CASE STUDY: New EU legislation: how to avoid data disaster

New EU data protection law: how to avoid disaster

Stephen Groom

Osborne Clarke (osborneclarke.com)

• An international law firm
• 600 lawyers
• 8 countries
• 18 offices
• 6 key sectors including digital business
• Leaders in marketing and privacy law
• Marketinglaw.co.uk

Current data protection obligations in a nutshell

• Knowledge / consent
• Restrictions on transfers outside the EEA
• Keep data accurate & up-to-date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt in / out consent for email / SMS marketing
• Screen against TPS/FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)

New data protection obligations from February 2017?

All of the existing obligations (knowledge / consent, restrictions on transfers outside the EEA, accuracy, retention, data subject requests, annual notification, opt in / out consent for email / SMS marketing, TPS/FPS screening, cookie consent, relevance, ICO breach notification) remain, plus:

• DPO requirement
• Enhanced data subject rights:
  − right to be forgotten
  − data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (<2% worldwide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Profiling only with explicit prior consent

Non-compliance – the penalties: key regulator weapons and other impacts

1. Fines – are on the increase:
   • UK (ICO has had power to fine up to £500k from April 2010)
2. Weapons used by National Regulatory Authorities:
   • Good Practice Assessments
   • Enforcement Notices/Undertakings
3. It's not just about fines:
   • Negative impact on share value
   • Customer and staff perception and trust
   • Brand damage
   • Diversion of time and resources

Increase in enforcement: 2013/4 marketing law milestones

• June 2013: ICO fines Save Britain Money £225,000 for nuisance calls
• December 2013: ICO fines payday lender First Financial UK Ltd £175,000 for spam texts
• January 2014: Spain – jewellery companies first in Europe to be fined for non-compliance with cookie laws
• January 2014: UK High Court Vidal-Hall vs Google – behavioural targeting (ongoing)
• February 2014: Trading standards criminal prosecution against cold callers Apple Group Holdings £36,000
• March 2014: "serious breach" £500K hurdle may be lowered to "serious nuisance and annoyance"

[Chart: Average Monetary Penalty Notice amount per year*, 2010–2014; y-axis: average monetary penalty, £0 to £200,000]

* Statistics for 2010 only include November and December. Based on data from http://ico.org.uk/enforcement/trends

Data privacy and marketing: the bottom line

• So with stricter data protection laws round the corner…
• enforcers taking more action under the existing law and…
• the threshold for six figure fines likely to be reduced…
• doing nothing until new data protection laws arrive…
• is not an option.

Technology and business trends: what makes our phone ring?

• Cloud computing
• BYOD
• Location marketing
• Tracking / cookies
• Social media
• Digital sales
• Near field communications/payments
• Outsourcing / offshoring
• Telematics/vehicle tracking
• Smart meters, grid, devices, home…
• Global HR systems

(1) Assign responsibility: bite the bullet and appoint a DPO

1. Assign ownership (and budget)
   − Time to appoint a DPO (law may oblige you to soon)
2. Who should it be: IT, Legal, Compliance, HR?
   − Benefits of legal privilege
3. Visible reporting lines
   − To existing risk committees and to the board
4. Risk registers
   − Failure to address known issues increases penalties, whether your issues or a 3rd party's

(2) Get serious about training: ICO's #1 pet hate

1. 72% of ICO enforcement action last year cited lack of suitable training as a reason action was taken
2. So who to train?
   − Start with the DPO and leaders of teams who process your most sensitive data
   − Viral training – train the trainer
3. Desktop or in person?
4. The message can be spread in other ways too
   − Videos, notices, pop-up reminders, pay slip inserts…
5. Ensure it's not a one-off event

(3) Time to review your policies: are your current policies fit for purpose?

1. Technology/business developments have rendered many policies out of date
   − Privacy
   − Cookies
   − Social media
   − BYOD
   − Security
   − Data retention
3. Beware need for Works Council approval if changing policies in EU

(4) Review your approach to hiring marketing service suppliers: what have you agreed, what will you agree?

Key DPA principles:

"Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"

– Written contracts required with suppliers
– Staff reliability measures
– Supplier selection linked to security guarantees
– Steps to ensure ongoing supplier compliance

Data only kept as long as it is needed

• Check which suppliers process valuable data
• Check existing contracts, precedents and RFP language

(5) Registrations: in place and up to date?

1. Classic error is to be under-registered
2. N.B. each group company must notify – as must company pension trusts
3. Separate registrations required in each EU country for each Data Controller
4. In the UK 2 tier fees – payable annually:
   • £35; or
   • £500 if > £25.9M turnover and > 249 staff

(6) Intra-group data transfers: assess your compliance with the fiddliest aspect of DP laws

1. Even if you don't have global operations your suppliers may do
2. Europe's law makers and regulators are fixated by data transfer issues
   • Check your data transfer solutions – model contracts, safe harbor, BCRs
   • Beware model contract registration requirement in many EU countries
3. Remember that
   • viewing personal data on a UK server from a terminal in the US = a data transfer
   • EU data laws apply to personal data of all living individuals, not just EU citizens

(7) Security breach notification: plan your approach to reacting to cyber attack or data loss

1. Design your team – Legal, IT, PR, HR?
2. Pre-plan for the issues which it will need to consider:
   i. Location – breach, affected individuals
   ii. Seriousness of breach (timing, potential for harm, numbers affected, sensitivity of data involved)
   iii. Measures taken to limit harm
   iv. Evidence preservation
   v. Legal privilege
   vi. Who will need to be notified?
   vii. Insurance position

(8) Marketing compliance: do your sales and marketing teams know their responsibilities?

1. Ensure that relevant teams understand opt in / out
2. Consider partners
   • Do you have control of all notices?
3. Review approach to marketing list purchase
   • The DMA's list purchase warranties
4. Time for a marketing audit?

Useful materials

General:

• ICO's introductory DP guide
  – https://www.ico.gov.uk/Global/~/media/documents/library/Data_Protection/Practical_application/THE_GUIDE_TO_DATA_PROTECTION.ashx
• ICO's direct marketing guidance
  – http://ico.org.uk/enforcement/action/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf
• ICO's data breach guidance note
  – http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Practical_application/breach_reporting.ashx
• EC's review of Data Protection laws and link to draft regulation
  – http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf

Osborne Clarke:

• OC's White Paper – "Prepare now and avoid the risks" – contact us for a copy
• OC's Data report (The Data Gold Rush) and DP blog:
  – http://www.osborneclarke.com/connected-insights/campaigns/data-gold-rush/

Any questions?

Stephen Groom
Co-chair – Advertising & Marketing Law Group
Deputy Chair – Privacy and Data Law Group
T +44 (0) 207 105 7078
M +44 (0) 7788 584 295
[email protected]
www.marketinglaw.co.uk