SLIDE 1

20/06/2019 Atlantic Compliance 1

This presentation contains general information. This presentation is not intended to constitute legal advice and therefore should not be relied on as such.

SLIDE 2

Agenda

  • Revisit – where we are now
  • Breaches
  • Direct Marketing
  • GDPR
  • ePrivacy
  • What you could/should be doing now

SLIDE 3

Enhanced Obligations for Firms

  • Accountability – new concept: you need to be able to demonstrate that you comply with the GDPR
  • Privacy Notices – increases the amount of information that you must provide to clients when collecting their data
  • Consent – raises the bar higher if you are relying on consent for processing data
  • Breach notification – mandatory to notify the supervisory authority/individual of a data breach within 72 hrs
  • DPIA – data protection impact assessments must be performed where processing is likely to result in high risk to the rights and freedoms of individuals
  • Data Processor liability – processors are now open to direct enforcement action by data subjects and regulators
  • Data mapping – retain records of all processing activities
  • Sanctions – liability and compensation: data subjects can sue for material or non-material damage, plus the supervisory authority can fine up to 4% of worldwide turnover
  • International Data Transfers – an additional mechanism is required to ensure a third country has adequate levels of protection

SLIDE 4

Expansion of Individuals' Rights

  • Right to be Informed – about the processing of their personal data (principle of transparency)
  • Right to Rectification – if their personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within 1 month)
  • Right of Access – to their personal data and supplementary information, and the right to confirmation that their personal data is being processed
  • Right to be Forgotten – to their personal data and supplementary information, and the right to confirmation that their personal data is being processed
  • Right to Restrict Processing – of their personal data, for example if they consider that processing is unlawful or the data is inaccurate
  • Right to Data Portability – of their personal data for their own purposes (they will be allowed to obtain and reuse their data)
  • Right to Object – to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes
  • Right to make a Complaint – data subjects can initiate complaints with the courts or the supervisory authority and seek compensation for both material and non-material damage
  • Right not to be evaluated on the basis of automated processing – the right not to be subject to a decision based solely on automated processing which significantly affects them (including profiling)

SLIDE 5

Data Protection Principles

6 Principles:

  • Process data lawfully, fairly and transparently
  • Keep it only for specified, explicit and legitimate purposes
  • Keep it safe and secure
  • Keep it accurate, complete and up-to-date
  • Ensure that it is adequate, relevant and limited to what is necessary
  • Keep it in a form in which the data subject can be identified only for as long as necessary

SLIDE 6

Data Processing

Processing will only be lawful if ONE of the following conditions is met:

  1. Consent – the data subject gives consent for one or more specific purposes
  2. Contractual Obligations – processing is necessary to meet contractual obligations entered into by the data subject
  3. Legal Obligations – processing is necessary to comply with legal obligations of the controller
  4. Vital Interests – processing is necessary to protect the vital interests of the data subject
  5. Public Interests – processing is necessary for tasks in the public interest or the exercise of authority vested in the controller
  6. Legitimate Interests – processing is for the purposes of legitimate interests pursued by the controller

SLIDE 7

Data Protection Principles

Processed fairly, lawfully and transparently

This places an additional compliance burden on organisations (albeit one that was already implied under the Directive): organisations must take additional care when designing and implementing data processing activities.

Purpose Limitation - collected for specified, explicit and legitimate purposes.

In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible, purpose.

Data Minimisation - adequate, relevant and limited to what is necessary.

The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.


SLIDE 8

Data Protection Principles

Accuracy - accurate and, where necessary, kept up to date.

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

Retention - kept for no longer than is necessary.

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art. 89(1) and subject to the implementation of appropriate safeguards.

Security - processed in a manner that ensures appropriate security.

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability - new requirement that the controller be able to demonstrate accountability.

SLIDE 9

Breaches – updates from the DPC

  • Use this form if you wish to contact us on behalf of an organisation to report a personal data breach that has occurred in your organisation (or that you think may have occurred), in circumstances where you have determined that the breach presents a risk to the affected individuals.
  • You can also use this form to update a breach report that you have previously submitted to us.
  • A personal data breach occurs when the data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation's obligation to keep personal data in its possession safe and secure.
  • https://forms.dataprotection.ie/report-a-breach-of-personal-data

SLIDE 10

Direct Marketing – GDPR lawful reason

  • You must have a lawful reason for processing personal data.
  • For Direct Marketing this is either consent or legitimate interest.
  • The GDPR states that:

'the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest'

  • 'At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at that time and in the context of the collection of the personal data that processing for that purpose takes place'
  • Therefore, yes, Direct Marketing can be carried out without consent; however, if relying on legitimate interest you must carry out a legitimate interest assessment.

SLIDE 11

Direct Marketing and Consent

Review how you ask for and record consent. If you choose to use consent as a legal basis for any of your processing, please note that consent (under the GDPR) must be freely given, specific, informed and unambiguous (obtained through a clear, affirmative action). It must be:

  1. Unbundled – separate from other terms and conditions, and not a pre-condition of signing up for a service;
  2. No pre-ticked opt-in boxes;
  3. Granular – consent is required for distinct processing operations or marketing channels. Examples of "processing operations" are data and behavioural analysis, profiling, segmentation, social media monitoring, and combining data from third parties. Ideally, provide a check-box for each one;
  4. Named – name your organisation and any third party who will be relying on the consent (precisely defined categories of third parties will not be enough);
  5. You must keep clear records to demonstrate consent;
  6. You need to tell people about their right to withdraw consent.

As well as the above, an organisation must give an individual the following information for consent to be considered specific and informed:

  • The purposes of the processing – why does your organisation need personal data from somebody? Make your reasons for requesting a piece of personal data very clear.
  • As a minimum, individuals must be informed about the types of processing being undertaken. If the specific processing activity is not brought to their attention, consent will not be informed, so it won't be valid.
  • Once you have gained consent you must keep it under review. People have only given consent for the processing specifically brought to their attention in any statement made during the data collection process. If your organisation wishes to change any of the processing activity, or repurpose the data, you must fully inform the individual and obtain further consent.

How long consent lasts will depend upon the individual context, so organisations must determine the duration themselves. This also means justifying, when challenged, why the organisation has chosen the data retention period. This aspect must be documented and form part of an organisation's records of processing activities. For products such as insurance which renew annually, it might be appropriate for consent to last a year.

Keep an audit trail for consent – who consented, when they consented, what they were told at the time, how they consented and whether consent has been withdrawn (include date, time and method of withdrawal).

SLIDE 12

Legitimate Interest – LIA

  • To minimise the risks to the individual, companies should implement safeguards to demonstrate their commitment to protecting an individual's personal data.
  • Some possible safeguards include:
    • Offer the ability to easily opt out of further marketing at every communication
    • Data minimisation – document strict limitations on what data is collected, how much is collected and what it is used for. Demonstrate that you have considered and are able to justify why you collect or retain the personal data you hold.
    • Conduct Data Protection Impact Assessments for new marketing projects
    • Demonstrate that you carry out regular staff training on data protection and privacy
    • Use privacy enhancing technologies such as encryption and secure file storage
    • Limit the number of marketing communications within a given timeframe to reduce inconvenience

SLIDE 13

How to ensure direct marketing meets each requirement of the GDPR

# | GDPR Requirement | Notes

Lawfulness, Fairness, Transparency

  1. DATA MINIMISATION – Is data adequate, relevant and limited to what is necessary?
     Notes: Ensure that the team is only collecting and storing the exact information required for marketing campaigns, e.g. if you do not send email marketing, do not store email addresses for the purposes of marketing.
  2. INTEGRITY AND CONFIDENTIALITY – How do you keep data secure, and how do you protect against unauthorised/unlawful processing, loss, destruction or damage?
     Notes: Outline who has access to marketing data and why, as well as what controls (IT and operational) are in place to ensure security.
  3. PURPOSE LIMITATION – Is data collected for a specified, explicit and legitimate purpose? What do you do with it?
     Notes: Identify the marketing processes that are in place and ensure individuals are informed of the purpose for the processing.
  4. ACCURACY – How do you ensure data is kept accurate and up to date?
     Notes: Document the measures in place for ensuring that data is accurate, and any processes carried out to ensure data stays accurate over time.
  5. STORAGE LIMITATION – How long do you keep data for, and can you justify those storage periods?
     Notes: Establish a retention policy for marketing-specific data.
  6. INTERNATIONAL TRANSFERS – Details of third-party transfers to other countries.
     Notes: Identify if data is transferred to other countries during marketing activities, e.g. if an email system such as Mailchimp is used, ensure a data protection agreement is in place and find out where your customers' data is being stored, e.g. are servers outside of the EU?

SLIDE 14

How to ensure direct marketing meets each requirement of the GDPR

  • LAWFUL BASIS – What is the lawful basis for the data processing?
    Notes: List the marketing processes carried out and determine whether Legitimate Interests or Consent is the best legal basis for each process. If Consent, ensure the gathering and management of consent is done in a GDPR-compliant manner. If Legitimate Interests, complete a Legitimate Interests Assessment. See the notes below on these legal bases.

Individuals' Rights

  • RIGHT TO BE INFORMED – Individuals need to know that you are collecting their data, why you are processing it and who you are sharing it with.
    Notes: Ensure the company privacy policy makes reference to how data will be used for marketing and the legal bases that may apply.
  • OTHER RIGHTS – Consider how you correct inaccurate data, delete data, restrict processing or stop processing of data if the individual requests it.
    Notes: Include details on your process to also inform your data processors of any requests to correct, delete or restrict processing, and how you follow up with the data processors to ensure this is carried out.

Accountability

  • PROCESSOR CONTRACTS – A Data Processing Agreement (DPA) is required to exist between the company and any external companies they use for data processing.
    Notes: If you use email marketing tools or companies to assist with postal marketing or SMS marketing, ensure an agreement is in place.
  • INTERNAL GDPR DOCUMENTATION
    Notes: Document all the processes, policies and measures in place to demonstrate accountability and compliance.

SLIDE 15

GDPR and ePrivacy

  • Aside from the GDPR, the company must also comply with the ePrivacy Regulations.
  • The ePrivacy Regulations specifically refer to unsolicited marketing to customers via electronic means, e.g. email, SMS and phone call.
  • Postal marketing is not subject to ePrivacy, nor is marketing that is solicited (directly asked for) by the customer, for example where they call and ask to be sent information on a product.

SLIDE 16

ePrivacy and GDPR

ePrivacy requires consent for most communication activities except in cases where:

  • The personal data was collected in the context of a sale (i.e. the person is an existing customer); and
  • The product or service being marketed is your own product or service;
  • The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details;
  • At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
  • Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
  • The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that twelve-month period.

The above is referenced from the Data Protection Commission website and SI No 336/2011 (11).

SLIDE 17

Telephone – ePrivacy

  • You must tell your customers (or potential customers) that you intend to use their data for marketing purposes and give them an opportunity at the point of collection to refuse such use or Opt Out (for example, by providing a "tick-box" on an application form).
  • In the case of a customer, you can call them even if they have opted out from receiving marketing calls on the National Directory Database ("NDD"), i.e. the consent given to your firm outweighs the preferences recorded on the NDD and so you do not need to check the NDD.
  • However, in the case of a non-customer, you must check the NDD for any opt-outs recorded before calling that individual, i.e. the NDD opt-out will override any consent given to your firm.
  • National Directory Database: http://www.openeir.ie/NDD/

SLIDE 18

Email and SMS – ePrivacy

  • SMS messages are treated like email and the same rules apply.
  • Email – individuals and business customers
  • At the point of sale, you must tell your customers that you intend to use their data for marketing purposes and give them an opportunity at the point of collection to refuse such use or Opt In (for example, by providing a "tick-box" on an application form).
  • For those customers who do not Opt Out, you can email them for marketing purposes, so long as:
    (i) It is within 12 months of the initial point of sale and receipt of their email details;
    (ii) The product or service being marketed is your own;
    (iii) The product or service being marketed is similar to that supplied to the customer in the context of the (previous) sale (e.g. another insurance product);
    (iv) In the email (and all subsequent emails), the customer is given a clear opt-out so as not to receive further such emails;
    (v) All subsequent marketing emails are within 12 months of the previous email and the customer has not opted out since the last email.
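Conditions (i)-(v) above, the explicit opt-in needed for non-business non-customers on the next slide, and the consent audit-trail fields from slide 11, written out as an added Python check (this is not code from the deck or from Atlantic Compliance). The record layouts, the reading of "12 months" as 365 days and the sample customers are assumptions.

```python
"""ePrivacy marketing-email eligibility, modelled on slides 16, 18 and 19.
Added example (not the deck's); layouts, 365-day "12 months" and samples are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TWELVE_MONTHS = timedelta(days=365)   # assumption: "12 months" read as 365 days


@dataclass
class Customer:
    subject_id: str
    sale_date: date                   # initial point of sale / receipt of email
    product_sold: str                 # what they bought, e.g. "motor-insurance"
    opted_out_at_collection: bool     # ticked the box refusing marketing use
    last_marketing_email: Optional[date] = None
    opted_out_since_last_email: bool = False


@dataclass
class Campaign:
    product: str
    own_product: bool                 # (ii) it is our own product or service
    similar_products: frozenset       # (iii) categories treated as similar
    has_clear_opt_out: bool           # (iv) every email carries an opt-out


@dataclass
class ConsentRecord:
    """Audit-trail fields from slide 11: who, when, what told, how, withdrawal."""
    subject_id: str
    channel: str                      # "email", "sms", ...
    consented_at: date
    told: str                         # statement shown at collection time
    method: str                       # e.g. "web form opt-in checkbox"
    withdrawn_at: Optional[date] = None
    withdrawal_method: Optional[str] = None


def soft_opt_in_failures(c: Customer, camp: Campaign, today: date) -> List[str]:
    """Conditions (i)-(v) for an existing customer. Returns every failing
    condition so the decision can be logged; an empty list means send."""
    failures = []
    if c.opted_out_at_collection:
        failures.append("customer refused marketing use at point of collection")
    # (i)/(v): first email within 12 months of the sale, later emails within
    # 12 months of the previous one (slide 16's "or, where applicable" wording)
    anchor = c.last_marketing_email or c.sale_date
    if today - anchor > TWELVE_MONTHS:
        failures.append("(i)/(v) more than 12 months since sale or last email")
    if not camp.own_product:
        failures.append("(ii) product being marketed is not our own")
    if c.product_sold != camp.product and c.product_sold not in camp.similar_products:
        failures.append("(iii) product not similar to the one sold")
    if not camp.has_clear_opt_out:
        failures.append("(iv) email does not offer a clear opt-out")
    if c.opted_out_since_last_email:
        failures.append("(v) customer opted out since the last email")
    return failures


def has_explicit_opt_in(records: List[ConsentRecord], subject_id: str, channel: str) -> bool:
    """Non-business non-customers (slide 19): a recorded, un-withdrawn opt-in
    for that channel is required before any marketing email."""
    return any(r.subject_id == subject_id and r.channel == channel
               and r.withdrawn_at is None for r in records)


# Constructed sample data (not from the deck) so the module runs stand-alone.
SAMPLE_TODAY = date(2019, 6, 20)
SAMPLE_CAMPAIGN = Campaign("home-insurance", True, frozenset({"motor-insurance"}), True)
ALICE = Customer("c-001", date(2018, 11, 3), "motor-insurance", False,
                 last_marketing_email=date(2019, 3, 1))
BOB = Customer("c-002", date(2019, 2, 1), "pet-insurance", False,
               last_marketing_email=date(2019, 5, 1), opted_out_since_last_email=True)
CONSENTS = [ConsentRecord("p-009", "email", date(2019, 1, 5),
                          "We will email you about our products", "web form opt-in")]

if __name__ == "__main__":
    for cust in (ALICE, BOB):
        print(cust.subject_id, soft_opt_in_failures(cust, SAMPLE_CAMPAIGN, SAMPLE_TODAY) or "ok to send")
    print("p-009 email opt-in:", has_explicit_opt_in(CONSENTS, "p-009", "email"))
```

The failure list is what you would write to the consent audit trail alongside the send decision; a suppression check that only returns a boolean cannot later show why a given email was or was not sent.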

SLIDE 19

Email – Non-Customers – ePrivacy

  • Email – non-customers
  • For non-business non-customers: you must have their prior explicit consent (i.e. Opt In) before emailing them for marketing purposes.
  • However, for business non-customers (even individuals, sole traders for example), you can email them for marketing purposes as long as their business or official email is received by you in the context of commercial or official activity or is listed in a business directory.

SLIDE 20

Postal mail – GDPR but not ePrivacy

  • You must tell your customers (or potential customers) that you intend to use their data for marketing purposes and give them an opportunity at the point of collection to refuse such use or Opt Out (for example, by providing a "tick-box" on an application form).
  • An individual may withdraw consent to direct marketing at any time. The data controller has 28 days to comply with a request to cease direct marketing.
  • For non-customers, you can use names and addresses on the most up-to-date version of the Edited Electoral Register, but not the Full Register, for postal marketing. Individuals on the Edited Register are those who, when registering to vote, did not object to their personal data being used for marketing.

SLIDE 21

FAQ – Can I use bought-in lists?

  • You can use bought-in lists to make live marketing calls, but you should screen against your own 'do-not-call' list of people who have previously objected to or opted out of your calls.
  • You must be very careful before using bought-in lists for recorded calls, texts or emails. You can only use them if all the people on the list specifically consented to receive that type of message from you. Generic consent covering any third party is unlikely to be enough. Consent must be for the named company and for the type of marketing message you want to send (e.g. email, SMS, and what the message contents will be).
  • You must make checks to satisfy yourself that any list is accurate, that the details were collected fairly, and that the consent is specific and recent enough to cover your marketing. It is advisable to carry out significant due diligence on the list providers and be wary if you experience any resistance. Check the data you have bought against your own suppression/unsubscribe lists and ensure you are not sending marketing to anyone who has already opted out.
  • Clearly identify the third-party data source on your CRM, as this will allow you to demonstrate a record of the data source as required under the GDPR and will allow you to easily extract/delete data from this source at a later date should compliance concerns arise.

SLIDE 22

Can I cold-email someone if their address is publicly available on their website?

  • You will need to consider both the GDPR and the ePrivacy Regulations in this scenario.
  • Currently, under ePrivacy, you can email an individual or a business for marketing purposes as long as their business or official email is received by you in the context of commercial or official activity or is listed in a business directory.
  • Under the GDPR, as you will not have consent for cold emails, you may be able to rely on legitimate interests to send a first email, but you must try to obtain consent to continue sending further communications.
  • Please note, the new ePrivacy Regulation may change the rules about how corporate and individual subscribers are treated, so be mindful of this upcoming regulation.

SLIDE 23

Sharing Lists?

  • Can I share lists with other companies in the group?
  • The same rules apply as for other third parties. If you intend to share the list within your group, you must have each individual's specific consent to marketing from your group companies.
  • As always, the best way to get consent is to provide an opt-in box. Ideally, you should list the group companies (you could do this online by providing a link).
  • You may even want to consider offering separate opt-ins for each company, to give the individual greater choice and to target your group's marketing more effectively.
  • You cannot show consent if you only provide information about marketing from your group companies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

SLIDE 24

Can my mobile phone be targeted for marketing phone calls?

  • Under the ePrivacy Regulations (SI 336 of 2011) marketing calls to mobile phones are prohibited unless (i) the caller has been notified by the subscriber or user that he or she consents to the receipt of such calls on his or her mobile telephone, or (ii) the subscriber or user has consented generally to receiving marketing calls and that consent to receive marketing calls is recorded in the NDD in respect of his or her mobile telephone number.
  • In relation to email and mobile phone text-based direct marketing, it is an offence to send such communications to you without your clear consent in advance. In the case of businesses, messages can be sent until such time as the sender is asked to stop, and any subsequent messages from that sender would then be an offence.

SLIDE 25

Legitimate interests is not a blanket solution

  • Cold-emailing huge lists of addresses scraped from the internet… you will be in violation of the GDPR if you do this.
  • You must be able to justify why you chose a specific person in an organisation to send marketing communications to, and you should be able to show that you adhered to the GDPR principles of legality, fairness and transparency in the process you used to obtain their address.
  • To be able to rely on legitimate interests, you need to be able to show that you have a strong reason to contact the individual, that you have personalised your message to them, that both of your organisations are likely to benefit from a potential business relationship, and that you have informed them you are processing their data and given them a clear way to opt out of further communications.
  • You must also keep in mind the principle of only storing data for as long as needed. If you do not receive a response to your cold email, you should remove the data from your list in a timely manner.

SLIDE 26

Update on the new ePrivacy Regulation

  • The European Union is currently negotiating the text of the regulation and there have been a number of drafts.
  • Nothing is decided yet, but the current draft (dated Feb 15th 2019) would make the following changes:
    • Definition of communications service. Current laws refer to traditional methods of communication (phone, email, SMS). The new legislation will be expanded to include communications made over messaging services, web-based email and VoIP, so WhatsApp, Facebook Messenger, Skype and similar.
  • Expected 2021

SLIDE 27

Direct Marketing – GDPR

  • The GDPR does not forbid companies from reaching out to "unknown" individuals; it defines the guidelines under Article 14 (the data subject needs to "accept" your "pitch").
  • Not only must you carry out a legitimate interest assessment, you must also inform your customers within your privacy notice.

SLIDE 28

The Risk

  • There is an "instituted" dangerous idea that Supervisory Authorities are both focused on "big fish" and just do not have the "resources" to audit the marketplace. The risk for companies does not derive from a "lottery"-like scenario where you become "eligible" for auditing; it is a fact that Supervisory Authorities do not have the means to audit the entire market, so they are focused on following data subjects' complaints. Hence, do not make your prospects "angry".

SLIDE 29

Direct Marketing – Finally

  • Bottom line
  • You can reach out to prospects (even if you had not previously done so), just "adapt" accordingly to the Regulation, and the advantage you will get is a win-win:
    • Being compliant towards the GDPR;
    • Creating leverage towards your prospects by demonstrating you are concerned about their privacy (make them "happy" and "confident" in you);
    • Getting "qualified leads" instead of "vague" signals or total unawareness about the effective impact of your campaign.

SLIDE 30

Next Steps – what you could/should be doing now

  • Review:
    • Privacy notice
    • GAP Analysis
    • Retention Schedule and Policy
    • Data Mapping
    • SAR procedures