- Josh Dean discussed how Lancaster University approached data protection regulations in a positive way rather than panicking. - They focused on educating staff, designating GDPR representatives, and building internal tools to help control data access while giving people what they need. - Externally, they developed new privacy policies prioritizing students, only collecting necessary data, and providing contact options. - Now, Lancaster has addressed the fundamentals of being GDPR compliant while still being able to function and communicate through preference centers and dynamic content based on consent. - The future of data protection will involve increasingly complex laws internationally as systems strive to keep up and all organizations continue adapting to new regulations and technologies.

1. #TargetXSummit
Data Protection - How not to panic
and make it a positive
Josh Dean – Business Development Manager – Lancaster University

2. Who am I
- I’ve been working in Higher
Education for the past 7 years.
- Since 2017, I’ve been focused on
business development for our UK
and International Recruitment
teams.
- This involves oversight of strategic
important projects including new
systems and policy.

3. First up – A quick question(s)…

4. What am I going to talk about
• Why the “big deal” about Data Protection?
• The journey we’ve been on.
• Building trust in actions and words.
• How a CRM helps us achieve this.
• What I think the future holds…

5. Where was Lancaster
• One of the consistently ranked Top 10
Universities in the UK, with over
13,000 students from 120+ countries
• Teaching over 160 core programmes,
plus hundreds more variants and
Graduate options
• With campuses in Ghana, Malaysia,
China and soon Germany.
• Known for our sociable ducks and
amazing sunsets!
• Check out our Instagram @LancasterUni

10. Acronym Soup
- “General Data Protection Regulation” was introduced May 25th 2018.
- It’s an EU wide Data Protection regulation protecting all EU citizens.
- The EU felt people’s data was being abused and were ‘forced’ into agreeing
to access services.
- E.G Facebook is ”free” if you agree to share ‘something’ with them...
- The concept of purchased "lists” is not really used in the EU
- This, combined with the Privacy and Electronic Communications (PECR)
creates a significant consumer protection environment.
- Moves control and governance away from the companies to the people.

12. #TargetXSummit
GDPR – The basics
• There are basically 7 Key Principles to this regulation in being compliant
1. Obtain Consent – People have to Opt In to your marketing
2. Timely Breach Notification – You have to let customers/reporting bodies know within 72
hours
3. Right to access data – You have to provide a free and fully detailed dataset, as well as
how you are using it
4. Right to be forgotten – People can request to be removed from your dataset
5. Data Portability – Users have the right to their own data
6. Privacy By design – data protection must be built into all business processes
7. Designated Data Protection Officer(s) – Dedicated member of staff responsible.
• Of course, how these work in practice could take another 5 hours to explain

13. What could have made us panic

14. €20 million* or 4% Global Turnover
* that’s $22,424,841.08…
The headline…

15. What could have made
us panic?
• Fines. And big ones.
• Reputation – didn’t want to
be in the news!
• Our data was hard to
manage, and people did it
their own way.
• Trust – Hard won and easy
lost amongst our prospects
and their parents.

16. Reputation of the University…And it’s brand

17. Last week…
• Marriott was fined £99 million by the
UK Information Commissioners
Office for a breach originally in 20141
• But even on a smaller scale, a UK
University was fined £120,000 for
data protection breach, often due to
poorly designed systems.
• British Telecom was fined £77,000
for ”spam” emails to 5 million people.
• Many of these issues, Universities
are capable of falling into these traps
1. Techcrunch report

18. “Gen Z (those born after 1995) do not trust businesses
to act in the best interests of society…”
Report by Brand Consultancy BBMG on 2,000+ US consumers, May 2019 (link)

19. #TargetXSummit
”Trust” of the “consumer”
• Sometimes these are uncomfortable words for Higher Ed.
• They know their data is a commodity and are protective of it.
• Higher Ed traditionally were pretty poor at making use of.
commodity – think of all the data we collect, but don’t need?
• We are trusted with qualifications, family history, but how much
value did we place on that?
• One leak, one catastrophic unleashing of data – Could it be game
over?

20. Problem is – our approach is conflicted
The Good.
• CRM’s help democractise data
whilst controlling who and what is
visible
• We wanted people to be curious, to
make reports, to get “under the
skin”.
• Allows us quicker, more responsive
and socially engaged
communications.
The Bad.
• The GDPR myths went into overdrive
• You can’t just put a CRM in place and
watch all the bad habits go away.
• As soon as it gets in the way of
people’s jobs, you become the
enemy!
• Emphasis of people ‘Consenting’ to
their data being used

21. So how haven’t we panicked?

22. #TargetXSummit
So how haven’t we panicked
• We have made sure data protection is not a dirty word and we
train people to feel confident.
• Staff Development Portal for Data Protection.
• ”GDPR Reps” (Hello!) in each department to tackle queries quickly.
• Acknowledge it’s complicated, but that it doesn’t have to be scary
• It’s not about blaming individuals – it’s our job to build the tracks
for them to ride on.
• Needed to raise awareness of people did and did not need to
know.

23. We developed trust internally.
• Built the tools to control give people what they need
(Reports/Tableau)
• Clear up the myths
• For example, ”Do people need to consent to receive any emails
from us?”
• “Gentle” reinforcement, such as the Security Panda…

24. Apparently this is from an Anime, but I just thought I
was a cool Panda cop…

25. Externally, lots of things
have happened
• Developed completely new data and privacy policies
placing the student first
• Not just about covering our own backs legally.
• They have a right to their data, especially as it
gets more and more sensitive
• Collect what we need, when we need it.
• No more hording data because we ‘might’ need
it.
• Also give them a way to contact us
• Seems simple, but often missed.
• Means that we also know how they like to be
contacted

26. But we can still function within the regulation
• Some information we have to keep.
• Whether someone graduated and record of their degree.
• We also will still be able to contact people’s parents in the case of an
emergency.
• We can still post things to people (old school rules!)
• It becomes a flow chart of questions ‘What is it, what have they agreed to,
what would they reasonable expect?”

27. Example is our
preference center
• You’re seeing these pop up more and
more outside of the traditional web
services
• We are getting increase ways to
contact students, their parents
• UTM Tracking, Social Media etc
• Behavioral marketing
• Our real and digital presences are
being bombarded with information
• Made possible by CRM as we can
track every time someone opts in/out
• All our communications allow people
to choose how we speak to them

28. So where are we now?
• We’ve covered all the fundamentals.
• Education – Staff are more aware of what they do, and importantly, don’t have
to do under the GDPR.
• Though it’s a constant learning process.
• Gradually, we’ve come to understand it as holding us to an higher standard.
• We now think much more carefully about our ‘Transactional’ and ’Marketing’ Communications
• Opening the door for us to be much more sophisticated.
• “Opted in” dynamic content.
• Our awareness has had to keep up with our students.

29. So what does the future look like?

30. A shot from Blade Runner 2049 I particularly like…

31. What does the future of Data Protection look like?
• Increasingly complex legally to try and get to something simple and transparent.
• Increased accountability internationally– what do borders mean in the internet age?
• Some markets are a long way behind/it’s not in the culture.
• Issues in some markets such as Russia and China
• Our systems have yet to catch up.
• All organizations are struggling to adapt.
• Salesforce/other providers are continually upping the priority of this.
• There will be breaches and there will be crises.
• Other areas, such as Accessibility and Equality are also hugely important

32. Thank you for listening
Any Questions?
Questions?