10 Practical steps to future-proof your processing – Rosemary Smith, Opt-4, in association with DMA – PowerPoint PPT Presentation


SLIDE 1

10 Practical steps to future-proof your processing

Rosemary Smith – Opt-4, in association with DMA Scotland
Edinburgh – 30th June 2016
www.dpnetwork.org.uk

SLIDE 2

SLIDE 3

SLIDE 4
  • 1. Begin your preparations now

“The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.” – ICO statement on Brexit result

SLIDE 5
  • 2. Make sure your privacy notices meet the “transparency” challenge

SLIDE 6
  • 3. Assess the impact ‘opt-in’ would have on your database
  • Accepted wisdom suggests that the typical permission rate for opt-out is around 70%, i.e. 30% opt-out at the point of collection
  • Similarly, the typical opt-in rate would be around 30%?

[Chart – Opt-out: 70% implied permission, 30% opt-out. Opt-in: 30% explicit opt-in permission, 70% don't opt-in]

SLIDE 7

Results for opt-in by channel

“We’d love to keep you updated about research and services for <charity name>. To receive these communications, please tick the boxes below:
[ ] Email
[ ] SMS
[ ] Post
[ ] Phone
You can unsubscribe at any time.”

Typical permission rates:
  • Email: 30 to 45%
  • SMS: 1 to 10%
  • Post: 15 to 25%
  • Phone: 5 to 10%

SLIDE 8

Results for opt-in by channel

SLIDE 9
  • 4. Test and optimise data collection statements

[ ] “We’d like to keep you informed by email about our future offers and new product launches. Please tick this box to let us know that you are happy for us to do this. (Don’t forget, you can change your contact preferences at any time by logging into your account or by using the unsubscribe links which you will find on all our emails.)”

66%

SLIDE 10

What about icons?

SLIDE 11
  • 5. Consider using legitimate interests for some Direct Marketing

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” – Recital 47

SLIDE 12

Assessing Legitimate Interests

  • Does a relationship exist?
  • Are the interests of the data subject ‘overriding’? Weigh up the balance of your interests against the data subject’s rights.
  • Will be overridden by an objection from the data subject – so exclude opt-outs.
  • Would this processing be within their reasonable expectations? Must still meet the requirements under PECR.

SLIDE 13
  • 6. Make sure you can store proof of consent and multiple permissions

Article 7 Conditions for consent

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

SLIDE 14

[Diagram – examples of the permissions and objections to be recorded against a data subject]
  • I said stop DM Profiling me! [date]
  • I gave Parental consent [date/child’s name]
  • I consented to marketing by channel [date/wording]
  • I objected to processing under Legitimate Interests [date]
  • I’ve made 10 subject access requests this year
  • I objected to Direct Marketing by channel [date]
  • I explicitly Consented to sensitive data processing [date]
  • I explicitly Consented to legal profiling [date]
  • I asked to be Erased [date]
  • This data is processed under LI
  • Data is minimised after erasure request
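Steps 6 and 9 together describe a record that must answer two questions on demand: "can we market to this person through this channel, and on what basis?" and "show me the consent you are relying on" (Article 7). The sketch below is an added illustration, not code from the presentation or from Opt-4: a minimal per-subject consent ledger that stores consent by channel with the exact wording and capture point, records objections (Article 21(3)), legitimate-interests objections and erasure requests, and derives the marketing decision from the dated history rather than from a single overwritten flag. The subject identifiers, dates, wording and form ids in `demo()` are constructed sample data; channel names and the `source` field are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Event kinds, mirroring the items the slide says must be recorded.
CONSENT = "consent"            # explicit consent to marketing via a channel
OBJECTION = "objection"        # objection to direct marketing via a channel (None = all channels)
LI_OBJECTION = "li_objection"  # objection to processing under legitimate interests
ERASURE = "erasure"            # request to be erased


@dataclass(frozen=True)
class ConsentEvent:
    when: date                     # date the permission was given or withdrawn
    kind: str                      # one of the event kinds above
    channel: Optional[str] = None  # "email", "sms", "post", "phone"; None = every channel
    wording: str = ""              # exact statement the subject agreed to (proof of consent)
    source: str = ""               # where it was captured (hypothetical form/campaign id)


@dataclass
class SubjectRecord:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, event: ConsentEvent) -> None:
        self.events.append(event)  # append-only: history is the evidence

    def latest(self, kind: str, channel: Optional[str] = None) -> Optional[ConsentEvent]:
        """Most recent event of `kind` covering `channel` (channel-specific or all-channel)."""
        matches = [e for e in self.events
                   if e.kind == kind and (channel is None or e.channel in (channel, None))]
        return max(matches, key=lambda e: e.when) if matches else None

    def may_market(self, channel: str, basis: str = "consent") -> bool:
        """Is direct marketing via `channel` permitted on the given lawful basis?"""
        if self.latest(ERASURE) is not None:
            return False  # an erased subject is never marketed to
        objection = self.latest(OBJECTION, channel)
        if basis == "consent":
            consent = self.latest(CONSENT, channel)
            if consent is None:
                return False  # no opt-in on record for this channel
            # an objection on or after the consent date withdraws it; a later re-consent restores it
            return objection is None or objection.when < consent.when
        if basis == "legitimate_interests":
            # Article 21(3): any objection ends DM processing; so does an objection to LI itself
            return objection is None and self.latest(LI_OBJECTION) is None
        raise ValueError(f"unknown lawful basis: {basis}")

    def proof_of_consent(self, channel: str) -> Optional[dict]:
        """What the controller produces to demonstrate consent: when, which wording, where."""
        consent = self.latest(CONSENT, channel)
        if consent is None:
            return None
        return {"subject": self.subject_id, "channel": channel, "date": consent.when.isoformat(),
                "wording": consent.wording, "source": consent.source}

    def minimise_after_erasure(self) -> int:
        """Keep only the suppression facts needed to honour erasure/objections; drop wording and sources."""
        keep = [e for e in self.events if e.kind in (ERASURE, OBJECTION, LI_OBJECTION)]
        dropped = len(self.events) - len(keep)
        self.events = [ConsentEvent(e.when, e.kind, e.channel) for e in keep]
        return dropped


def demo() -> dict:
    """Constructed sample histories; returns the decisions a campaign selection tool would need."""
    alice = SubjectRecord("subject-0001")
    alice.record(ConsentEvent(date(2016, 6, 30), CONSENT, "email",
                              wording="We'd like to keep you informed by email ...", source="web-signup-v2"))
    alice.record(ConsentEvent(date(2016, 9, 1), OBJECTION, "email"))  # used the unsubscribe link
    alice.record(ConsentEvent(date(2017, 1, 15), CONSENT, "email",
                              wording="Tick this box to hear about offers by email", source="checkout-v3"))

    bob = SubjectRecord("subject-0002")  # mailed by post under legitimate interests, no consent held
    bob_before = bob.may_market("post", "legitimate_interests")
    bob.record(ConsentEvent(date(2016, 7, 4), LI_OBJECTION))

    carol = SubjectRecord("subject-0003")
    carol.record(ConsentEvent(date(2016, 6, 1), CONSENT, "sms", wording="Tick for SMS", source="form-7"))
    carol.record(ConsentEvent(date(2016, 8, 1), ERASURE))
    dropped = carol.minimise_after_erasure()

    return {"alice_email": alice.may_market("email"), "alice_sms": alice.may_market("sms"),
            "alice_proof": alice.proof_of_consent("email"),
            "bob_before": bob_before, "bob_after": bob.may_market("post", "legitimate_interests"),
            "carol_sms": carol.may_market("sms"), "carol_dropped": dropped,
            "carol_events": len(carol.events)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the decision is recomputed from dated events, so an objection received after the consent it cancels is honoured without anyone having to remember to clear a flag, and the evidence for "they consented" (date, wording, capture point) is the same record the marketing selection reads. After an erasure request the record is reduced to a suppression entry, which is what "data is minimised after erasure request" on the slide amounts to in practice.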

SLIDE 15
  • 7. Review contracts with processors
  • The nature of the processing, the categories of personal data and the term
  • The rights and duties of each party
  • Processing can only be carried out with documented instructions of the Controller
  • Staff confidentiality
  • Security of data
  • Approval of sub-contractors
  • Assistance in fulfilling data subjects’ rights
  • Assistance with conducting DPIAs and with Privacy By Design
  • Processor must provide sufficient guarantees as to technical and organisational measures to ensure GDPR compliance and the rights of data subjects
  • Deletion or return of data on termination
  • Right to audit the processor
  • Processor must “call out” any instructions from controller which could lead to a breach

SLIDE 16
  • 8. Check your profiling. Does it need consent?

  • Provide a credit score
  • Data selection for a credit card
  • Evaluate a mortgage application
  • Use a geo-demographic profile
  • Segment data for a campaign
  • CCTV monitoring
  • Choose which clients to invite to an event

SLIDE 17
  • 9. Prepare to fulfill Data Subject rights

“Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” – Article 21(3)

SLIDE 18

Is this the right to have DNT requests honoured?

“In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.” – Article 21(5)

SLIDE 19

And other rights….

  • Data Portability
  • The right to erasure
  • Free subject access

SLIDE 20
  • 10. Consider using positive privacy communications to increase trust
  • Demonstrates the data value exchange
  • Produces positive impact on marketing permissions
  • In line with transparency requirements in the GDPR

SLIDE 21

Greater data transparency

Benefits
  • Provides greater clarity
  • Reassures
  • Supports brand values
  • Increases permission, engagement & trust
  • First mover advantage

Risks
  • Walking the walk
  • Attracts activists / regulator scrutiny
  • Increases SARs
  • Competitors could take first mover advantage

SLIDE 22

http://www.channel4.com/4viewers/viewer-promise/ourpromise

10m registered users, 50% 16-24 year olds
SLIDE 23

http://www.o2.co.uk/termsandconditions/privacy-policy

20k unique views per month

SLIDE 24

https://www.youtube.com/watch?v=2MdQa87fqnw

SLIDE 25

http://www.theguardian.com/info/video/2014/nov/03/why-your-data-matters-to-us-video

SLIDE 26

10 Practical steps to future-proof your processing

  1. Begin your preparations now
  2. Make sure your privacy notices meet the “transparency” challenge
  3. Assess the impact ‘opt-in’ would have on your database
  4. Test and optimise data collection statements
  5. Consider using legitimate interests for some Direct Marketing
  6. Make sure you can store proof of consent and multiple permissions
  7. Review contracts with processors
  8. Check your profiling. Does it need consent?
  9. Prepare to fulfill Data Subject rights
  10. Consider using positive privacy communications to increase trust

SLIDE 27

The original content of this presentation is the intellectual property of Opt-4 Ltd and may not be reproduced without permission. © 2016