPR Bootcamp for Marketers Sept 2017
