Published by Alisha McKerron on 15 November 2018
My head was swirling with data privacy thoughts, when I left the Executive Leader Network Conference in Reading, last week. Not bad considering, I had arrived with an impenetrable head cold, which showed no signs of easing as the afternoon progressed.
By midmorning I had listened to three talks and a panel discussion with another two talks squeezed in before lunch. By the end of the day, my final tally was 9 talks and one panel debate. I certainly got my money’s worth, but would I remember all that I had learnt? Not without making some notes!
Below are the topics of each talk I attended and some information about the talks.
- What makes an ideal DPO?
I learnt from Christel Cao-Delebarre, that data subjects are lodging more complaints than ever. Although a company may not be obliged to appoint a data protection Officer (“DPO”), companies should consider volunteering one. Why? Because a DPO is a key contributor to transformative corporate changes, a key partner for end-user satisfaction and a key representative of the company for the EU and for non EU supervisory authorities.
I agree with this approach, although I wonder if it would be prudent to give the office the title of Privacy Manager, in the voluntary instance. This would distinguish the office from a mandatory appointment, and allow for flexible compliance with DPO, Data Protection Regulations (“GDPR”).
When considering whether a DPO is mandatory, we should bear in mind that processing employee data or financial data is excluded from the test.
- The Ultimate Guide to New ePrivacy Regulations: Cookie Consent, DNT, and Online Tracking Technologies
PECR is due to be replaced by a European Regulation (“ePR) but no one knows when exactly this will happen. Although Parliament has agreed its version, the Council of Ministers has yet to agree theirs. It may be some time before the Commission, Parliament and the Council of Ministers will be able to enter a trialogue debate to agree a final version.
GDPR has necessitated a higher standard of disclosure and consent in relation to cookies. Data subject are being made aware of cookies via banners. A common approach now is to categorise cookies and get consent for each, while also allowing easy withdrawal of consent.
The new ePR will apply to machine communications. It will extend the requirement of obtaining consent for storing cookies, to the processing of personal data used for tracking. It will address issues around ad-blocking and Wi-Fi location tracking. It will shift the focus from website cookie banners to users’ browser settings.
It will also tighten the rules on marketing, with the default position being that all marketing to individuals (whether a private individual (B2C) or an employee (B2B)) by phone, text or email must be opt-in. (At the moment direct marketing emails can be sent to employees working for corporates (B2B) or public authorities without consent, on an opt-out basis). In other words the new law will align B2B marketing with B2C.
The advertising industry is up in arms. If adverts are blocked because consent to tracking has been denied, it will strip European publishers of the right to monetize their content through advertising. The only other way publishers will be able to monetize content is to start charging consumers. Some publishers have begun doing this. Others have made their websites inaccessible to the EU.
The Interactive Advertising Bureau (“IAB”) is lobbying for an inclusion of a legitimate basis as a way round consent.
- Panel Discussion
GDPR is Here to Stay
According to the panel one of the biggest mistake’s companies are making, is to underestimate the ongoing importance of GDPR. GDPR policies need to become part of businesses’ DNA.
ePR and Consent
At first, I found the comments the panel were making about consent, contradictory: either is was needed for direct marketing, or it was not. Once I realised the importance of distinguishing between businesses and individuals and which channel of marketing is being used (mail/ sms, phone/fax or post) things became clearer. So that you don’t fall into this trap the position is: consent is not required for marketing emails or texts to businesses (i.e. first name.last email@example.com), so long as there is a lawful basis together with an opt out. (Apparently, it is good practice to keep a ‘do not email or text’ list of any companies that object). Consent is required for marketing emails or texts to individuals although there are some exceptions (see below).
If the ePR comes into effect, consent will be required for the processing of electronic personal data used for tracking. This requirement will have a catastrophic effect on the advertising industry because it relies on the processing of this type of personal data. The Direct Marketing Association (“DMA”) is lobbying hard to have an exception included.
Direct Marketing Emails
The DMA has had past success in lobbying for changes in draft laws. It managed to get an exception to the rule that individuals must have given their consent to received direct marketing emails. If the individual is a previous customer and the marketing is in relation to a similar product, consent is not required, because there is a ‘soft opt-in.
It is also important to distinguish between informative emails and advertising emails. I am not persuaded by the argument that no consent is required in the instance of an informative email which has a bit of advertising in it.
Legitimate Interest and Marketing
If e-privacy laws do not require consent, legitimate interests may be relied on. For example, direct marketing by post. This seems to have been lost in translation post GDPR.
Data Subjects Right to be Informed
Data subjects have the right to be informed via a privacy notice whenever their personal data is being processed. This is still the case, if personal data is sourced from the public domain or if public personal data is aggregated with private personal data. This is especially relevant to recruitment agencies.
Data Processors and Data Controllers
The role of data processors and data controllers is more equivalent. It is important to always be considering the risks associated with processing personal data and potential harm to data subjects.
Provenance of Personal Data
Companies must know the provenance of third-party personal data i.e. where it comes from, how it was collected, the legal basis for collection, whether the data subjects have been correctly informed etc. Consider whether the communication made at collection is sufficient further down the line. If data has been improperly collected, it may damage a company’s branding. Sellers of personal data need to be careful who they sell to, for example Life Cycle Marketing (Mother and Baby) Limited was fined for selling personal data to a political party.
- Email Marketing in a Post – GDPR World
Jenna Tiffany took us back in time, when the first Nokia mobile phone came on the market. She pointed out how much has changed since then. She observed, that the GPPR journey thus far has been an emotional one, beginning with denial, and ending with acceptance with everything in between.
What we should not lose sight of, is the consumers desire to protect their personal data and the importance of building up a relationship of trust. Some companies have understood this better than others and been more successful in rolling out their new GDPR policies. They have used this to differentiate themselves from their competitors.
We should view the changes in privacy law as a wonderful marketing opportunity to strengthen our relationship with our customers.
- Privacy, Compliance in a Fast-Changing Landscape
Ivana Bartoletti extolled the virtues of good governance with sound data protection policies. For example, policies which will trigger Data Protection Impact Assessments (DPIA) analysis. The policies should set out how DPIA’s should be done and by whom and how frequently they should be reviewed. Ivana suggested preparing a matrix of criteria using WP248 as a source. Only two criteria need to be met. Ivana discussed other tools including data minimisation (do I really need this data?), threat analysis (what is the harm on the data subject?), privacy by design and default and procedures in place for data breaches.
- Life after GDPR….. Accountability Transparency and What is Still to Come
Towards the end of the lunch break, Christine Andrew gave us 6 tips about life after GDPR.
- Don’t Panic: Not everyone is GDPR compliant
- Check Breach Management
The Information Commission (“ICO”) is only really concerned with systematic breaches rather than individual breaches. If ICO does not respond quickly it is almost always good news. Complaints have increases and so ICO has had to prioritise more severe breaches over less severe. What is important is that businesses are able to show that they have clear internal processes to pick up every breach, no matter how minor. Look at ICO’s webcast on How to Report Data Breaches
- Subject Access Reports
Subject accesses reports are nothing new and are best dealt with by engaging with the data subject to determine their motivation. Are they a vexatious employee or do they no longer want to receive direct marketing?
- Make sure you know where all personal data is processed
- Audit third parties
Companies should ensure that third party processors which are processing personal data on their behalf, have been audited. Check that there is continual data mapping and that correct records of processing are being kept.
- Rate yourself
Use ICO’s Guide to Audits to understand what evidence (existence of committees, minutes, risk register, PIA’s, staff training, art 30 records etc) CO will be looking for and what controls they would expect to see in place.
- Creating a Culture of Privacy Compliance
Ben Westwood spoke about creating a culture within a business of privacy compliance. The first thing a business needs to do is set about defining its mission. ICO’s mission statement is a useful precedent to look at. Next is getting everyone on board from senior management right down to a single contact person. Seeking endorsement and support is crucial. Proactive engagement is necessary. DPO’s should seek out an audience via privacy events, training, information lunches and competitions. Adopting an open-door policy and appointing brand ambassadors should help too. They must introduce a methods of demonstrating compliance, for example how many subject access requests the business has dealt with. A record of data processing is essential. ICO’s template is a useful tool. Another very useful tool is the guide created by the American Institute of CPAs and the Canadian Institute of Accountants with help from ISACA. It is based on the Generally Accepted Privacy Principles (GAPP) and aims to assist organizations in strengthening their privacy policies, procedures and practices.
- Breach Markers: How to be Certain that Your Data Has Been Breached and Know Where the Breach Originated
Jeremy Hendy extolled the virtues of breach markers particularly when a business’s personal data sits on a third party server outside the businesses control.
- Can Email Marketing Survive GDPR?
Dean Seddon went to great lengths to correct the misconception that direct marketing emails can no longer be used without consent. This is only the case in relation to B2C direct marketing emails. PECR does not require consent for B2B direct marketing emails. Legitimate basis can be relied on instead so long as there is an opt out. ICO’s guide explains when this legitimate interest may be relied on.
Direct marketing’s biggest challenge is consumers ire and the work of trolls. Consumers may have forgotten that they opted in to direct marketing emails or may not have fully understood what they were consenting to. Full disclosure is essential. It’s also important to develop a policy on how to handle complaints to prevent brand damage further down the line.
- Defence Against Malicious Data Subject Requests.
Shane Reed explained the various steps business should take upon receipt of a data subject request. The first step is to alert all the various departments that may be involved and complete an office 365 search in share point. Next identity of the data subject. Bear in mind that you have 30 days to respond. If business have a clear data retention policy designed to minimise personal data this should reduce the amount of personal data that may need to be handed-over.