10 Practical steps to future-proof your processing Rosemary Smith – Opt-4 In association with DMA Scotland Edinburgh – 30 th June 2016 www.dpnetwork.org.uk
1. Begin your preparations now “The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018. ICO statement on Brexit result
2. Make sure your privacy notices meet the “transparency” challenge
3. Assess the impact ‘opt - in’ would have on your database Opt-out Implied permission 30% opt-out • Accepted wisdom suggests that the 30% typical permission rate for opt-out is around 70% 70% i.e. 30% opt-out at the point of collection Opt-in • Similarly the typical opt-in rate would be around 30%? 30% explicit opt-in permission 30% Don't opt-in 70%
Results for opt-in by channel We’d love to keep you updated about research and services for <charity name>. To receive these communications, please tick the boxes below: Typical permission rates [ ] Email Email: 30 to 45% [ ] SMS SMS: 1 to 10% [ ] Post Post: 15 to 25% [ ] Phone Phone: 5 to 10% You can unsubscribe at any time.
Results for opt-in by channel
4. Test and optimise data collection statements [ ] “We’d like to keep you informed by email about our future offers and new product launches. Please tick this box to let us know that you are happy for us to do this. (Don’t forget, you can change your contact preferences at any time by logging into your account or by using the unsubscribe links which you will find on all our emails.) 66%
What about icons?
5. Consider using legitimate interests for some Direct Marketing “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest ” Recital 47
Assessing Legitimate Interests • Does a relationship exist? • Are the interests of the data subject ‘overriding’? Weigh up the balance of your interests against the data subject’s rights. • Will be overridden by an objection from the data subject – so exclude opt-outs. • Would this processing be within their reasonable expectations? Must still meet the requirements under PECR.
6. Make sure you can store proof of consent and multiple permissions Article 7 Conditions for consent Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
Data is I asked to be minimised I said stop DM I gave Parental consent Profiling me! Erased [date] after erasure [date/child’s name] [date] request I explicitly I consented to Consented to I objected to processing marketing by legal profiling under Legitimate channel [date] Interests [date] [date/wording] I explicitly Consented to I’ve made 10 I objected to This data sensitive data subject access is processed requests this Direct Marketing processing year under LI [date] by channel [date]
7. Review contracts with processors • • The nature of the processing, the Processor must provide sufficient categories of personal data and the guarantees as to technical and term organisational measures to ensure GDPR compliance and the rights of • The rights and duties of each parties data subjects • Processing can only be carried out • Deletion or return of data on with documented instructions of the termination Controller • Right to audit the processor • Staff confidentiality • Processor must “call out” any • Security of data instructions from controller which • Approval of sub-contractors could lead to a breach • Assistance in fulfilling data subjects’ rights • Assistance with conducting DPIAs and with Privacy By Design
8. Check your profiling. Does it need consent? CCTV monitoring Segment data for a campaign Provide a credit score Data selection for Evaluate a mortgage application a credit card Choose which clients to invite to a event Use a geo-demographic profile
9. Prepare to fulfill Data Subject rights “Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” Article 21 (3)
Is this the right to have DNT requests honoured? “In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications .” Article 21(5)
And other rights…. Data Portability The right to erasure Free subject access 19
10. Consider using positive privacy communications to increase trust • Demonstrates the data value exchange • Produces positive impact on marketing permissions • In line with transparency requirements in the GDPR
Greater data transparency Benefits • Provides greater clarity Risks • Reassures • Walking the walk • Supports brand values • Attracts activists / regulator • Increases permission, scrutiny engagement & trust • Increases SARs • First mover advantage • Competitors could take first mover advantage
10m registered users 50% 16-24 year olds http://www.channel4.com/4viewers/viewer-promise/ourpromise
20k unique views per month http://www.o2.co.uk/termsandconditions/privacy-policy
https://www.youtube.com/watch?v=2MdQa87fqnw
http://www.theguardian.com/info/video/2014/nov/03/ why-your-data-matters-to-us-video
10 Practical steps to future-proof your processing 1. Begin your preparations now 2. Make sure your privacy notices meet the “transparency” challenge 3. Assess the impact ‘opt - in’ would have on your database 4. Test and optimise data collection statements 5. Consider using legitimate interests for some Direct Marketing 6. Make sure you can store proof of consent and multiple permissions 7. Review contracts with processors 8. Check your profiling. Does it need consent? 9. Prepare to fulfill Data Subject rights 10. Consider using positive privacy communications to increase trust 26
The original content of this presentation is the intellectual property of Opt-4 Ltd and may not be reproduced without permission 2016 (c)
Recommend
More recommend
