Page 1: DMA - DPC Workshop - 23 October 2013

Data protection 2013
Friday 8 February
#dmadata
Supported by

Data protection compliance workshop
Wednesday 23 October 2013

Page 2

Welcome and Overview

Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy

Page 3

INTRODUCING THE DATA PROTECTION ACT 1998

Lesley Tadgell-Foster, Shelfline

Page 4

Be Aware

The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd. nor by the Direct Marketing Association.

It does not make any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.

Page 5

The danger of better targeting meaning more intrusion

• Customers worry about what happens to their information and how it can be used against them, and they fear being sold to – but expect it
• High profile data losses – justified fears
• Concerns fuelled by the media – the ‘they know what’s in your shopping basket’ syndrome...
• Data collection meets record-keeping

Page 6

…continued

• Respect for customers’ rights to privacy and discretion is always vital in building confidence, and is now enshrined in legislation
• The obligation of marketing to offer explanations, reassurance and honesty
• Self-interest prevails – lose customer confidence and expect them to cut contact

Page 7

Purpose of the 1998 Data Protection Act

• To safeguard the public from abuse in the collection/storage and distribution of personal information
• Information relating to identifiable, living individuals only – not organisations
• Can be held on computer or system
• Or in a ‘relevant filing system’. Not your address book – but in a structured way – such as a card index

Page 8

…continued

• So manual records are included. Transitional relief until October 2007 for full compliance
• Can also include photographs and systems such as CCTV

Page 9

RESPONSIBILITIES DEFINED

Page 10

The Data Controller:

• This is the ‘person’ deciding why/how personal data is processed
• More likely that the organisation is the Data Controller
• An individual employee is only likely to ‘carry the can’ if shown to be ‘knowingly or recklessly contravening the employer’s policies and procedures’. But....?

Page 11

The Data Processor:

• ‘Any person other than an employee of the data controller who processes data on behalf of…’
- Computer bureaux
- Individual market researchers collecting survey responses

Page 12

AND WHAT IS PROCESSING?

Page 13

Anything to do with personal data, from:

• Obtaining
• Using
• Holding/Storing
• Changing
• Disclosing
• Erasing
• Disposing

Page 14

The Eight Principles Reviewed

1. Personal data must be processed fairly and lawfully

The concept of fairness implies using candour and transparency in dealing with the acquisition of customers’ personal information

Are they deceived or misled in any way about your purposes for obtaining/using the data?

Page 15

The Eight Principles Reviewed

2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes

Think purposes – not files

Page 16

The Eight Principles Reviewed

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

Avoid ‘just in case’ information

Defer to the minimum

Page 17

The Eight Principles Reviewed

4. Personal data shall be accurate and, where necessary, kept up to date

Gives very frequent rise to customer irritation, resentment and suspicion

Page 18

The Eight Principles Reviewed

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

Depends on both data and application

Page 19

The Eight Principles Reviewed

6. Personal data shall be processed in accordance with the rights of data subjects under this Act

Page 20

The Eight Principles Reviewed

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Real emphasis on the integrity of data and reliability of operations

Data controller takes responsibility for ensuring that any agency (bureaux) maintains adequate security and is bound by contract

Page 21

The Eight Principles Reviewed

8. Personal data shall not be transferred to a country or territory outside the EU unless it ensures an adequate level of protection for the rights and freedoms of data subjects…

Page 22

The individual is an active part of the ‘system’ of data protection

• this allows the right to know that processing is being undertaken
• the right to inspect personal data
• the right to prevent processing in certain circumstances (e.g. for direct marketing)
• the right to rectify, block or erase data

Page 23

Is data processed/amended outside the EEA – possibly to be returned to the UK later?

Does the country have ‘adequate’/mirror legislation to ours?

• For USA can consider use of ‘safe harbors’ model contracts
• Everywhere else need tailored contracts for contractor/company overseas to demonstrate adherence to UK DP regime

Page 24

Sensitive Data – Opt in always

• Racial or ethnic data
• Political Opinions/Trade Union membership
• Religious or similar beliefs
• Physical/mental health
• Sexual Life
• Committed or alleged offences

Page 25

Customer Understanding and Agreement

• The most onerous duty of all
• Must ‘signify’ consent – a positive communication
• Consent must be specific and informed
• The role of the ‘opt out’ box
• Depend on clarity of wording
• Cannot be given under duress
• Consent can be withdrawn

Page 26

So What Place Direct Marketing?

• The right to reject unsolicited marketing – by whatever means
• So – media neutral!
• Define the nature and purpose of the contact
• Are they just saying ‘no’ to your material, or are they also rejecting that from third parties?

Page 27

…continued

• You may well need two opt out clauses
• Danger of combining into a single one?
• “From time to time we may wish to contact you with further information about our products and those of other companies we think may interest you. Please tick if you do not wish this to happen”

Page 28

Media Choices

Can you implement real choice every time, without fail?

- Direct mail
- Telephone
- Fax
- Email
- SMS/text

Page 29

Almost all opt-out still....

Privacy & Electronic Communication Regulations: ‘PECR’ - from 2004

Email: Opt out OK for EXISTING customers/similar products only (also known as the soft opt-in)

SMS: Same regime

Transfer to 3rd parties for them to undertake marketing = Opt-in

Page 30

Anyone still using fax?

Has always been opt in for home users/sole traders & partnerships

Page 31

More Concerns

• What exactly do you plan to send?
• Now – in the future?
• Will you change your media approaches over time?
• And what about new products/services?
• You don’t pass on your customer list at the moment – but might you at some point?
• OPT-IN ALWAYS FOR 3rd party Email/SMS transfers

Page 32

GOODBYE TO THE ELECTORAL ROLL

Not entirely – but enough to lose complete coverage

Two versions – opt-outs up to 46% in Wandsworth

Credit Referencing use still OK – for now…

Page 33

Consent at the earliest opportunity

• And there’s no going back…
• No means no
• The Boots Advantage Case

Page 34

What Information Do You Have on Me?

• Subjects’ Right of Access
• Across all material/all databases/all departments
• Subjects can be internal as well as external for data protection purposes
• Think Human Resources/Personnel records
• How easy/quick for you to collate all files held on a single name?

Page 35

…continued

• Credit rejection based on inaccuracy or scoring?
• How best to explain to customers your decision making?
• Maximum fee £10
• Maximum period 40 days

Page 36

Don’t Box Yourself In

• What about CRM?
• How best to ensure continuity over time?
• What about changing lifestyles/lifestages?
• How much can/do you tell on future communications?
• Make it as enticing as possible – given space/truth, but don’t over-promise
• Optimise the opt-out to cleanse your list of the no-hopers
• Work through how to retain the best

Page 37

Other People’s Customers

• Are you using data across different divisions to subsidiary companies?
• In the customer’s shoes – how closely related to the known purpose for giving data?
• Running a Current Account is not the same as using the ledger to cross-sell Life Insurance
• What if you start up a new venture and contact existing customers with offers?

Page 38

…continued

• Ask questions about rented-in lists
• Have list warranties been obtained?
• Still run against the Preference Services
• Is it time to re-visit those who haven’t opted-out with a new consent?

Page 39

Business to Business

Business lists with contact names capable of identifying a living individual fall squarely within the scope of the new Act

Offer marketing preferences in exactly the same way to business prospects/customers as for consumers

Page 40

The Preference Services

TPS & CTPS, for suppressing numbers from cold telephone canvassing

Mailing Preference Service for consumers only – no business version

Page 41

And If You Get It Wrong?

• Customers have rights under the Act to challenge the accuracy of information held on them
• And to have it corrected or erased
• Plus they can claim compensation for both material loss and distress
• Not a big issue yet – perhaps the press haven’t discovered it!

Page 42

Starting Young

• How Data Protection affects children
• A bit confusing…
• No age described in the Act
• The Information Commissioner goes with 12 year olds for e-communication (Trust UK standard)

Page 43

but…

• The Advertising Standards Authority CAP Committee say 16 years on all communication

Page 44

Implications:

• Must not use or rent lists of names unless parental approval obtained in writing at the time the information was collected
• Must be verifiable consent of the parent (opt-in)
• Implies it is vital to determine age as soon as possible

Page 45

…continued

• Not OK for web communication to gain consent by a mouse click
• Postal communication needed to confirm

Page 46

The Information Commissioner

• Establishes and maintains a register of data users
• Promotes compliance with the Data Protection Principles
• Considers complaints and breaches, and prosecutes offenders or serves notices

Page 47

A ‘NEW BROOM’ IN YOUR LIFE

Christopher Graham – new Information Commissioner

Challenges and benefits of a ‘new face’

Looking for high profile cases + punishing worst & persistent offenders

‘We need to be selective to be effective’ (Richard Thomas, predecessor).

Increased fines up to £500,000 from April 2010

Page 48

Refreshment Break

Page 49

The role of the ICO

Sally Annereau, Data Protection Analyst, Taylor Wessing

Page 50

Sally Annereau, Data Protection Analyst

The Office of the Information Commissioner (the ‘IC’)

Page 51

IC - status

> Appointed by the Crown
> Independent – not servant of the Crown
> Regulator of:
  - The Data Protection Act 1998
  - The Privacy and Electronic Communications Regulations 2003 (as updated)
  - The Freedom of Information Act 2000
  - The Environmental Information Regulations 2004
> 7 year appointment
> Appointment limited to one term of office
> Annual report to Parliament

Page 52

Duties of the Commissioner

> Promote observance of the Act
> Maintain the register of notifications
> Make assessments
> Conduct audits
> Disseminate information
> Prepare and encourage codes of practice
> Enforce the Act
> Report annually to Parliament

Page 53

Assessment considerations

> Includes:
  - Does it concern the processing of personal data?
  - Is it by a directly affected individual?
  - Does the request raise a matter of substance?
  - Is it made without undue delay?
  - Has the individual raised their complaint with the controller?
  - Could the matter be dealt with better by another body?
  - Has the matter been resolved already?

Page 54

Individual complaints/queries

> 1989-90 - 2,698
> 1990-91 - 2,419
> 1991-92 - 1,747
> 1992-93 - 4,590
> 1993-94 - 2,889
> 1994-95 - 2,814
> 1995-96 - 2,950
> 1996-97 - 3,897
> 1997-98 - 4,173
> 1998-99 - 3,653
> 1999-00 - 4,570
> 2000-01 - 8,875
> 2001-02 - 12,500
> 2002-03 - 12,001
> 2003-04 - 11,664
> 2004-05 - 19,460
> 2005-06 - 22,059
> 2006-07 - 23,988
> 2007-08 - 24,851
> 2008-09 - 25,509
> 2009-10 - 33,234
> 2010-11 - 26,227
> 2011-12 - 20,080

(minus FOI casework)

Source: OIC

[Chart: Complaints per year, 1990-91 to 2011-12; vertical axis 0 to 35,000]

Page 55

UK Categories of complaint

> Sectors
  - Lenders
  - General business
  - Direct marketing
  - Local Government
  - Health
  - Central Government
  - Telecoms
  - Policing and criminal records
  - Debt collectors
  - Internet
> Popular complaint causes
  - Subject access
  - Inaccurate data
  - Disclosure of personal data
  - Tele-marketing calls
  - Security
  - Email and SMS

Source: OIC Annual report 2013

[Chart: Causes – Subject access, Disclosure, Inaccurate data, Security, Use of data, Fair processing, Obtaining data, Excessive/irrelevant; vertical axis 0 to 50]

[Chart (labelled ‘Causes’): Lenders, Local Gov, Health, Central Gov, Policing, Telecoms, Education, Insurance, Internet, Retail; vertical axis 0 to 18]

Page 56

Investigations

> Can brief a regional investigating officer
> Can issue an ‘Information Notice’
  - (‘Special Information Notice’ – special purposes)
> Can obtain a search warrant from a judge
  - Warrants can be obtained with or without notice to the controller
  - Offence to obstruct the execution of a warrant

Page 57

Powers

> Direct consequences
  - Prosecution
  - Undertakings
  - Enforcement
  - Conduct audits: power applies to public bodies; can be extended to certain types of private body subject to an order by the Secretary of State
  - Monetary penalties (up to £500,000)
> Indirect consequences
  - Power of publicity
  - Intervention by other regulators
  - Risk of being sued: compensation claims; breach of contract

Page 58

When handling complaints

> Try and head off complaints before they reach the OIC
> Log all complaints received
  - Date of receipt
  - Action dates
  - Deadlines
> Try to find out what is behind the complaint
> Report up the details
  - Progress
  - Outcomes
  - Lessons/actions
> Respond promptly to all correspondence

Page 59

When the going gets tough

> Seek legal advice before agreeing to be interviewed by an investigating officer!
> Be aware of the extent of the Commissioner’s powers
> Remember an Enforcement notice is for life
  - Do not allow an Enforcement Notice to be issued against you or sign an Undertaking unless you understand the consequences
  - Use your right to make representations wherever possible

Page 60

Data security and transfers

Sally Annereau, Data Protection Analyst, Taylor Wessing

Page 61

Sally Annereau, Data Protection Analyst

Keeping Data Safe

Page 62

Data in demand

> Increase in sharing of data
> Technological developments
> Black market in data
> Cultural ‘catch-up’ required among data users
  - Lack of value attached to data assets
  - Absence of reporting lines and accountability
  - Lack of awareness
  - Lack of oversight
  - Policies, often mere ‘window dressing’

Page 63

Data breaches - Incident sectors (UK ICO figures for 1 Apr - 30 June 2013)

Page 64

Regulatory Framework

> Data Protection Act 1998 (‘DPA’) - Seventh Principle
  “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
> Other non-DPA-specific rules
  - FCA rules - effective systems and controls for countering the risk
  - Public sector - Government Security Policy Framework (‘SPF’)

Page 65

Why be concerned?

> Risk of enforcement action
> Risk of being prosecuted
  - Company, directors, secretaries and other officers
  - Individual employee liability
> Risk of fines
> Risk of being sued
> Costs of managing
> Damage to reputation
> Risk of devalued assets

Page 66

Data protection UK: Enforcement in practice

> Feb 2011–Sep 2012 – Security breaches
  - 600 ‘Self-notified’ security breaches
  - Undertakings 99
  - Monetary Penalties 22

Source ICO

[Chart: Penalties in GBP, vertical axis 0 to 350,000, by month from Feb 2011 to Aug 2012]

Page 67

Technical security measures - examples

> Passwords
> Firewalls
> Anti-virus software
> Secure internet payment systems
> Encryption
> Privacy enhancing technologies

Page 68

Organisational measures - examples

> Reliability of employees
  - Selection
  - Education
  - Written guidance and procedures
  - Accountability and action
  - Controls on access / physical and systems
> Secure storage
> Controls on data movement / sharing
> Multi-disciplinary approach
> Data protection officer
> Security policy
> Monitoring

Page 69

Using a data processor

> Definition - ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’
> Examples
  - insurance company and call centre;
  - company and payroll bureau;
  - group of related companies and subsidiary responsible for administration of group-wide marketing campaigns; and
  - company and secure data disposal agency

Page 70

Obligations when outsourcing

> Choose a processor providing guarantees of technical and organisational security measures
> Take reasonable steps to ensure compliance with above
  - Written agreement: processor acts on controller’s instructions; imposes obligations equivalent to the seventh principle

Page 71

Checklist for processor selection

> Does the processor have a data protection/information officer?
> How secure are the premises?
> What business continuity measures are in place?
> Does the processor have a written data protection/security policy?
> What security standards does the processor adhere to?
> Does the processor conduct compliance and adequacy audits?
> Have there been any security incidents?
> What steps are taken to ensure employee reliability?
> What training do employees receive in data protection?
> Other considerations - financial status, insurance cover, subcontracting and references?

Page 72

Security and IT system design

> Need for adequate security measures - “both at the time of the design of the processing system and at the time of the processing itself”
> Are contractors/developers aware of the implications of the Seventh Principle for system design?
> Who is responsible for specifying security requirements?
  - What do the tender documents say about security?
  - What does the contract say about security?
> Consider the integrity of internal systems as well as preventing external access (e.g. the use of live data for systems testing)

Page 73

Notifying breaches – IC guidance

> When to notify – consider
  - the potential harm to affected individuals
  - the volume of data lost
  - the sensitivity of the data lost
> What to tell the IC’s office/affected individuals
  - What happened
  - What information was involved
  - What steps have been taken/are being taken to mitigate the risks
  - Contact points
  - Self-help steps (in the case of affected individuals)

Page 74

Anticipating the worst

> Security reporting and escalation processes
> Implement a breach management plan
  - Key stages:
    Containment and recovery
    Assessing the risks
    Notification of breaches
    Evaluate handling and response and implement changes
  - Identify and list the actions required within each stage
  - Allocate responsibility for each action
  - Identify the response time for each action
  - Train relevant staff and test the plan
  - Publicise the plan

Page 75

Sally Annereau, Data Protection Analyst

Data transfers

Page 76

When might a transfer occur?

For example…

> Employee data to US headquarters
> Customer data to a South American call centre
> Use of a data bureau in India
> Multi-national central CRM database
> Supply of customer orders to Japanese distributor

Page 77

The Eighth Principle

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

Page 78

Take a ‘bite-sized’ approach to the problem - 1

> Is personal data involved?
> Is the personal data going beyond the European Economic Area (“EEA”)*?
> Is a transfer taking place?

* The member countries of the European Union together with Norway, Iceland and Liechtenstein.

Page 79

Adequate Protection?

> Has the European Commission ruled that the destination country is adequate?
> Is the transfer to a US business signed up to the Safe Harbour Scheme?
> Does an exception to the Eighth Principle apply?

Page 80

Existing EC adequacy findings*

> Hungary
> Switzerland
> Canada
> Argentina
> Guernsey, Jersey or Isle of Man
> Faroe Islands
> Andorra
> Israel
> Uruguay
> New Zealand

* Details of adequacy decisions can be found at: http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm

Page 81

Safe Harbour

> A US self-regulatory scheme
> US companies certify to comply with 7 principles
> Not all US companies can participate
> It is possible to check a public register of members: http://www.export.gov/safeHarbor
> Non-compliance actionable by US Government or affected individuals

Page 82

Exceptions under the Eighth Principle

Including:

> The data subject consents to the transfer
> The transfer is necessary for the performance of a contract with the data subject(s).
> The transfer is necessary to implement pre-contractual measures at the request of the data subject.
> There is a contract in place based on EU approved terms between the exporter and importer of the data*

* http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm

Page 83

Binding Corporate Rules (“BCR”)

> Intra-group solution for international transfers
> Use of group-wide enforceable data handling policies
> Required content for submission of BCR
> Supervisory co-operation for approval process
> NOT for the faint hearted!

Page 84

Presumption of Adequacy?

Consider:

> the nature of the personal data
> the country of origin of the personal data
> the country of destination
> the purposes of the intended processing
> the law/relevant codes in force in the destination country

Page 85

Practical Considerations

> To what extent do you transfer personal data outside the EEA?
> Do you have international subsidiaries?
> Consider the potential for transfers down the line and collect data with that possibility in mind
> Consider carefully the wording of consent notices and contract terms
> Don’t underestimate the potential impact of non-compliance

Page 86

E marketing and Cookies

Sally Annereau, Data Protection Analyst, Taylor Wessing

Page 87

E-Marketing and cookies

Sally Annereau

[email protected]

Page 88

The current law in the UK

> Data Protection Act 1998
> Privacy and Electronic Communications Regulations 2003
  - Came into force on 11 December 2003
  - Do not apply solely to marketing by e-mail or SMS
  - rules also cover marketing by telephone, fax and automated calling systems
  - Need to think about this AND the Data Protection Act 1998
> The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
  - These come from European Directives
  - Similar (but not exactly the same…) laws throughout Europe

Page 89

Marketing by e-mail and SMS – the rules (1)

Privacy and Electronic Communications Regulations 2003

> No unsolicited e-mail or SMS marketing to individuals unless:
  - Recipient has consented
  OR
  - (1) you obtained contact details “in the course of the sale or negotiations for the sale of a product or service”;
  - (2) you are marketing your own similar goods or services to them; AND
  - (3) opportunity to opt out (free of charge) given at the point of collection and at the time of each subsequent communication

Page 90

Marketing by e-mail and SMS – the rules (2)

> You cannot disguise yourself
and
> You have to provide a valid return path

Page 91

How do I go about getting consent?

> There is no set way of getting it, but the law says that it must be informed, freely given (i.e. revocable) and…
> For e-mail or SMS marketing, consent has to be positive, so…

  “I would like to send you information by e-mail. Please tick this box if you do not want me to do so”

  but

  “I would like to send you information by e-mail. Please tick this box if you are happy for me to do so”

  ? “By submitting this form, you will be indicating your consent to receiving e-mail marketing messages from us unless you have indicated an objection to receiving such messages by ticking the above box”

> Don’t necessarily need a classic tick-box

Page 92

Mobile marketing

> “Live”/voice marketing calls
  - TPS list – every 28 days
  - CTPS
  - In-house telephone suppression lists
> Text, picture and video mobile marketing is governed by the rules previously discussed

Page 93

Some tricky areas…

> Legal problems
  - What is “in the course of the sale or negotiations for the sale”?
  - Not simply registering an interest at/visiting a web site
  - What are “similar” products and services?
  - What would someone reasonably expect?
  - Viral marketing
> Technical and marketing problems
  - How long does consent last?
  - What about pre-existing e-mail or SMS marketing lists?
  - Hw d U fit all info U nd in2 160 krctz?

Page 94

Automated calls and Fax marketing

Automated calls

> Prior express consent of any recipient required
> Where consent provided then communication must include:
  - Identity of caller
  - Contact address or free phone number

Fax marketing

> Prior consent of individual subscribers required
> Corporate subscribers - not if opted out or if registered on the Fax Preference Service register
> Where you can legitimately communicate then this must include:
  - Identity of caller
  - Contact address or free phone number

Page 95

Cookies

> A piece of information that includes a unique reference code that a website transfers to your device to store and sometimes track information about you.

Can be:

> First / third party
> Session or persistent
> ‘Flash’ or ‘super’

And don’t forget web beacons/gifs.

Page 96

Regulation 6 ‘PECAR’

No storage or access to information stored, in the terminal equipment of a subscriber or user unless the user or subscriber:

a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
b) has given his consent.

Exception where storage or access is:

> for the sole purposes of carrying out the transmission of a communication over an electronic communications network; or
> strictly necessary for the provision of an information society service requested by the user or subscriber

Page 97: DMA - DPC Workshop - 23 October 2013

Key considerations

> Move from old law notice and ‘opt-out’ to notice and consent

> Applies to equivalent technologies

> No legal distinctions between different types of cookies

> Applies to all equipment capable of receiving cookies

> Clear and comprehensive information about the purposes of cookies needs to be provided

> Limited exceptions

Page 98: DMA - DPC Workshop - 23 October 2013

IC Guidance

Initial guidance – no firm view on what kinds of consent will be enough but:

> Browser settings – unlikely to work

> Pop-ups and similar techniques?

> Terms and conditions?

> Settings/Feature led consent?

> Functional uses?

> Third party cookies?

Update guidance

Explicit consent allows for regulatory certainty (and will be the most appropriate way to comply in some circumstances); “this does not mean that implied consent cannot be valid”, although it must still be informed.

Page 99: DMA - DPC Workshop - 23 October 2013

Other viewpoints

> IAB

> Article 29 Working Party

> ICC

> ‘Do Not Track’

Page 100: DMA - DPC Workshop - 23 October 2013

Enforcement

> 12 month compliance amnesty (ended 26 May 2012)

> Post May 2012 - possible action including enforcement notices or fines, subject to an assessment of the impact of the breach on the privacy and other rights of the user.

Considerations likely to include:

> The intrusiveness of the cookie?

> Is data passed to an organisation the individual would not expect?

> Will any sensitive data be held in profiles?

> Is the website being “cavalier” or “tricksy”?

Page 101: DMA - DPC Workshop - 23 October 2013

Steps to take (if playing catch-up) (1)

1. Identify

- Websites?

- Types of cookies (or other tools)?

- Purpose of the cookie?

- When deployed?

- Who deploys (first or third party)?

- Who can read the cookie?

- How long is the cookie stored?

- Are profiles of users’ browsing activity being created?

2. Assess

- Is the cookie necessary to underpin a service requested by the user?

- What is the impact of the cookie on the user?

- Session only or persistent?

- Is a third party tracking the user across this and other websites?

- Are profiles of browsing activity being created?

Page 102: DMA - DPC Workshop - 23 October 2013

Next steps (2)

3. Implement

- Is sign-up or registration required to access the website?

- Do users initiate a function or setting that uses a cookie?

- Do users need to be alerted on first arriving on the website?

- Review, enhance and introduce notices and privacy policies

- Consider both specific and ‘holistic’ approach to solutions
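The Identify and Assess steps above ask, for every cookie, who set it, whether it is first or third party, whether it is session or persistent and how long it lives. The following is an added example, not part of the workshop material, that answers those questions mechanically from Set-Cookie headers captured while loading a site; the hosts, cookie names and headers are constructed sample data, and the "last two labels" domain rule is a simplification of what a real audit would do with the Public Suffix List.

```python
"""Cookie inventory for the Identify / Assess steps (added example, not
from the workshop slides). Given Set-Cookie headers captured while loading
a site, record who set each cookie, whether it is first or third party
relative to the audited site, whether it is session or persistent, and
how long it lives. Purpose still has to be documented by a human: the
headers alone cannot tell you whether a cookie is 'strictly necessary'."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification for this example; a real audit would use the Public
    Suffix List so that names like 'example.co.uk' are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class CookieRecord:
    name: str
    set_by: str            # host whose response carried the header
    party: str             # "first" or "third", relative to the audited site
    persistent: bool       # False = session cookie (dies with the browser)
    lifetime_days: float | None
    readable_by: str       # Domain attribute if present, else host-only


def parse_set_cookie(header: str, set_by: str, site_host: str,
                     now: datetime) -> CookieRecord:
    """Classify one Set-Cookie header. Max-Age wins over Expires (RFC 6265)."""
    fields = [f.strip() for f in header.split(";")]
    name = fields[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for field in fields[1:]:
        key, _, value = field.partition("=")   # flags like Secure get value ""
        attrs[key.strip().lower()] = value.strip()

    lifetime: timedelta | None = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now

    party = ("first" if registrable_domain(set_by) == registrable_domain(site_host)
             else "third")
    return CookieRecord(
        name=name, set_by=set_by, party=party,
        persistent=lifetime is not None,
        lifetime_days=(round(lifetime.total_seconds() / 86400, 1)
                       if lifetime is not None else None),
        readable_by=attrs.get("domain") or set_by,
    )


def audit(site_host: str, captures: list[tuple[str, str]],
          now: datetime) -> list[CookieRecord]:
    """captures: (responding host, Set-Cookie header) pairs from one page load."""
    return [parse_set_cookie(hdr, host, site_host, now) for host, hdr in captures]


def review_queue(records: list[CookieRecord]) -> list[str]:
    """Cookies that cannot fall under the Regulation 6 exceptions on their
    face (third party, or persistent) and so need a documented purpose and
    a consent mechanism before the site goes live."""
    return [r.name for r in records if r.party == "third" or r.persistent]


# Constructed capture from loading https://www.example-shop.test/ (not real).
AUDIT_TIME = datetime(2013, 10, 23, tzinfo=timezone.utc)
SAMPLE_CAPTURE = [
    ("www.example-shop.test", "sessid=3f9a1c; Path=/; Secure; HttpOnly"),
    ("www.example-shop.test", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-network.test",
     "uid=9f8e7d; Expires=Fri, 23 Oct 2015 00:00:00 GMT; "
     "Domain=.tracker-network.test; Path=/"),
]

if __name__ == "__main__":
    records = audit("www.example-shop.test", SAMPLE_CAPTURE, AUDIT_TIME)
    for rec in records:
        print(rec)
    print("needs consent review:", review_queue(records))
```

The session cookie set by the site itself is the only one that could plausibly sit inside the "strictly necessary" exception; the third-party tracker with a two-year lifetime is exactly the kind of cookie the enforcement considerations on intrusiveness and unexpected recipients are aimed at.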

Page 103: DMA - DPC Workshop - 23 October 2013

So what are businesses doing?

> Confusion persists over what level of consent is enough

> Genuine reluctance to embrace clear consent mechanisms

> Yet doing nothing is not an option

> Evidence that most UK online businesses have:

- carried out internal audits

- raised the bar on transparency and information

- implemented changes to terms and conditions, privacy ‘and cookies’ policy

- Applied landing page alerts / actions / notices

Page 104: DMA - DPC Workshop - 23 October 2013

Examples

Page 105: DMA - DPC Workshop - 23 October 2013
Page 106: DMA - DPC Workshop - 23 October 2013
Page 107: DMA - DPC Workshop - 23 October 2013

Light box approach

Page 108: DMA - DPC Workshop - 23 October 2013

Enhanced privacy policies

Page 109: DMA - DPC Workshop - 23 October 2013

Consent in policies & terms?

> “When you create or log in to an online account you agree to our privacy and cookies notice. Otherwise, by continuing to use our websites or mobile services you agree to the use of cookies as described in this notice. Please see our cookies notice.”

> By using the site you accept this privacy and cookie policy (our “privacy and cookie policy”). If you do not agree with any term in this privacy and cookie policy, please do not use our site or submit any personal data through it.

> By clicking the "I Agree" button on the registration form, you agree that you:-

1. have read the web site terms of our privacy policy;

2. consent to our use of your information in accordance with our privacy policy;

3. consent to the use of cookies as disclosed to you in our cookies policy; and

4. agree to be bound by these terms and conditions.

If you do not agree, please leave this website now.

Page 110: DMA - DPC Workshop - 23 October 2013

Lunch

Page 111: DMA - DPC Workshop - 23 October 2013

The proposals for new data protection law

Sally Annereau, Data Protection Analyst, Taylor Wessing

Page 112: DMA - DPC Workshop - 23 October 2013

The Proposed European Data Protection Framework

Sally Annereau

Data Protection

Page 113: DMA - DPC Workshop - 23 October 2013

Data Protection Laws

> Current Landscape

> New Horizon

> The Reform Journey

- Published Proposals, 25 January 2012

- Parliament and Council

First Reading

Second Reading

- Entry into Force - Regulation

Page 114: DMA - DPC Workshop - 23 October 2013

Proposed new EU framework

> Regulation

2014?

2 Year Implementation Period?

2016?

> Evolution or revolution?

Upgrade

New

> The final picture?

Ambiguity

Delegated Acts

Harmonisation

Page 115: DMA - DPC Workshop - 23 October 2013

Territorial Scope

> Establishment in the EU

> Extended to those who are not in EU if processing relates to

- The offer of goods or services to data subjects within the EU

- The monitoring of EU data subject’s behaviour

> Home Authority

> Prior Authorisation

> Forum Shopping

Page 116: DMA - DPC Workshop - 23 October 2013

Definitions

Similar base point

> Data Subject

> Personal Data Breach

> Binding Corporate Rules

> Sensitive Personal Data

Page 117: DMA - DPC Workshop - 23 October 2013

Personal Data Processing Principles

> Lawful, fair and transparent

> Collected for a specified, explicit and legitimate purpose

> Adequate, relevant and limited to the minimum necessary

> Accurate and kept up-to-date

> Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes

> Ensuring compliance with the provisions of the regulation

Page 118: DMA - DPC Workshop - 23 October 2013

Consent

> Burden of proof

> Written declarations

> Withdrawal of consent

> Significant imbalance

> Personal data relating to a child

Page 119: DMA - DPC Workshop - 23 October 2013

Special/Sensitive Personal Data

> Prohibition:

- the processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited

> Consent

> Employment law

> Vital interests

> Legal

> Public interest

> Health purposes

Page 120: DMA - DPC Workshop - 23 October 2013

Transparency

> Transparent and easily accessible policies

- Processing of personal data

- Exercise of data subject’s rights

> Intelligible form

> Clear and plain language

> Adapted to the data subject

Page 121: DMA - DPC Workshop - 23 October 2013

Subject Access Requests

> Information to be provided to the data subject

> Rights of access

> Electronic form

> Standard forms and procedures

> Timings

> Fee?

Page 122: DMA - DPC Workshop - 23 October 2013

Right to be forgotten

> Right to rectification

- Inaccurate personal data; and

- Completion of incomplete personal data

> Right to be forgotten and a right to erasure

Where:

- no longer necessary to the purpose of collection

- the subject has withdrawn their consent

- the subject objects

- the processing is in breach of the Regulation

> Erasure without delay

> Restrict processing of disputed data

> Commission can specify further rules

Page 123: DMA - DPC Workshop - 23 October 2013

Data Portability

> Obtaining a copy of data

> Format to be supplied

> Automated processing

> Technical standards, modalities and procedures for transmission

Page 124: DMA - DPC Workshop - 23 October 2013

Marketing and Profiling

> Right to object to processing

- where based on

– vital interests

– public interest

– legitimate interests

> Right to object to direct marketing

> Rights in relation to measures based on profiling

Extended to include health, personal preferences, reliability and behaviour

> Consent?

Page 125: DMA - DPC Workshop - 23 October 2013

Responsibilities of the Data Controller

> Policies and implementation

> Documentation

> Security obligations

> Data protection impact assessment

> Prior authorisation

> Data Protection Officer

> Implement compliance mechanisms and ensure verification

> Data Protection

- Design

- Default

Page 126: DMA - DPC Workshop - 23 October 2013

Data Processor

> Due diligence and sufficient guarantees

> Contractual measures required

> Documenting the controller’s instructions and the processor’s obligations

> Shifting from processor to controller

Page 127: DMA - DPC Workshop - 23 October 2013

Data Security

> Obligations of the data controller and the data processor

> Appropriate technical and organisational measures

> Notification of a personal data breach

- Notify the supervisory authority

- Within 24 hours

- Reasoned justification required where notification takes longer than 24 hours

> Data processor obligations to inform the data controller

> Content of the notification

> Notifying data subjects

Page 128: DMA - DPC Workshop - 23 October 2013

Data Protection Impact Assessment

> Controller or Processor?

> Trigger points

> Considerations within the impact assessment

> Data subject liaison

> Prior authorisation and prior consultation

Page 129: DMA - DPC Workshop - 23 October 2013

Data Protection Officer

> Designation of the DPO

> Tasks of the DPO

> Minimum term

> Different to current DPO roles

Page 130: DMA - DPC Workshop - 23 October 2013

Data Transfers to Third Countries

> General principles

> Adequacy decisions

> Transfers by way of appropriate safeguards

> Binding corporate rules

> Derogations

Page 131: DMA - DPC Workshop - 23 October 2013

Remedies

> Complaint to the supervisory authority

> Civil action against

- supervisory authority

- controller

- processor

> Right to compensation

Page 132: DMA - DPC Workshop - 23 October 2013

Proposed new EU framework: Fines

First tier

€250,000 or 0.5%

Second tier

€500,000 or 1%

Third tier

€1m or 2%

> Subject access request breaches

> Rules on transparency

> Rectification

> Right to be forgotten

> Data subject’s objections

> Compliance (required documentation)

> Processes data without a legal basis

> International data transfers

> Compliance (appropriate internal policies)

> Impact assessments

> EU representative

Who’s in the firing line? “Anyone who …”

Page 133: DMA - DPC Workshop - 23 October 2013

Food for thought

> Further Standards and Delegated Acts

> Commission reserved power to specify standard forms and procedures

Including:

- methods to obtain a child’s consent

- forms and procedures for access requests and communicating information and data

- electronic format of supplied data

- technical standards for protection by design or default

> Wide Commission powers to adopt delegated acts

Including:

- specifying lawful processing conditions

- specifying sensitive data and how it is safeguarded

- the detail of fair processing information to data subjects

- additional data controller responsibilities & conditions for audits

> Member state safeguards and rules

Page 134: DMA - DPC Workshop - 23 October 2013

Food for thought

> Compliance benchmark must be raised

- DPO

- Documentation

- Evidential trail

- May be published

> Vendor management processes must change

- Due diligence

- Contracts

- Liability

Page 135: DMA - DPC Workshop - 23 October 2013

Data protection compliance and marketing: getting the right balance

Penny Champion, Data Protection Manager, NSPCC

Page 136: DMA - DPC Workshop - 23 October 2013

Data protection compliance workshop

23 October 2013 - DMA

Data protection compliance and

marketing - Getting the right balance

Some practical challenges for charities

Penny Champion, Data Protection [email protected]

www.NSPCC.org.uk

NSPCC 23 October 2013

Page 137: DMA - DPC Workshop - 23 October 2013

At the NSPCC in the year 2012-2013

Source: Annual Reports and Accounts

Regular and one-off donations income of £110.7m

- That was 85.6% of our income

Letter from Santa alone raised £1.8m

Why direct marketing matters to charities


Page 138: DMA - DPC Workshop - 23 October 2013

Contexts for charities: the marketing environment-1

Supporter data not always in one database

Often goes back decades, reflecting supporter loyalty, but data quality and currency may be uncertain

Donors from all sectors of society – from individual giving at £2 a month all the way up to wealthy individuals and large corporates

Participation in events – fundraising balls, sponsored walks, bike rides, ascent of the Gherkin, HACK walks

Participation in externally organised events – London Marathon, Belfast Marathon

Legacies

Supporter relationship management can be challenging!


Page 139: DMA - DPC Workshop - 23 October 2013

Contexts for charities: the marketing environment-2

Supporters are respected and valued

Aim is to have sustainable relationships with all sectors of donors

Data protection and privacy law and regulation really matters when it comes to successful donor recruitment and retention

Cost of fundraising across different channels:

Telephone tends to be more effective – people respond to the human voice

Email is a very cost effective way of communicating

But you need the right consents in place!

What do supporters think they’ve agreed to by way of direct marketing communications?


Page 140: DMA - DPC Workshop - 23 October 2013

Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’

The scenarios are fictitious but could come up at any major UK charity. You are responsible for advising the Director of Fundraising what to do in the following circumstances:

1 Bringing gift aid declarations up to date

2 A local committee decides to run a Christmas Fair to raise funds for National Charity

3 A major corporate supporter – BigTelCo – is supporting a Big Run. The runners are its staff, their families, and friends. The CEO wants to email all entrants to say ‘thank you’

4 TV advert – Text CHILD2013 to donate £4. You’d like to phone donors later and see if you can convert them to regular givers


Page 141: DMA - DPC Workshop - 23 October 2013

Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’ 1 of 4

Bringing gift aid declarations up to date – repairing defective data

o There’s been a major review and clean up of Gift Aid declarations for existing supporters

o For some of the older ones, the original declaration can’t be found, or there is a technical problem eg no forename initial is held. As a result you have had to mark the donations as ‘No Gift Aid’ and cannot claim back from HMRC

o Can we telephone or email these supporters to ask if they can give a new Gift Aid declaration?

The scenario is fictitious but could come up at any major UK charity


Page 142: DMA - DPC Workshop - 23 October 2013

Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’ 2 of 4

A local committee decides to run a Christmas Fair to raise funds for National Charity

o They want a website – how can that best be managed? (cookies compliance, privacy notices, who is the data controller anyway?)

o Committee members want to email their personal contacts – local businesses and their friends – to generate interest from potential stallholders. So do the PEC Regs apply?

The scenario is fictitious but could come up at any major UK charity


Page 143: DMA - DPC Workshop - 23 October 2013

Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’ 3 of 4

A major corporate supporter – BigTelCo – is supporting a Big Run.

o National Charity is BigTelCo’s charity of the year. There’s going to be a BigTelco Run. It’s been promoted to staff on the company’s intranet – they are encouraged to get family and friends to enter.

o Entry is on-line – a special webpage set up by National Charity – and over 400 people have signed up. National Charity is the data controller for their personal data.

o The CEO is thrilled – she decides she wants to email all entrants after the Run to say thank you from BigTelCo. But National Charity did not tell entrants that their email addresses would be passed to BigTelCo. What are the options and risks?

The scenario is fictitious but could come up at any major UK charity


Page 144: DMA - DPC Workshop - 23 October 2013

Practical scenarios from the Data Protection Manager’s in-box at ‘National Charity’ 4 of 4

TV advert – Text CHILD2013 to donate £4. You’d like to phone donors later and see if you can convert them to regular givers

o CAP Code compliance is OK - the advert complies with the standards for what is displayed on screen and how many seconds it’s up there. People are told how much of the £4 the charity gets and National Charity (registered number, website address) is shown.

o Donors get a ‘thank you’ text from National Charity. It includes a link to the Gift Aid declaration webpage. We want to phone donors to see if we can convert them to regular givers. Can we give them the telephone opt-out opportunity in the thank-you text?

The scenario is fictitious but could come up at any major UK charity


Page 145: DMA - DPC Workshop - 23 October 2013

Conclusions – not always easy answers

Quality of data gives rise to problems. Is the Gift Aid approach administrative or direct marketing in purpose? How will the supporters perceive it?

Who’s the data controller? Volunteers doing their own thing may well be fine, but how can National Charity manage the privacy compliance risks to itself?

Privacy statements – retro-fitting consents to disclose is hard. Is the CEO thank-you direct marketing? Will the BigTelCo Run entrants object?

Unless you obliterate the ad with ‘small print’ you’re going to have to find another way to deliver the telephone opt-out.

What’s fair and best for the donors?

The scenarios are fictitious but could come up at any major UK charity


Page 146: DMA - DPC Workshop - 23 October 2013

And finally … look out for companies who claim to offer a marketing blocking service to consumers (Opt Out UK Ltd, Data Protection House). You (probably) do not have to agree to their demands. Talk to the DMA.

Wider privacy issues – it’s not just about supporters.

Use of ‘real life stories’ in marketing materials

Personal data in the charity’s Facebook page or other social media

Your thoughts and questions?

Penny Champion, Data Protection Manager

[email protected]


Page 147: DMA - DPC Workshop - 23 October 2013

Practical session & feedback

Sally Annereau, Data Protection Analyst, Taylor Wessing

Page 148: DMA - DPC Workshop - 23 October 2013

Refreshment break

Page 149: DMA - DPC Workshop - 23 October 2013

Privacy statements

Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy

Page 150: DMA - DPC Workshop - 23 October 2013

Be Aware

The information contained in this presentation and provided verbally is not intended as legal advice/counsel and is not represented as such by Shelfline Promotional Consultancy Ltd., nor by Charity Confidential. Neither makes any warranties or statements regarding the acceptability of the information provided. Whenever taking any action related to the law, obtain advice from legal counsel.

Page 151: DMA - DPC Workshop - 23 October 2013

The Ever Willing Customer?

‘The key to modern direct marketing is the capture of individual customer details at the first sale, so that the marketer can begin a relationship with the customer’

Tapp (1998) Principles of Direct & Database Marketing

Page 152: DMA - DPC Workshop - 23 October 2013

Trust Me, It’s The 121 World Now

‘Trust is more important than it ever was before. If you violate it, you will be outed’

Peppers (2008) IDM Insights

Page 153: DMA - DPC Workshop - 23 October 2013

Lack of Privacy Control

Control over the personal information held

Control over personalised marketing

Control over data accuracy

Evans, O’Malley & Patterson (2004) Exploring Direct and Customer Relationship Marketing

Page 154: DMA - DPC Workshop - 23 October 2013

Privacy Statement Checklist

How easy is it to find – online/offline?

Is it true?

Does it make sense?

How does it cover marketing contact?

What else is desirable?

Is it future-proofed?

Does it reassure – inspire trust & confidence?

Page 155: DMA - DPC Workshop - 23 October 2013
Page 156: DMA - DPC Workshop - 23 October 2013

Real Voices

‘What if I don’t tick the terms & conditions. Do they still have my details? I don’t know how it works?’ (Jess aged 22)

‘I always think that’s just legal stuff they have to put it, even if they don’t want to’. (Marcos aged 25)

Page 157: DMA - DPC Workshop - 23 October 2013

More Voices

‘If it’s short they could get out of any little situation, there’s no way they’ve covered everything’ (Mollie aged 23)

‘The longer they are the more suspicious I am’ (John aged 56)

‘I think it’s a load of blurb really’ (Judy aged 42)

Page 158: DMA - DPC Workshop - 23 October 2013

Frequency of Reading Privacy Policies

45% claim never to read

28% rarely read

18% sometimes read

5% always read

Source: Sophie Warren, BA International Marketing Student, Bournemouth University, January 2009

Page 159: DMA - DPC Workshop - 23 October 2013
Page 160: DMA - DPC Workshop - 23 October 2013

Don’t Tell People The Obvious

Something a reasonable person would anticipate and agree to if asked

Necessary to carry out the transaction requested

Has no unforeseen consequences

Page 161: DMA - DPC Workshop - 23 October 2013

Sharing Information

No unjustified adverse effects

Within the same group – provide back up details if asked

When the sharing is unexpected

Page 162: DMA - DPC Workshop - 23 October 2013
Page 163: DMA - DPC Workshop - 23 October 2013
Page 164: DMA - DPC Workshop - 23 October 2013

Saying what you mean, and playing fair

‘From time to time we may wish to contact you with further information about our products and those of other carefully selected companies we think may be of interest to you. Please write to xxxxxx if you do not wish this to happen’

Page 165: DMA - DPC Workshop - 23 October 2013
Page 166: DMA - DPC Workshop - 23 October 2013
Page 167: DMA - DPC Workshop - 23 October 2013
Page 168: DMA - DPC Workshop - 23 October 2013

Let’s Get Personal: [email protected]

Page 169: DMA - DPC Workshop - 23 October 2013

Test

Lesley Tadgell-Foster, Managing Director, Shelfline Promotional Consultancy

Page 170: DMA - DPC Workshop - 23 October 2013

Close