Becoming A Data Champion – the law. John Enser

SLIDE 1

John Enser

Becoming A Data Champion – the law.

SLIDE 2 |

A refresher: Data has rules.

30 March, 2017 Becoming A Data Champion 2

1. You need permission to collect Personal Data.
2. You can only use Personal Data for the purposes you collected it.
3. You should only use the minimum Personal Data you need.
4. You must protect Personal Data.
5. You must not transfer Personal Data outside of Europe without specific protections.

SLIDE 3 |

But what is Personal Data?


"any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"

  • Widely interpreted.
  • If in doubt, information is likely Personal Data.
SLIDE 4 |

Is _________ Personal Data?


1. STB tuning data (without associated subscriber details): Likely, NO.
2. First party subscriber data: Likely, YES.
3. Third party data: Depends on the type of data.

SLIDE 5 |

And remember…


Data alone may not be Personal Data BUT in combination with other data, could be.

SLIDE 6 |

…and the fringes can be grey areas…


Single items of audience data (for example "sympathetic to charities", or "M1634") may not be Personal Data BUT as you add more data, the more likely it becomes Personal Data (for example, "female", "1634", "Cambridge", "vet", "frequent traveller", "graduate").

SLIDE 7 |

Don't panic.


Even if information is Personal Data, you can still use it – you just need to follow the rules.

SLIDE 8 |

[Data protection challenges] arise not only from the volume of the data but from the ways in which it is generated, the propensity to find new uses for it, the complexity of the processing and the possibility of unexpected consequences for individuals

ICO: Big data, artificial intelligence, machine learning and data protection (March 2017)

SLIDE 9 |

Europe is changing.

  • Currently, local implementations of data laws differ across Europe.
  • More harmonised under GDPR but still likely to be national differences.
  • Greater penalties – up to 4% of global turnover
      • unclear as to whether this applies across all companies in the group, but intention is clearly to cover all global turnover so likely to do so.
  • GDPR changes some things:
      • wider definition of Personal Data;
      • "explicit consent" now needed for "profiling" which produces a "legal effect" or similar in respect of the data subject;
      • definition of "profiling" expressly references "analysing… or predicting aspects concerning that person's… personal preferences, interests… [and] behaviour".
SLIDE 10 |

So what is Personal Data in future?


"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

SLIDE 11 |

Other things to consider.

  • Not just pure "law" but also attitudes of each data protection regulator.
  • UK very business-friendly, much of continental Europe less so.
  • Much industry-specific guidance also in play (e.g. AdChoices). Not legally required but expected by others in the industry, and increasingly consumers.
  • As the GDPR comes into force, regulators and industry bodies will issue guidance. Review frequently to keep up-to-date with best practice.
  • Can you influence best practice?
SLIDE 12 |

Practical solutions.

  • Treat all collected data as Personal Data.
  • Keep collected data secure. Limit data exposure.
  • Train employees – the best protection is an informed team.
  • Minimise data –
      • identify key data you need to retain, not a "vacuum cleaner" approach;
      • think about how long each piece of data is valuable; and
      • consider anonymisation/pseudonymisation over time.
SLIDE 13 |

Practical solutions.

  • Central "hubs" for data storage can help –
      • a consistent approach is easier to maintain; and
      • security measures can be enhanced at lower cost (as no need to multiply across lots of markets).
  • And be ready to respond appropriately to any breach –
      • Obligation to notify regulators
      • Action plans with suppliers
      • Comms strategy with Consumers
SLIDE 14 |

New ICO guidance

  • Does it need to be personal data? Anonymise before analysis.
  • Describe analytics activities in a privacy notice at the point of collection.
  • Privacy-by-design:
  • Include a PIA in the development of big data solutions.
  • Make sure decisions are auditable.
  • Develop 'ethical principles' – consider a data ethics board.
SLIDE 15 |

Also consider consumers.

  • Make sure consumers are informed of how their data will be used –
      • well developed privacy and cookie policies;
      • clear notices at point-of-collection;
      • hiding away in lots of text in a terms of use or policy is unlikely to work in future.
  • Create granular preference centres –
      • allow consumers to manage the data they share with you – better to get some data that a consumer is happy to share than lose all data due to a blanket opt-out; and
      • regularly refresh consents.
SLIDE 16 |

And another thing…

SLIDE 17 |

Privacy and Electronic Communications Regulation

What? Updated rules specific to direct marketing, cookies and other online activities.

When? 25 May 2018 (proposed)

SLIDE 18 |

Privacy and Electronic Communications Regulation


What's changing?

  • Increased sanctions aligned with GDPR
  • Extra-territorial effect
  • Scope now includes OTT providers and M2M/IOT
  • Broader definition of "cookie"
  • Browser providers must implement "do-not-track"

PECR is only an initial draft – it could still change!

SLIDE 19 |

But at least there's no privacy laws in the US?

SLIDE 21
For more information please contact:

Olswang: Changing Business. www.olswang.com

John Enser +44 (0) 20 7067 3183 john.enser@olswang.com