
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

Jan 21, 2018


TrustArc
Transcript
Page 1: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

© 2017 TrustArc Inc Proprietary and Confidential Information

PRIVACY INSIGHT SERIES

Summer / Fall 2017 Webinar Program

PRIVACY INSIGHT SERIES

Profiling, Big Data & Consent Under

the GDPR

October 11, 2017

Page 2: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

© 2017 TrustArc Inc Privacy Insight Series - trustarc.com/insightseries

Thank you for joining the webinar

• We will start 2-3 minutes after the hour

• This webinar will be recorded – both the recording and slides will be sent out via email later today

• Please use the GotoWebinar Control Panel on the right hand side to submit any questions for the speakers

“Profiling, Big Data & Consent Under the GDPR”

Page 3: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Today’s Speakers

Mark Webber

US Managing Partner, Fieldfisher

Helen Huang

Sr. Product Manager, TrustArc

Page 4: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

© 2017 TrustArc Inc Privacy Insight Series - trustarc.com/insightseries

Profiling and Big Data


Page 5: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


What is changing?

• New definition of profiling

• Strengthened individual rights (e.g. automated decision-making)

• Greater focus on accountability and governance

• Increased transparency requirements

• Wider definition of personal data (e.g. location data, online identifiers, technology identifiers etc.)

Page 6: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Profiling and the GDPR

Two key questions:

1) What is profiling under the GDPR?

2) Is it restricted?

Not all profiling is legally restricted!

Page 7: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


What is profiling?

“…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (GDPR Article 4)

…Targeting …Evaluation… Analytics…

Page 8: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Grounds for processing

Article 6 GDPR – Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Page 9: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Grounds for processing (2)

• Organisations need to ensure that they have clear “grounds” for lawful processing

• Under the GDPR – consent is NOT mandatory……

REQUIRED

Page 10: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


But “consent” is defined…

'consent' of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Page 11: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Relying on consent

If relying on consent to collect and use an individual’s personal data, the GDPR says that consent must be:

“unambiguous” if the data in question is ordinary, non-sensitive personal data (Art 6 of the GDPR says that “consent” is needed, and Art 4 defines consent to be “unambiguous” - hence “unambiguous” consent); but

“explicit” if the data in question is sensitive personal data (i.e. relates to any of the categories of sensitive data listed in Art 9(1) of the GDPR, such as physical or mental health data, racial or ethnic origin, and so on)

Page 12: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Unambiguous v explicit consent

• Unambiguous consent:

  • given “by a statement or by a clear affirmative action” (Article 4)

  • given “by a clear affirmative act…such as by a written statement, including by electronic means, or an oral statement” (Recital 32)

  • “Silence, pre-ticked boxes or inactivity should not…constitute consent” (Recital 32)

  • Or given through “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data” (Recital 32)

• Explicit consent = Explicit affirmative action, i.e. explicit consent - it’s also clear (unambiguous)

  • “I agree to my personal data being processed by X for Y purposes”

  • Ticking an unchecked box to say “I consent”

  • Event sign-in, participants told that their details will be used for a specific type of profiling and asked (verbally) whether they consent to this processing

Page 13: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Automated decision-making

Individual has right not to be subject to “…a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”

…Profiling is not in and of itself an automated decision!

1. There must be a decision

2. There must be automated processing (which may include profiling)

3. Decision must be based solely on automated processing

4. Decision must produce “legal effects” or otherwise “significantly affect” the individual

Page 14: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Automated decision-making (2)

Automated decision making IS permitted if:

1. Authorised by Union or Member State law

2. Necessary for the contract between the data subject and data controller

3. Data subject has provided explicit consent.

…But don’t forget!

Right to express their view

Right to obtain explanation of decision reached

Right to object / challenge the decision

Sensitive data / children

Page 15: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Other obligations

► Ensure data is processed fairly and transparently

  Use appropriate mathematical or statistical procedures

  Implement technical and organisational measures to avoid and correct errors and minimise bias or discrimination

  Provide meaningful clear information (i) about existence of automated decision making, including profiling; and (ii) logic involved and significance and envisaged consequences of profiling.

► Comply with principles of accuracy, storage limitation and privacy by design

  Data must be kept accurate and up-to-date – garbage in, garbage out?

  Ensure data is not kept for longer than necessary

  Incorporate processes by default and by design

► Honor the “right to object” exercised by any data subject (whether or not automated)

► Carry out Data Protection Impact Assessment (DPIA) for high risk processing

► Appoint Data Protection Officer (DPO) if required

Page 16: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Profiling and ePrivacy

• Cookies still require consent – with browsers and similar software required to provide cookie and tracking controls

• Website owners will need to be able to demonstrate that users have consented

• Website owners will be responsible for managing consent needed for third party tracking

• Cookies will be permitted for first party or third party analytics

ePrivacy Directive → New ePrivacy Regulations, May 2018?

Page 17: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Implementing a Consent Solution

Key Features

Page 18: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


GDPR Consent Considerations

• Legal and policy

• Business strategy

• Technology and architecture

• Implementation steps


Page 19: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Poll Question

What types of data activities will you rely on consent as the legal basis for processing?

1. Digital tracking technologies (e.g. cookies)

2. Marketing activities (e.g. email marketing)

3. Other

Page 20: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


GDPR Consent Requirements

• Capturing a robust-enough audit trail to show that a person has consented to processing his/her data

• Ability to configure the notice as default opted out (checkbox unchecked) to get affirmative consent from the user

Page 21: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


GDPR Consent Requirements

• Ability to ensure that no tracking happens until user consents, unless it’s strictly necessary

• Ensure you can request consent again when processing purpose or scope of transfer changes

• Ability to handle consent for other marketing activities, such as email or SMS marketing
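The consent requirements on the two preceding slides (an audit trail, a default opted-out notice, no non-essential tracking before consent, and re-consent when the purposes change) can be expressed as a small client-side consent gate. The code below is an added example written for this page, not TrustArc's product or any code from the webinar; the purpose names, the scope version number and the `evidence` fields are assumptions.

```javascript
// Example consent gate (added illustration, not TrustArc code).
// Purposes and the initial scope version are assumed for this example.
const PURPOSES = {
  necessary: { essential: true },   // strictly necessary: never gated on consent
  analytics: { essential: false },
  marketing: { essential: false },
};

function createConsentStore(scopeVersion = 1) {
  const auditTrail = [];  // append-only record of every consent event
  let current = null;     // latest decision; null means nothing has been recorded

  // Default notice is opted out: every purpose starts unchecked.
  function defaultNotice() {
    return Object.fromEntries(Object.keys(PURPOSES).map((p) => [p, false]));
  }

  // Store consent only for a clear affirmative action; silence or a
  // pre-ticked box is rejected instead of being recorded as consent.
  function record(choices, evidence) {
    if (!evidence || evidence.affirmative !== true) {
      throw new Error("consent requires a clear affirmative action");
    }
    const granted = Object.keys(PURPOSES).filter((p) => choices[p] === true);
    current = { version: scopeVersion, granted, at: evidence.at };
    // Audit trail keeps what was shown, when, how, and what was granted.
    auditTrail.push({ ...current, source: evidence.source, notice: evidence.noticeText });
    return current;
  }

  // Essential processing is allowed; anything else needs a consent that
  // matches the current scope version and lists the purpose.
  function allowed(purpose) {
    if (!(purpose in PURPOSES)) return false;
    if (PURPOSES[purpose].essential) return true;
    if (current === null || current.version !== scopeVersion) return false;
    return current.granted.includes(purpose);
  }

  // When the processing purpose or scope of transfer changes, bump the
  // version so earlier decisions no longer count and consent is re-requested.
  function changeScope(newVersion) { scopeVersion = newVersion; }
  function needsReconsent() { return current === null || current.version !== scopeVersion; }

  return { defaultNotice, record, allowed, changeScope, needsReconsent, trail: () => auditTrail.slice() };
}

// Run a tracker only when its purpose is permitted; returns whether it ran.
function runIfAllowed(store, purpose, tracker) {
  if (!store.allowed(purpose)) return false;
  tracker();
  return true;
}
```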

Page 22: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Poll Question

How do you plan to comply with GDPR consent requirements?

1. Build in-house solution

2. Reuse an existing software

3. License a privacy technology solution

4. Other

Page 23: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


GDPR Consent Compliance Steps

1. Discovery of consumer touch points

   1. Data flow inventory and mapping

   2. Cookies and marketing activities

2. Figure out where Consent is used as legal basis for processing

3. Make a build or buy decision for GDPR consent solution

   1. Developer resources near-term and long-term

   2. Internal software systems to reuse

   3. Compliance timeline or “risk appetite”

   4. De-risk by working with partner with privacy as core competency

Page 24: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Questions?

Page 25: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Contacts

Helen Huang [email protected]

Mark Webber [email protected]

Page 26: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Privacy Insight Series – 2017 Calendar

To register for Summer/Fall webinars and/or past webinar recordings visit: www.trustarc.com/insightseries

Page 27: Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]


Thank You!

Please take a quick minute and complete our post-webinar survey that will appear as you exit the platform.

Register for the next webinar in our Series – November 15th: “6 Months to Go: How will the GDPR be Enforced?”