Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

© 2017 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program
Profiling, Big Data & Consent Under
the GDPR
October 11, 2017

© 2017 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Thank you for joining the webinar
• We will start 2-3 minutes after the hour
• This webinar will be recorded – both the recording and
slides will be sent out via email later today
• Please use the GotoWebinar Control Panel on the right
hand side to submit any questions for the speakers
2
“Profiling, Big Data & Consent Under the
GDPR”

Today’s Speakers
Mark Webber
US Managing Partner, Fieldfisher
Helen Huang
Sr. Product Manager, TrustArc

Profiling and Big Data
4

What is changing?
• New definition of profiling
• Strengthened individual rights
(e.g. automated decision-making)
• Greater focus on accountability and
governance
• Increased transparency requirements
• Wider definition of personal data
(e.g. location data, online identifiers,
technology identifiers etc.)

Profiling and the GDPR
Two key questions:
1) What is profiling under
the GDPR?
2) Is it restricted?
6
Not all profiling is legally restricted!

What is profiling?
“…any form of automated processing of personal data
consisting of the use of personal data to evaluate certain
personal aspects relating to a natural person, in particular to
analyse or predict aspects concerning that natural person’s
performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or
movements” (GDPR Article 4)
…Targeting
…Evaluation…
Analytics…

Grounds for processing
8
Article 6 GDPR – Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) The data subject has given consent to the processing of his or her personal data for one or
more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is
subject;
(d) processing is necessary to protect the vital interests of the data subject or of another
natural person;
(e) processing is necessary for the performance of a task carried out in the public interests
or in the exercise of official authority vested in the controller
(f) Processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overrriden by the interests or
fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Grounds for processing (2)
• Organisations need to ensure that they have
clear “grounds” for lawful processing
• Under the GDPR – consent is NOT
mandatory……
REQUIRED

But “consent” is defined…
'consent' of the data subject means “any freely
given, specific, informed and unambiguous
indication of the data subject's wishes by which he
or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of
personal data relating to him or her”
10

Relying on consent
If relying on consent to collect and use an individual’s personal data, the
GDPR says that consent must be:
“unambiguous” if the data in question is ordinary, non-sensitive
personal data (Art 6 of the GDPR says that “consent” is needed, and
Art 4 defines consent to be “unambiguous” - hence “unambiguous”
consent); but
“explicit” if the data in question is sensitive personal data (i.e. relates
to any of the categories of sensitive data listed in Art 9(1) of the
GDPR, such as physical or mental health data, racial or ethnic origin,
and so on)
 I Agree
11

Unambiguous v explicit consent
• Unambiguous consent:
• given “by a statement or by a clear affirmative action” (Article 4)
• given “by a clear affirmative act…such as by a written statement, including by
electronic means, or an oral statement” (Recital 32)
• “Silence, pre-ticked boxes or inactivity should not…constitute consent” (Recital 32)
• Or given through “another statement or conduct which clearly indicates in this
context the data subject’s acceptance of the proposed processing of his or her
personal data” (Recital 32)
• Explicit consent
= Explicit affirmative action, i.e. explicit consent
- it’s also clear (unambiguous)
• “I agree to my personal data being processed by X for Y purposes”
• Ticking an unchecked box to say “I consent”
• Event sign-in, participants told that their details will be used for a specific type of
profiling and asked (verbally) whether they consent to this processing
12

Automated decision-making
Individual has right not to be subject to “…a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her”
…Profiling is not in and of itself an automated decision!
1. There must be a decision
2. There must be automated processing
(which may include profiling)
3. Decision must be based solely on
automated processing
4. Decision must produce “legal effects”
or otherwise “significantly affect” the
individual

Automated decision-making (2)
Automated decision making IS permitted if:
1. Authorised by Union or Member State law
2. Necessary for the contract between the data subject and data controller
3. Data subject has provided explicit consent.
…But don’t forget!
 Right to express their view
 Right to obtain explanation of decision reached
 Right to object / challenge the decision
 Sensitive data / children

Other obligations
► Ensure data is processed fairly and transparently
 Use appropriate mathematical or statistical procedures
 Implement technical and organisational measures to avoid and correct errors and
minimise bias or discrimination
 Provide meaningful clear information (i) about existence of automated decision
making, including profiling; and (ii) logic involved and significance and envisaged
consequences of profiling.
► Comply with principles of accuracy, storage limitation and privacy by design
 Data must be kept accurate and up-to-date – garbage in, garbage out?
 Ensure data is not kept for longer than necessary
 Incorporate processes by default and by design
► Honor the “right to object” exercised by any data subject (whether or not automated)
► Carry out Data Protection Impact Assessment (DPIA) for high risk processing
► Appoint Data Protection Officer (DPO) if required
15

Profiling and ePrivacy
• Cookies still require consent – with browsers and similar software required to
provide cookie and tracking controls
• Website owners will need to be able to demonstrate that users have consented
• Website owners will be responsible for managing consent needed for third party
tracking
• Cookies will be permitted for first party or third party analytics
16
 ePrivacy Directive
 New ePrivacy Regulations, May 2018?

Implementing a Consent Solution
Key Features

GDPR Consent Considerations
• Legal and policy
• Business strategy
• Technology and architecture
• Implementation steps
18

Poll Question
What types of data activities will you rely on
Consent as the legal basis for processing?
1. Digital tracking technologies (e.g. cookies)
2. Marketing activities (e.g. email marketing)
3. Other
19

GDPR Consent Requirements
• Capturing a robust-enough audit trail to show that a
person has consented to processing his/her data
• Ability to configure the notice as default opted out
(checkbox unchecked) to get affirmative consent from the
user
20

GDPR Consent Requirements
• Ability to ensure that no tracking happens until user
consents, unless it’s strictly necessary
• Ensure you can request consent again when processing
purpose or scope of transfer changes
• Ability to handle consent for other marketing activities,
such as email or SMS marketing
21

Poll Question
How do you plan to comply with GDPR consent
requirements?
1. Build in-house solution
2. Reuse an existing software
3. License a privacy technology solution
4. Other
22

GDPR Consent Compliance Steps
1. Discovery of consumer touch points
1. Data flow inventory and mapping
2. Cookies and marketing activities
2. Figure out where Consent is used as legal basis for
processing
3. Make a build or buy decision for GDPR consent solution
1. Developer resources near-term and long-term
2. Internal software systems to reuse
3. Compliance timeline or “risk appetite”
4. De-risk by working with partner with privacy as core competency
23

Questions?

Contacts
Helen Huang hhuang@trustarc.om
Mark Webber Mark.Webber@fieldfisher.com

Privacy Insight Series – 2017 Calendar
26
To register for Summer/Fall webinars and/or past webinar recordings
visit: www.trustarc.com/insightseries

Thank You!
Please take a quick minute and complete our post-webinar survey that will
appear as you exit the platform.
Register for the next webinar in our Series – November 15th
“6 Months to Go: How will the GDPR be Enforced?”

Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

Similar to Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides] (20)

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]