Becoming A Data Champion – the law. John Enser
A refresher: Data has rules. 1. You need permission to collect Personal Data. 2. You can only use Personal Data for the purposes you collected it . 3. You should only use the minimum Personal Data you need. 4. You must protect Personal Data. 5. You must not transfer Personal Data outside of Europe without specific protections. 2 | Becoming A Data Champion 30 March, 2017
But what is Personal Data? " any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly , in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; " • Widely interpreted. • If in doubt, information is likely Personal Data. 3 | Becoming A Data Champion 30 March, 2017
Is _________ Personal Data? 1. STB tuning data (without associated subscriber details) Likely, NO . 2. First party subscriber data Likely, YES . 3. Third party data Depends on the type of data. 4 | Becoming A Data Champion 30 March, 2017
And remember… Data alone may not be Personal Data BUT in combination with other data , could be. 5 | Becoming A Data Champion 30 March, 2017
…and the fringes can be grey areas… Single items of audience data (for example "sympathetic to charities", or "M1634") may not be Personal Data BUT as you add more data, the more likely it becomes Personal Data (for example, "female", "1634", "Cambridge", "vet", "frequent traveller", "graduate"). 6 | Becoming A Data Champion 30 March, 2017
Don't panic. Even if information is Personal Data, you can still use it – you just need to follow the rules . 7 | Becoming A Data Champion 30 March, 2017
“ [Data protection challenges] arise not only from the volume of the data but from the ways in which it is generated, the propensity to find new uses for it, the complexity of the processing and the possibility of unexpected consequences for individuals ICO: Big data, artificial intelligence, machine learning and data protection (March 2017) 8 | Becoming A Data Champion 30 March, 2017
Europe is changing. • Currently, local implementations of data laws differ across Europe. • More harmonised under GDPR but still likely to be national differences. • Greater penalties – up to 4% of global turnover • unclear as to whether this applies across all companies in the group, but intention is clearly to cover all global turnover so likely to do so. • GDPR changes some things: • wider definition of Personal Data; • "explicit consent" now needed for "profiling" which produces a "legal effect" or similar in respect of the data subject; • definition of "profiling" expressly references " analysing… or predicting aspects concerning that persons… personal preferences, interests… [and] behaviour ". 9 | Becoming A Data Champion 30 March, 2017
So what is Personal Data in future? " any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name , an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic , mental, economic, cultural or social identity of that natural person " 10 | Becoming A Data Champion 30 March, 2017
Other things to consider. • Not just pure "law" but also attitudes of each data protection regulator. • UK very business-friendly, much of continental Europe less so. • Much industry-specific guidance also in play (e.g. AdChoices). Not legally required but expected by others in the industry, and increasingly consumers. • As the GDPR comes into force, regulators and industry bodies will issue guidance. Review frequently to keep up-to-date with best practice. • Can you influence best practice? 11 | Becoming A Data Champion 30 March, 2017
Practical solutions. • Treat all collected data as Personal Data. • Keep collected data secure . Limit data exposure. • Train employees – the best protection is an informed team. • Minimise data – • identify key data you need to retain, not a "vacuum cleaner" approach; • think about how long each piece of data is valuable; and • consider anonymisation/psuedonymisation over time. 12 | Becoming A Data Champion 30 March, 2017
Practical solutions. • Central "hubs" for data storage can help – • a consistent approach is easier to maintain; and • security measures can be enhanced at lower cost (as no need to multiply across lots of markets). • And be ready to respond appropriately to any breach - • Obligation to notify regulators • Action plans with suppliers • Comms strategy with Consumers 13 | Becoming A Data Champion 30 March, 2017
New ICO guidance • Does it need to be personal data? Anonymise before analysis. • Describe analytics activities in a privacy notice at the point of collection. • Privacy-by-design : • Include a PIA in the development of big data solutions. • Make sure decisions are auditable . • Develop ' ethical principles ' – consider a data ethics board. 14 | Becoming A Data Champion 30 March, 2017
Also consider consumers. • Make sure consumers are informed of how their data will be used – • well developed privacy and cookie policies; • clear notices at point-of-collection; • hiding away in lots of text in a terms of use or policy is unlikely to work in future. • Create granular preference centres – • allow consumers to manage the data they share with you – better to get some data that a consumer is happy to share than lose all data due to a blanket opt-out; and • regularly refresh consents. 15 | Becoming A Data Champion 30 March, 2017
And another thing… 16 | Becoming A Data Champion 30 March, 2017
Privacy and Electronic Communications Regulation What? Updated rules specific to direct marketing, cookies and other online activities. When? 25 May 2018 (proposed) 17 17 | Becoming A Data Champion 30 March, 2017
Privacy and Electronic Communications Regulation What's changing? • Increased sanctions aligned with GDPR • Extra-territorial effect • Scope now includes OTT providers and M2M/IOT • Broader definition of "cookie" • Browser providers must implement " do-not-track " PECR is only an initial draft – it could still change! 18 | Becoming A Data Champion 30 March, 2017
But at least there's no privacy laws in the US? 19 | Becoming A Data Champion 30 March, 2017
20 This is the Title
• For more information • please contact: John Enser +44 (0) 20 7067 3183 john.enser@olswang.com Olswang: Changing Business. www.olswang.com
Recommend
More recommend
