This document summarizes a workshop on data protection compliance based on the UK Data Protection Act of 1998. It introduces the key concepts of data controllers, data processors, and the eight principles of the Act, including obtaining consent, keeping data accurate and up-to-date, retaining data only as long as necessary, and protecting individuals' rights. The document also discusses issues around direct marketing, sensitive personal data, individuals' rights to access their data, and implications for handling children's personal data.

1. Data protection 2013
Data protection
compliance workshop
Friday 8 February
Wednesday 23 October 2013
#dmadata
Supported by

2. Welcome and Overview
Lesley Tadgell-Foster, Managing Director,
Shelfline Promotional Consultancy

3. INTRODUCING THE DATA
PROTECTION ACT 1998
Lesley Tadgell-Foster
Shelfline

4. Be Aware
The information contained in this presentation ad
provided verbally is not intended as legal
advice/counsel and is not represented as such by
Shelfline Promotional Consultancy Ltd. nor by the
Direct Marketing Association.
It does not make any warranties or statements
regarding the acceptability of the information
provided Whenever taking any action related to the
law obtain advice from legal counsel.

5. The danger of better targeting meaning
more intrusion
• Customers worry about what happens to
their information, how it can be used
against them, and they fear to being sold to
- but expect it
• High profile data losses – justified fears
• Concerns fuelled by the media – they know
what’s in your shopping basket syndrome...
• Data collection meets record-keeping

6. …continued
• Respect for customers’ rights to privacy and
discretion always vital in building
confidence, now enshrined in legislation
• The obligation of marketing to offer
explanations, reassurance and honesty
• Self-interest prevails – lose customer
confidence and expect them to cut contact

7. Purpose of the 1998 Data
Protection Act
• To safeguard the public from abuse in the
collection/storage and distribution of personal
information
• Information relating to identifiable, living
individuals only – not organisation
• Can be held on computer or system
• Or in a ‘relevant filing system’. Not your address
book – but in a structured way – such as a card
index

8. …continued
• So manual records are included.
Transitional relief until October 2007 for
full compliance
• Can also include photographs and systems
such as CCTV

9. RESPONSIBILITIES DEFINED

10. The Data Controller:
• This is the ‘person’ deciding why/how
personal data is processed
• More likely that the organisation is the Data
Controller
• An individual employee only likes to ‘carry
the can’ if shown to be ‘knowingly or
recklessly contravening the employer’s
policies and procedures. But....?

11. The Data Processor:
• ‘Any person other than an employee of the
data controller who processes data on behalf
of…
- Computer bureaux
- Individual market researchers collecting
survey responses

12. AND WHAT IS PROCESSING?

13. Anything to do with personal
data from:
•
•
•
•
•
•
•
Obtaining
Using
Holding/Storing
Changing
Disclosing
Erasing
Disposing

14. The Eight Principles Reviewed
1. Personal data must be processed fairly and
lawfully
The concept of fairness implies using candour
and transparency in dealing with the acquisition
of customer’s personal information
Are they deceived or misled in any way about
your purposes for obtaining/using the data?

15. The Eight Principles Reviewed
2. Personal data shall be obtained only for
one or more specified and lawful purposes
and shall not be further processed in any
manner incompatible with that purpose or
those purposes
Think purposes – not files

16. The Eight Principles Reviewed
3. Personal data shall be adequate, relevant
and not excessive in relation to the
purpose or purposes for which they are
processed
Avoid ‘just in case’ information
Defer to the minimum

17. The Eight Principles Reviewed
4. Personal data shall be accurate and where
necessary, kept up to date
Gives very frequent rise to customer
irritation, resentment and suspicion

18. The Eight Principles Reviewed
5. Personal data processed for any purpose or
purposes shall not be kept for longer than
is necessary for that purpose or those
purposes
Depends on both data and application

19. The Eight Principles Reviewed
6. Personal data shall be processed in
accordance with the rights of data subjects
under this Act

20. The Eight Principles Reviewed
7. Appropriate technical and organisational
measures shall be taken against unauthorised or
unlawful processing or personal data and against
accidental loss or destruction of, or damage to,
personal data
Real emphasis on the integrity of data and
reliability or operations
Data controller takes responsibility for ensuring
that any agency (bureaux) maintains adequate
security and is bound by contract

21. The Eight Principles Reviewed
8. Personal data shall not be transferred to a
country or territory outside the EU unless
it ensures an adequate level of protection
for the rights and freedoms of data
subjects…

22. The individual is an active part of
the ‘system’ of data protection
• this allows the right to know that processing
is being undertaken
• the right to inspect personal data
• the right to prevent processing in certain
circumstances (e.g. for direct marketing)
• the right to rectify, block or erase data

23. Is data processed/amended
outside the EEA – possibly to be
returned to the UK later?
Does the country have ‘adequate’/mirror
legislation to ours?
• For USA can consider use of ‘safe harbors’
model contracts
• Everywhere else need tailored contracts for
contractor/company overseas to
demonstrate adherence to UK DP regime

24. Sensitive Data – Opt in always
•
•
•
•
•
•
Racial or ethnic data
Political Opinions/Trade Union membership
Religious or similar beliefs
Physical/mental health
Sexual Life
Committed or alleged offences

25. Customer Understanding and
Agreement
•
•
•
•
•
•
•
The most onerous duty of all
Must ‘signify’ consent – a positive communication
Consent must be specific and informed
The role of the ‘opt out’ box
Depend on clarity of wording
Cannot be given under duress
Consent can be withdrawn

26. So What Place Direct Marketing?
• The right to reject unsolicited marketing –
by whatever means
• So – media neutral!
• Define the nature and purpose of the contact
• Are they just saying ‘no’ to your material,
or are they also rejecting that from third
parties?

27. …continued
• You may well need two opt out clauses
• Danger of combining into a single one?
• From time to time we may wish to contact
you with further information about our
products and those of other companies we
think may interest you. Please tick if you
do not wish this to happen

28. Media Choices
Can you implement real choice every time,
without fail?
- Direct mail
- Telephone
- Fax
- Email
- SMS/text

29. Almost all opt-out still....
Privacy & Electronic Communication
Regulations: ‘PECR’ - from 2004
Email Opt out OK for EXISTING
customers/similar products only (also
known as the soft opt-in)
SMS Same regime
Transfer to 3rd parties for them to undertake
marketing = Opt-in

30. Anyone still using fax?
Has always been opt in for home users/
sole traders & partnerships

31. More Concerns
• What exactly do you plan to send?
• Now – in the future?
• Will you change your media approaches over
time?
• And what about new products/services?
• You don’t pass on your customer list at the
moment – but might you at some point?
• OPT-IN ALWAYS FOR 3rd party Email/SMS
transfers

32. GOODBYE TO THE ELECTORAL
ROLL
Not entirely – but enough to lose complete
coverage
Two versions – opts out up to 46% in
Wandsworth
Credit Referencing use still OK – for now…

33. Consent at the earliest
opportunity
• And there’s no going back…
• No means no
• The Boots Advantage Case

34. What Information Do You Have
on Me?
• Subjects’ Right of Access
• Across all material/all databases/all departments
• Subjects can be internal as well as external for
data protection purposes
• Think Human Resources/Personnel records
• How easy/quick for you to collate all files held on
a single name?

35. …continued
• Credit rejection based on inaccuracy or
scoring?
• How best to explain to customers your
decision making?
• Maximum fee £10
• Maximum period 40 days

36. Don’t Box Yourself In
•
•
•
•
What about CRM?
How best to ensure continuity over time?
What about changing lifestyles/lifestages?
How much can/do you tell on future
communications?
• Make is as enticing as possible – given
space/truth, but don’t over-promise
• Optimise the opt-out to cleanse your list of the nohopers
• Work through how to retain the best

37. Other People’s Customers
• Are you using data across different divisions to
subsidiary companies?
• In the customer’s shoes – how closely related to
the known purpose for giving data?
• Running a Current Account is not the same as
using the ledger to cross-sell Life Insurance
• What if you start up a new venture and contact
existing customers with offers?

38. …continued
•
•
•
•
Ask questions about rented-in lists
Have list warranties been obtained?
Still run against the Preference Services
Is it time to re-visit those who haven’t
opted-out with a new consent?

39. Business to Business
Business lists with contact names capable of
identifying a living individual fall squarely
within the scope of the new Act
Offer marketing preferences in exactly the
same way to business prospects/customers
as for consumers

40. The Preference Services
TPS & CTPS, for supressing numbers from
cold telephone canvassing
Mailing Preference Service for consumers
only – no business version

41. And If You Get It Wrong?
• Customers have rights under the Act to
challenge the accuracy of information held
on them
• And to have it corrected or erased
• Plus they can claim compensation for both
material loss and distress
• Not a big issue yet – perhaps the press
haven’t discovered it!

42. Starting Young
•
•
•
•
How Data Protection affects children
A bit confusing…
No age described in the Act
The Information Commissioner goes with
12 year olds for e-communication (Trust
UK standard)

43. but…
• The Advertising Standards Authority CAP
Committee say 16 years on all
communication

44. Implications:
• Must not use or rent lists of names unless
parental approval obtained in writing at the
time the information was collected
• Must be verifiable consent of the parent
(opt-in)
• Implies is it vital to determine age as soon
as possible

45. …continued
• Not OK for web communication to gain
consent by a mouse click
• Postal communication needed to confirm

46. The Information Commissioner
• Establishes and maintains a register of data
users
• Promotes compliance with the Data
Protection Principles
• Considers complaints and breaches, and
prosecutes offenders or serves notices

47. A ‘NEW BROOM’ IN YOUR LIFE
Christopher Graham – new Information
Commissioner
Challenges and benefits of a ‘new face’
Looking for high profile cases + punishing worst
& persistent offenders
‘We need to be selective to be effective’ (Richard
Thomas, predecessor).
Increased fines up to £500,000 from April 2010

48. Refreshment Break

49. The role of the ICO
Sally Annereau, Data Protection Analyst,
Taylor Wessing

50. The Office of the Information
Commissioner (the ‘IC’)
Insert appropriate
image
Sally Annereau
Data Protection Analyst
15978330

51. IC- status
> Appointed by the Crown
> Independent – not servant of the Crown
> Regulator of
-
The Data Protection Act 1998
The Privacy and Electronic Communications Regulations 2003 (as updated)
The Freedom of Information Act 2000
The Environmental Information Regulations 2004
> 7 year appointment
> Appointment limited to one term of office
> Annual report to Parliament

52. Duties of the Commissioner
> Promote observance of the Act
> Maintain the register of notifications
> Make assessments
> Conduct audits
> Disseminate information
> Prepare and encourage codes of practice
> Enforce the Act
> Report annually to Parliament

53. Assessment considerations
> Includes
-
Does it concern the processing of personal data?
Is it by a directly affected individual?
Does the request raise a matter of substance?
Is it made without undue delay?
Has the individual raised their complaint with the controller?
Could the matter be dealt with better by another body?
Has the matter been resolved already?

54. Individual complaints/queries
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
1989-90 - 2698
1990-91 - 2419
1991-92 - 1747
1992-93 - 4590
1993-94 - 2889
1994-95 - 2814
1995-96 - 2950
1996-97 - 3897
1997-98 - 4173
1998-99 - 3653
1999-00 - 4570
2000-01 - 8875
2001-02 - 12500
2002-03 - 12001
2003-04 - 11664
2004-05 - 19,460
2005-06 - 22,059
2006-07 - 23,988
2007-08 – 24,851
2008-09 – 25, 509
2009 -10 – 33,234
2010-11 – 26,227
2011-12 - 20, 080
(minus FOI casework)
Source: OIC
35000
30000
25000
20000
15000
10000
5000
0
1990- 1993- 1996- 1999- 2002- 2005- 2008- 20111991 1994 1997 2000 2003 2006 2009 2012
Complaints

55. UK Categories of complaint
> Sectors
- Lenders
- General business
- Direct marketing
- Local Government
- Health
- Central Government
- Telecoms
- Policing and criminal records
- Debt collectors
- Internet
> Popular complaint causes
- Subject access
- Inaccurate data
- Disclosure of personal data
- Tele-marketing calls
- Security
- Email and SMS
Source: OIC Annual report 2013
18
16
Lenders
Local Gov
Health
Central Gov
Policing
T elecoms
Education
Insurance
Internet
Retail
14
12
10
8
6
4
2
0
Causes
50
45
40
35
30
25
20
15
10
5
0
Subject access
Disclosure
Inaccurate data
Security
Use of data
Fair processing
Obtaining data
excessive irrelev't
Causes

56. Investigations
> Can brief a regional investigating officer
> Can issue an ‘Information Notice’
- (‘Special Information Notice – special purposes)
> Can obtain a search warrant from a judge
- Warrants can be obtained with or without notice to the controller
- Offence to obstruct the execution of a warrant

57. Powers
> Direct consequences
- Prosecution
- Undertakings
- Enforcement
- Conduct audits
 power applies to public bodies
 can be extended to certain types of private
body subject to an order by the Secretary of
State
- Monetary penalties (up to £500,000)
> Indirect consequences
- Power of publicity
- Intervention by other regulators
- Risk of being sued
 Compensation claims
 Breach of contract

58. When handling complaints
> Try and head off complaints before they reach the OIC
> Log all complaints received
- Date of receipt
- Action dates
- Deadlines
> Try to find out what is behind the complaint
> Report up the details
- Progress
- Outcomes
- Lessons/actions
> Respond promptly to all correspondence

59. When the going gets tough
> Seek legal advice before agreeing to be interviewed by an investigating
officer!
> Be aware of the extent of the Commissioner’s powers
> Remember an Enforcement notice is for life
- Do not allow an Enforcement Notice to be issued against you or sign an
Undertaking unless you understand the consequences
- Use your right to make representations wherever possible

60. Data security and transfers
Sally Annereau, Data Protection Analyst,
Taylor Wessing

61. Keeping Data Safe
Insert appropriate
image
Sally Annereau
Data Protection Analyst
15973509

62. Data in demand
> Increase in sharing of data
> Technological developments
> Black market in data
> Cultural ‘catch-up’ required among data users
-
Lack of value attached to data assets
Absence of reporting lines and accountability
Lack of awareness
Lack of oversight
Policies, often mere ‘window dressing’

63. Data breaches - Incident sectors (UK ICO figures for 1 Apr - 30 June 2013)

64. Regulatory Framework
> Data Protection Act 1998 (‘DPA’)
- Seventh Principle
 “Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data”
> Other non DPA specific rules
- FCA rules
- effective systems and controls for countering the risk
- Public sector - Government Security Policy Framework (‘SPF’)

65. Why be concerned?
> Risk of enforcement action
> Risk of being prosecuted
- Company, directors, secretaries and other officers
- Individual employee liability
> Risk of fines
> Risk of being sued
> Costs of managing
> Damage to reputation
> Risk of devalued assets

66. Data protection UK: Enforcement in practice
250,000
200,000
150,000
100,000
50,000
Source ICO
Penalties in GBP
July
Aug
Feb
June
Nov
Sep
Mar
May
June
0
Jan-12
- 600 ‘Self-notified’ security breaches
- Undertakings 99
- Monetary Penalties 22
300,000
Feb-11
June
> Feb 2011–Sep 2012 – Security
breaches
350,000

67. Technical security measures - examples
> Passwords
> Firewalls
> Anti-virus software
> Secure internet payment systems
> Encryption
> Privacy enhancing technologies

68. Organisational measures - examples
> Reliability of employees
-
Selection
Education
Written guidance and procedures
Accountability and action
Controls on access /physical and systems
> Secure storage
> Controls on data movement /sharing
> Multi-disciplinary approach
> Data protection officer
> Security policy
> Monitoring

69. Using a data processor
> Definition
- ‘any person (other than an employee of the data controller) who processes the
data on behalf of the data controller’
> Examples
- insurance company and call centre;
- company and payroll bureau;
- group of related companies and subsidiary responsible for administration of
group-wide marketing campaigns; and
- company and secure data disposal agency

70. Obligations when outsourcing
> Choose a processor providing guarantees of
- Technical
- Organisational
- security measures
> Take reasonable steps to ensure compliance with above
- Written agreement
 Processor acts on controller’s instructions
 Imposes obligations equivalent to the seventh principle

71. Checklist for processor selection
> Does the processor have a data protection/information officer?
> How secure are the premises?
> What business continuity measures are in place?
> Does the processor have a written data protection/ security policy?
> What security standards does the processor adhere to?
> Does the processor conduct compliance and adequacy audits
> Have there been any security incidents?
> What steps are taken to ensure employee reliability?
> What training do employees receive in data protection?
> Other considerations
- financial status, insurance cover, subcontracting and references?

72. Security and IT system design
> Need for adequate security measures
- “both at the time of the design of the processing system and at the time of the
processing itself”
> Are contractors/ developers aware of the implications of the Seventh
Principle for system design?
> Who is responsible for specifying security requirements
- What do the tender documents say about security?
- What does the contract say about security?
> Consider the integrity of internal systems as well as preventing external
access (e.g the use of live data for systems testing)

73. Notifying breaches – IC guidance
> When to notify – consider
- the potential harm to affected individuals
- the volume of data lost
- the sensitivity of the data lost
> What to tell the IC’s office/affected individuals
-
What happened
What information was involved
What steps have been taken/are taking to mitigate the risks
Contact points
Self-help steps (in the case of affected individuals)

74. Anticipating the worst
> Security reporting and escalation processes
> Implement a breach management plan
- Key stages




-
Containment and recovery
Assessing the risks
Notification of breaches
Evaluate handling and response and implement changes
Identify and list the actions required within each stage
Allocate responsibility for each action
Identify the response time for each action
Train relevant staff and test the plan
Publicise the plan

75. Data transfers
Insert appropriate
image
Sally Annereau
Data Protection Analyst
15973509

76. When might a transfer occur?
For example…
> Employee data to US headquarters
> Customer data to a South American call centre
> Use of a data bureau in India
> Multi-national central CRM database
> Supply of customer orders to Japanese distributor

77. The Eighth Principle
“Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data”

78. Take a ‘bite-sized’ approach to the problem - 1
> Is personal data involved?
> Is the personal data going beyond the European Economic Area
(“EEA”)*?
> Is a transfer taking place?
* The member countries of the European Union together with Norway, Iceland
and Liechtenstein.

79. Adequate Protection?
> Has the European Commission ruled that the destination country is
adequate?
> Is the transfer to a US business signed up to the Safe Harbour Scheme?
> Does an exception to the Eighth Principle apply?

80. Existing EC adequacy findings*
> Hungary
> Switzerland
> Canada
> Argentina
> Guernsey, Jersey or Isle of Man
> Faroe Islands
> Andorra
> Israel
> Uruguay
> New Zealand
* Details of adequacy decisions can be found at:
http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm

81. Safe Harbour
> A US self-regulatory scheme
> US companies certify to comply with 7 principles
> Not all US companies can participate
> It is possible to check a public register of members
http://www.export.gov/safeHarbor
> Non compliance actionable by US Government or affected individuals

82. Exceptions under the Eighth Principle
Including:
> The data subject consents to the transfer
> The transfer is necessary for the performance of a contract with the data
subject(s).
> The transfer is necessary to implement pre-contractual measures at the
request of the data subject.
> There is a contract in placed based on EU approved terms between the
exporter and importer of the data*
*http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm

83. Binding Corporate Rules (“BCR”)
> Intra-group solution for international transfers
> Use of group wide enforceable data handling policies
> Required content for submission of BCR
> Supervisory co-operation for approval process
> NOT for the faint hearted!

84. Presumption of Adequacy?
Consider:
> the nature of the personal data
> the country of origin of the personal data
> the country of destination
> the purposes of the intended processing
> the law/relevant codes in force in the destination country

85. Practical Considerations
> To what extent do you transfer personal data outside the EEA?
> Do you have international subsidiaries?
> Consider the potential for transfers down the line and collect data with
that possibility in mind
> Consider carefully the wording of consent notices and contract terms
> Don’t under estimate the potential impact of non-compliance

86. E marketing and Cookies
Sally Annereau, Data Protection Analyst,
Taylor Wessing

87. E-Marketing and cookies
Insert appropriate
image
Sally Annereau
s.annereau@taylorwessing.com

88. The current law in the UK
> Data Protection Act 1998
> Privacy and Electronic Communications Regulations 2003
- Came into force on 11 December 2003
- Do not apply solely to marketing by e-mail or SMS
- rules also cover marketing by telephone, fax and automated calling
systems
- Need to think about this AND the Data Protection Act 1998
> The Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2011
- These come from European Directives
- Similar (but not exactly the same…) laws throughout Europe

89. Marketing by e-mail and SMS – the rules
(1)
Privacy and Electronic Communications Regulations 2003
> No unsolicited e-mail or SMS marketing to individuals unless:
- Recipient has consented
OR
- (1) you obtained contact details “in the course of the sale or negotiations for
the sale of a product or service”;
- (2) you are marketing your own similar goods or services to them; AND
- (3) opportunity to opt out (free of charge) given at the point of collection and at
the time of each subsequent communication

90. Marketing by e-mail and SMS – the
rules (2)
> You cannot disguise yourself
and
> You have to provide a valid return path

91. How do I go about getting consent?
> There is no set way of getting it, but the law says that it must be
informed, freely given (i.e. revocable) and…
> For e-mail or SMS marketing, consent has to be positive, so…
“I would like to send you information by e-mail. Please tick this box if
you do not want me to do so”
but
“I would like to send you information by e-mail. Please tick this box if
you are happy for me to do so”

? “By submitting this form, you will be indicating your consent to receiving
e-mail marketing messages from us unless you have indicated an
objection to receiving such messages by ticking the above box”
> Don’t necessarily need a classic tick-box

92. Mobile marketing
> “Live”/voice marketing calls
- TPS list – every 28 days
- CTPS
- In-house telephone suppression lists
> Text, picture and video mobile marketing is governed by the rules
previously discussed

93. Some tricky areas…
> Legal problems
- What is “in the course of the sale or negotiations for the sale”?
- Not simply registering an interest at/visiting a web site
- What are “similar” products and services?
- What would someone reasonably expect?
- Viral marketing
> Technical and marketing problems
- How long does consent last?
- What about pre-existing e-mail or SMS marketing lists?
- Hw d U fit all info U nd in2 160 krctz?

94. Automated calls and Fax marketing
Automated calls
> Prior express consent of any recipient required
> Where consent provided then communication must include:
- Identity of caller
- Contact address or free phone number
Fax marketing
> Prior consent of individual subscribers required
> Corporate subscribers
- not if opt-out or if registered on the Fax Preference Service register
> Where can legitimately communicate then this must include:
- Identity of caller
- Contact address or free phone number

95. Cookies
> A piece of information that includes a unique reference code that a
website transfers to your device to store and sometimes track
information about you.
Can be:
> First / third party
> Session or persistent
> ‘Flash’ or ‘super’
And don’t forget web beacons/gifs.

96. Regulation 6 ‘PECAR’
No storage or access to information stored, in the terminal equipment of a
subscriber or user unless the user or subscriber:
a) is provided with clear and comprehensive information about the purposes of the
storage of, or access to, that information; and
b) has given his consent.
Exception where storage or access is:
>
>
for the sole purposes of carrying out the transmission of a communication over
an electronic communications network; or
strictly necessary for the provision of an information society service requested
by the user or subscriber

97. Key considerations
Move from old law notice and ‘opt-out’ to notice and consent
Applies to equivalent technologies
No legal distinctions between different types of cookies
Applies to all equipment capable of receiving cookies
Clear and comprehensive information about cookies needs to be
provided about purposes of cookies
> Limited exceptions
>
>
>
>
>

98. IC Guidance
Initial guidance – no firm view on what kinds of consent will be enough but:
>
>
>
>
>
>
Browser settings – unlikely to work
Pop-ups and similar techniques?
Terms and conditions?
Settings/Feature led consent?
Functional uses?
Third party cookies?
Update guidance
explicit consent allows for regulatory certainty (and will be the most
appropriate way to comply in some circumstances)
“this does not mean that implied consent cannot be valid” although it
must still be informed.

99. Other viewpoints
> IAB
> Article 29 Working Party
> ICC
> ‘Do Not Track’

100. Enforcement
> 12 month compliance amnesty (ended 26 May 2012)
> Post May 2012 - Possible action including enforcement notices or fines
subject to an assessment of the impact of the breach on the privacy and
other rights of user.
Considerations likely to include:
> The intrusiveness of the cookie?
> Is data passed to an organisation the individual would not expect?
> Will any sensitive data be held in profiles?
> Is the website being “cavalier” or “tricksy”?

101. Steps to take (if playing catch-up) (1)
1. Identify
-
Websites?
Types of cookies (or other tools)?
Purpose of the cookie?
When deployed?
Who deploys (first or third party)?
Who can read the cookie?
How long is the cookie stored?
Are profiles of users browsing activity being created?
2. Assess
-
Is the cookie necessary to underpin a service requested by the user?
What is the impact of the cookie on the user?
Session only or persistent?
Is a third party tracking the user across this and other websites?
Are profiles of browsing activity being created?

102. Next steps (2)
3. Implement
-
Is sign-up or registration required to access the website?
Do users initiate a function or setting that uses a cookie?
Do users need to be alerted on first arriving on the website?
Review, enhance and introduce notices and privacy policies
Consider both specific and ‘holistic’ approach to solutions

103. So what are businesses doing?
> Confusion persists over what level of consent is enough
> Genuine reluctance to embrace clear consent mechanisms
> Yet doing nothing is not an option
> Evidence that most UK online businesses have:
-
cariried out internal audits
raised the bar on transparency and information
implemented changes to terms and conditions, privacy ‘and cookies’ policy
Applied landing page alerts / actions / notices

104. Examples

107. Light box approach

108. Enhanced privacy policies

109. Consent in policies & terms?
>
“When you create or log in to a online account you agree to our privacy and cookies
notice. Otherwise, by continuing to use our websites or mobile services you agree to the
use of cookies as described in this notice. Please see our cookies notice.”
>
By using the site you accept this privacy and cookie policy (our “privacy and cookie
policy”). If you do not agree with any term in this privacy and cookie policy, please do not
use our site or submit any personal data through it.
>
By clicking the "I Agree" button on the registration form, you agree that you:1. have read the web site terms of your privacy policy;
2. consent to our use of your information in accordance with our privacy policy;
3. consent to the use of cookies as disclosed to you in our
cookies policy
and;
4. agree to bound by these terms and conditions.
If you do not agree, please leave this website now.

110. Lunch

111. The proposals for new data
protection law
Sally Annereau, Data Protection Analyst,
Taylor Wessing

112. Data Protection
The Proposed European
Data Protection Framework
Sally Annereau

113. Data Protection Laws
> Current Landscape
> New Horizon
> The Reform Journey
- Published Proposals, 25 January 2012
- Parliament and Council
 First Reading
 Second Reading
- Entry into Force - Regulation

114. Proposed new EU framework
> Regulation
 2014?
 2 Year Implementation Period?
 2016?
> Evolution or revolution?
 Upgrade
 New
> The final picture?
 Ambiguity
 Delegated Acts
 Harmonisation

115. Territorial Scope
> Establishment in the EU
> Extended to those who are not in EU if processing relates to
- The offer of goods or services to data subjects within the EU
- The monitoring of EU data subject’s behaviour
> Home Authority
> Prior Authorisation
> Forum Shopping

116. Definitions
Similar base point
> Data Subject
> Personal Data Breach
> Binding Corporate Roles
> Sensitive Personal Data

117. Personal Data Processing Principles
> Lawful, fair and transparent
> Collected for a specified, explicit and legitimate purpose
> Adequate, relevant and limited to the minimum necessary
> Accurate and kept up-to-date
> Kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes
> Ensuring compliance with the provisions of the regulation

118. Consent
> Burden of proof
> Written declarations
> Withdrawal of consent
> Significant imbalance
> Personal data relating to a child

119. Special/Sensitive Personal Data
> Prohibition:
- the processing of personal data, revealing race or ethnic origin,
political opinions, religion or beliefs, trade union membership, and the
processing of genetic data or data concerning health or sex life or
criminal convictions or related security measures shall be prohibited
> Consent
> Employment law
> Vital interests
> Legal
> Public interest
> Health purposes

120. Transparency
> Transparent and easily accessible policies
- Processing of personal data
- Exercise of data subject’s rights
> Intelligible form
> Clear and plain language
> Adapted to the data subject

121. Subject Access Requests
> Information to be provided to the data subject
> Rights of access
> Electronic form
> Standard forms and procedures
> Timings
> Fee?

122. Right to be forgotten
> Right to rectification
- Inaccurate personal data; and
- Completion of incomplete personal data
> Right to be forgotten and a right to erasure
Where:




no longer necessary to the purpose of collection
the subject has withdrawn their consent
the subject objects
the processing is in breach of the Regulations
> Erasure without delay
> Restrict processing of disputed data
> Commission can specify further rules

123. Data Portability
> Obtaining a copy of data
> Format to be supplied
> Automated processing
> Technical standards, modalities and procedures for transmission

124. Marketing and Profiling
> Right to object to processing
- where based on
– vital interests
– public interest
– legitimate interests
> Right to object to direct marketing
> Rights in relation to measures based on profiling
 Extended to include health, personal preferences, reliability and
behaviour
> Consent?

125. Responsibilities of the Data Controller
> Policies and implementation
> Documentation
> Security obligations
> Data protection impact assessment
> Prior authorisation
> Data Protection Officer
> Implement compliance mechanisms and ensure verification
> Data Protection
- Design
- Default

126. Data Processor
> Due diligence and sufficient guarantees
> Contractual measures required
> Documenting the controller’s instructions and the processor’s obligations
> Shifting from processor to controller

127. Data Security
> Obligations of the data controller and the data processor
> Appropriate technical and organisational measures
> Notification of a personal data breach
- Notify the supervisory authority
- Within 24 hours
- Reason justification for 24 hours plus
> Data processor obligations to inform the data controller
> Content of the notification
> Notifying data subjects

128. Data Protection Impact Assessment
> Controller or Processor?
> Trigger points
> Considerations within the impact assessment
> Data subject liaison
> Prior authorisation and prior consultation

129. Data Protection Officer
> Designation of the DPO
> Tasks of the DPO
> Minimum term
> Different to current DPO roles

130. Data Transfers to Third Countries
> General principles
> Adequacy decisions
> Transfers by way of appropriate safeguards
> Binding corporate rules
> Derogations

131. Remedies
> Complaint to the supervisory authority
> Civil action against
- supervisory authority
- controller
- processor
> Right to compensation

132. Proposed new EU framework: Fines
First tier
€250,000 or 0.5%
> Subject access request breaches
Second tier
€500,000 or 1%
> Rules on transparency
> Rectification
> Right to be forgotten
> Data subject’s objections
> Compliance (required documentation)
Third tier
€1m or 2%
> Processes data without a legal basis
> International data transfers
> Compliance (appropriate internal policies)
> Impact assessments
> EU representative
Who’s in the firing line….“Anyone who …”

133. Food for thought
> Further Standards and Delegated Acts
> Commission reserved power to specify standard forms and procedures
Including:
 methods to obtain a child’s consent
 forms and procedures for access requests and communicating information and
data
 electronic format of supplied data
 technical standards for protection by design or default
> Wide Commission powers to adopt delegated acts
Including:




specifying lawful processing conditions
specifying sensitive data and how it is safeguarded
the detail of fair processing information to data subjects
additional data controller responsibilities & conditions for audits
> Member state safeguards and rules

134. Food for thought
> Compliance benchmark must be raised
- DPO
- Documentation
- Evidential trail
- May be published
> Vendor management processes must change
- Due diligence
- Contracts
- Liability

135. Data protection compliance and
marketing: getting the right
balance
Penny Champion, Data Protection Manager,
NSPCC

136. Data protection compliance workshop
23 October 2013 - DMA
Data protection compliance and
marketing - Getting the right balance
Some practical challenges for charities
Penny Champion, Data Protection Manager
penny.champion@nspcc.org.uk
www.NSPCC.org.uk
NSPCC 23 October 2013

137. Why direct marketing matters to charities
At the NSPCC in the year 2012-2013
Source: Annual Reports and Accounts
Regular and one-off donations
income of £110.7m
-
That was 85.6% of our income
Letter from Santa alone raised £1.8m
2

138. Contexts for charities: the marketing environment-1
 Supporter data not always in one database
 Often goes back decades, reflecting supporter loyalty, but data
quality and currency may be uncertain
 Donors from all sectors of society – from individual giving at £2
a month all the way up to wealthy individuals and large
corporates
 Participation in events – fundraising balls, sponsored walks,
bike rides, ascent of the Gherkin, HACK walks
 Participation in externally organised events – London Marathon,
Belfast Marathon
 Legacies
Supporter relationship management can be challenging!
3

139. Contexts for charities: the marketing environment-2
 Supporters are respected and valued
 Aim is to have sustainable relationships with all sectors of
donors
 Data protection and privacy law and regulation really matters
when it comes to successful donor recruitment and retention
 Cost of fundraising across different channels:
 Telephone tends to be more effective – people respond to
the human voice
 Email is a very cost effective way of communicating
 But you need the right consents in place!
 What do supporters think they’ve agreed to by way of direct
marketing communications?
4

140. Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’
The scenarios are fictitious but could come up at any major UK
charity. You are responsible for advising the Director of
Fundraising what to do in the following circumstances:
1 Bringing gift aid declarations up to date
2 A local committee decides to run a Christmas Fair to raise
funds for National Charity
3 A major corporate supporter – BigTelCo – is supporting a Big
Run. The runners are its staff, their families, and friends. The
CEO wants to email all entrants to say ‘thank you’
4 TV advert – Text CHILD2013 to donate £4. You’d like to phone
donors later and see if you can convert them to regular givers
5

141. Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 1 of 4
Bringing gift aid declarations up to date – repairing defective data
o There’s been a major review and clean up of Gift Aid
declarations for existing supporters
o For some of the older ones, the original declaration can’t be
found, or there is a technical problem eg no forename initial is
held. As a result you have had to mark the donations as ‘No Gift
Aid’ and cannot claim back from HMRC
o Can we telephone or email these supporters to ask if they can
give a new Gift Aid declaration?
The scenario is fictitious but could come up at any major UK charity
6

142. Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 2 of 4
A local committee decides to run a Christmas Fair to raise funds
for National Charity
o They want a website – how can that best be managed?
(cookies compliance, privacy notices, who is the data controller
anyway?)
o Committee members want to email their personal contacts –
local businesses and their friends to generate interest from
potential stallholders. So do the PEC Regs apply?
The scenario is fictitious but could come up at any major UK charity
7

143. Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 3 of 4
A major corporate supporter – BigTelCo – is supporting a Big Run.
o National Charity is BigTelCo’s charity of the year. There’s going
to be a BigTelco Run. It’s been promoted to staff on the
company’s intranet – they are encouraged to get family and
friends to enter.
o Entry is on-line – a special webpage set up by National Charity
– and over 400 people have signed up. National Charity is the
data controller for their personal data.
o The CEO is thrilled – she decides she wants to email all
entrants after the Run to say thank you from BigTelCo. But
National Charity did not tell entrants that their email addresses
would be passed to BigTelCo. What are the options and risks?
The scenario is fictitious but could come up at any major UK charity
8

144. Practical scenarios from the Data Protection
Manager’s in-box at ‘National Charity’ 4 of 4
TV advert – Text CHILD2013 to donate £4. You’d like to phone
donors later and see if you can convert them to regular givers
o CAP Code compliance is OK - the advert complies with the
standards for what is displayed on screen and how many
seconds it’s up there. People are told how much of the £4 the
charity gets and National Charity (registered number, website
address) is shown.
o Donors get a ‘thank you’ text from National Charity. It includes a
link to the Gift Aid declaration webpage. We want to phone
donors to see if we can convert them to regular givers. Can we
give them the telephone opt-out opportunity in the thank-you
text?
The scenario is fictitious but could come up at any major UK charity
9

145. Conclusions – not always easy answers
 Quality of data gives rise to problems. Is the Gift Aid approach
administrative or direct marketing in purpose? How will the
supporters perceive it?
 Who’s the data controller? Volunteers doing their own thing
may well be fine, but how can National Charity manage the
privacy compliance risks to itself?
 Privacy statements – retro-fitting consents to disclose is hard. Is
the CEO thank-you direct marketing? Will the BigTelCo Run
entrants object?
 Unless you obliterate the ad with ‘small print’ you’re going to
have to find another way to deliver the telephone opt-out.
What’s fair and best for the donors?
The scenarios are fictitious but could come up at any major UK charity
10

146. And finally …….
 Look out for companies who claim to offer a marketing blocking
service to consumers (Opt Out UK Ltd, Data Protection House).
You (probably) do not have to agree to their demands. Talk to
the DMA.
 Wider privacy issues – it’s not just about supporters.
 Use of ‘real life stories’ in marketing materials
 Personal data in the charity’s Facebook page or other social
media
Your thoughts and questions?
Penny Champion, Data Protection Manager
penny.champion@nspcc.org.uk
11

147. Practical session & feedback
Sally Annereau, Data Protection Analyst,
Taylor Wessing

148. Refreshment break

149. Privacy statements
Lesley Tadgell-Foster, Managing Director,
Shelfline Promotional Consultancy

150. Be Aware
The information contained in this
presentation ad provided verbally is not
intended as legal advice/counsel and is not
represented as such by Shelfline
Promotional Consultancy Ltd., nor by
Charity Confidential.
Neither makes any warranties or
statements regarding the acceptability of
the information provided Whenever taking
any action related to the law obtain advice
from legal counsel.

151. The Ever Willing Customer?
 ‘The key to modern direct marketing
is the capture of individual customer
details at the first sale, so that the
marketer can begin a relationship
with the customer’
Tapp (1998) Principles of Direct & Database Marketing

152. Trust Me, It’s The 121 World Now
 ‘Trust is more important than it ever
was before. If you violate it, you will
be outed’
Peppers (2008) IDM Insights

153. Lack of Privacy Control
 Control over the personal information
held
 Control over personalised marketing
 Control over data accuracy
Evans, O’Malley & Patterson (2004) Exploring Direct and
Customer Relationship Marketing

154. Privacy Statement Checklist







How easy is it to find – online/offline?
Is it true?
Does it make sense?
How does it cover marketing contact?
What else is desirable?
Is it future-proofed?
Does it reassure – inspire trust &
confidence?

156. Real Voices
 ‘What if I don’t tick the terms &
conditions. Do they still have my
details? I don’t know how it works?
(Jess aged 22)
 ‘I always think that’s just legal stuff
they have to put it, even if they don’t
want to’. (Marcos aged 25)

157. More Voices
 ‘If it’s short they could get out of any
little situation, there’s no way they’ve
covered everything’ (Mollie aged 23)
 ‘The longer they are the more
suspicious I am’ (John aged 56)
 ‘I think it’s a load of blurb really’
(Judy aged 42)

158. Frequency of Reading Privacy
Policies




45% claim never to read
28% rarely read
18% sometimes read
5% always read
Source: Sophie Warren, BA International
Marketing Student, Bournemouth
University, January 2009

160. Don’t Tell People The Obvious
 Something a reasonable person would
anticipate and agree to if asked
 Necessary to carry out the
transaction requested
 Has no unforeseen consequences

161. Sharing Information
 No unjustified adverse effects
 Within the same group – provide back
up details if asked
 When the sharing is unexpected

164. Saying what you mean, and playing
fair
 ‘From time to time we may wish to
contact you with further information
about our products and those of other
carefully selected companies we think
may be of interest to you. Please
write to xxxxxx if you do not wish this
to happen’

168. Let’s Get Personal:
shelfline@btinternet.com

169. Test
Lesley Tadgell-Foster, Managing Director,
Shelfline Promotional Consultancy

170. Close