gdpr compliance & your customer...

PPT First Edition | June 2016

GDPR COMPLIANCE & YOUR CUSTOMER COMMUNICATIONS


The enclosed materials are highly sensitive, proprietary and confidential. Please use every effort to safeguard the confidentiality of these materials. Please do not copy, distribute, use, share or otherwise provide access to these materials to any person inside or outside DST without prior written approval.

This proprietary, confidential presentation is for general informational purposes only and does not constitute an agreement. By making this presentation available to you, we are not granting any express or implied rights or licenses under any intellectual property right.

If we permit your printing, copying or transmitting of content in this presentation, it is under a non-exclusive, non-transferable, limited license, and you must include or refer to the copyright notice contained in this document. You may not create derivative works of this presentation or its content without our prior written permission. Any reference in this presentation to another entity or its products or services is provided for convenience only and does not constitute an offer to sell, or the solicitation of an offer to buy, any products or services offered by such entity, nor does such reference constitute our endorsement, referral, or recommendation.

Our trademarks and service marks and those of third parties used in this presentation are the property of their respective owners.

© 2017 DST Output London Ltd, Inc. All rights reserved.

DISCLAIMER


ABOUT US

CHRIS PARKINSON MARC MICHAELS PAUL JEMPSON ALISTAIR DUVOISIN

Head of Risk & Data Privacy

Director of Strategy & Insight

Senior Solution Design Consultant

Head of CRM & Data (PHE)

@PJchats @DST_UK @MarcPMichaels

07968 759514 [email protected]

07875 134 818 [email protected]

07825 506 471 [email protected]

Tweet us @DST_UK #DSTGDPR

dstdemo.com/GDPR


BEFORE WE START

What you are about to hear is based on:

• Our current understanding of the GDPR regulations as published

• Together with guidance that has been issued by appropriate bodies (<4th March)

• Our own research with Data IQ

• Keeping abreast of general developments and news

Note: Not all guidance has been issued on all topics

There will be different interpretations of how legislation should be applied

LEGAL SUPPORT & ADVICE (Free for DMA members) [email protected]


OPINION: GDPR – ARE YOU READY?

Before coming here today how prepared for the GDPR regulation changes do you feel? (honestly!)

1. Yes, completely prepared

2. Nearly there

3. We have started

4. Not yet started

0%

3%

64%

33%


GUIDANCE AVAILABLE

INFORMATION COMMISSIONER OFFICE

Issued:

• Preparing for the GDPR – 12 steps to take now

• Overview of GDPR

• Privacy Notices Code of Practice – updated with GDPR requirements

• GDPR Consent Draft Guidance

To follow:

• Contracts and Liability

• Profiling

• Risk

WORKING PARTY 29

Issued:

• Guidelines on Data Protection Officers

• Guidelines on the right to data portability

• Guidelines for identifying a controller or processors lead

supervisory authority

• Administrative fines

• High risk processing and Data Protection Impact Assessments

• Certification

• Profiling

• Consent

• Transparency

• Notification of personal data breaches

• Tools for international transfers

To follow:


THE CONTEXT

BUT AND

Marketers want to be timely, relevant and

motivating with marketing messages to

prospects and customers

Data is a key component of the fuel that can drive

this successfully

Consumers only want useful messages but many are suspicious

about sharing their data in case it is

misused/abused

Others will quite happily part with their data if they see the value in doing so

Government/EU want to ensure that people’s right

to privacy is respected

And that businesses adhere to the new

regulations designed for today’s modern

communications landscape


THE NEW REGULATIONS

• GDPR will be in force 25 May 2018

• Brexit has no impact

• The culture and infrastructure changes mean organisations need to be working on this now

• Fines up to €20m or 4 per cent of an organisation’s annual worldwide turnover

• The review of the e-Privacy directive (email, cookies) is linked to GDPR and the EU are looking to align them

Sections:

• What's new

• Introduction

• Principles

• Key areas to consider

• Individuals' rights

• The right to be informed

• The right of access

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights related to automated decision making and profiling

• Accountability and governance

• Breach notification

• Transfer of data

• National derogations


IT’S A BIG ISSUE… WITH LOTS OF NOISE

"data is a toxic asset and saving it is dangerous.“

Bruce Schneier - leading security expert


CONSUMERS ARE CAUTIOUS

DST’s joint research with Data IQ showed:

• 50% prefer not to share data

• Trust and openness (for consumers with brands) are key

• It’s really hard to get third party consent

• Shelf-life of consent is shortening – 50% of consumers want to update less than every six months. Some want it every time you contact them

• There needs to be a value exchange

• Trust flies out the window in the event of a breach


AND A LOT OF BUSINESSES ARE NOT READY

• Over 50% of brands were only ‘somewhat aware’ of GDPR

• Less than 7% of brands were ‘prepared’

• Are businesses as ready as they may imagine they are?

• Is this really high enough up the business agenda as it deserves?

• Permission to market is absolutely key – this needs to be understood and tracked business wide


THE CHALLENGE

Given all the complex changes around GDPR:

? ? How can organisations gain/retain the trust of their customers and remain fully compliant?

? ? How can organisations still maximise the use of data to gain real results?


SO WHAT DO BUSINESSES NEED TO DO?

Be fully aware

• Where am I compared to the GDPR requirements? (Gap Analysis)

• What are the risks?

• What strategy do I need to get there?

• Are there specific issues in my sector? (e.g. Fundraising Preference Service, Know Your Customer)

• Do I need any external help?

Make it a strategic focus for senior management – now

• Don’t put off for another day

• Provide time and resource


THE CHECKLIST FOR ACTION

The ICO have issued guidance on the 12 steps to take to become GDPR compliant

The key areas are:

• Business Culture & Responsibilities

• Lawful Processing

• Acknowledging Individual’s Rights

• The Right Processes for the Right Data

• Business Continuity & Breach Acknowledgement

• Reviewing and Managing Consent and Permissions


1 12 2 3 5 6 8 9 10 11 7 4

A LOT TO CONSIDER

Not straightforward, no short-cuts and no cop-outs

Organisation's need to build on current foundations to create a “Culture of Opportunity & Respect for data”

‘You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have’

Source: ICO 12 steps to take now

1 12 2 3 4 5 6 7 8 9 10 11

1

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

CULTURE OF OPPORTUNITY & RESPECT FOR DATA

• Not just compliance but building it into your priorities – a mission

• Recognising that the data is the customer and that respecting it builds trust

Your staff need to be aware of:

• what GDPR is

• what are the impacts

• what processes need to be put in place and how to follow them

• what happens when things go wrong

• how to deal with any suppliers who handle data for you

1


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: GDPR TRAINING

• Organisations needs to ensure that the all staff have a basic awareness of GDPR and the impact

• Detailed training and workshops with key staff for whom GDPR will have more of an impact in their day to day life

• DST would work together with you to assess your specific requirements

1


1 12 2 3 5 6 8 9 10 11 7 4

DATA PROTECTION OFFICERS

A Data Protection Officer is required when:

1. Processing carried out by a public authority or body (except courts)

2. Core activities involve regular/ systematic monitoring of subjects

3. Core activities involve processing of special categories data on a large scale

Article 37

Examples from recent guidance:

“processing customer data in the regular course of business, processing personal data for behavioural advertising or processing ‘real time geo-location of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services’, for example.”

1

1 12 2 3 4 5 6 7 8 9 10

12 2 3 4 5 6 7 8 9 10

11

1


1 12 2 3 5 6 8 9 10 11 7 4

INTERNATIONAL LOCATIONS

If you operate internationally, need to ascertain your supervisory authority

Based on:

1. Location for ‘main administration’ or

2. Where decisions about data processing are made

1 12

1 12 2 3 4 5 6 7 8 9 10

11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

LAWFUL PROCESSING

Both DPA and GDPR require business to have a “lawful” reason for processing

1. Consent of Data Subject

2. Necessary for the completion of a contract

3. Necessary for legal obligation

4. Necessary to protect the vital interests of Data Subject

5. Task carried out in the public interest

6. Necessary for the legitimate interest of data controller (not available for public authorities)

Only one of these needs be true for lawful processing

1 12 11

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5

6

7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

YOUR CUSTOMER’S INDIVIDUALS RIGHTS

What do they ACTUALLY mean?

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1

There are 7 individual rights

1. The right to be informed

2. The right to access

3. The right to rectification

4. The right to restrict processing

5. The right to data portability

6. The right to object

7. Rights in relation to automated decision making and profiling


1 12 2 3 5 6 8 9 10 11 7 4










1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1

What they mean


1 12 2 3 5 6 8 9 10 11 7 4










What they mean

1. What are you collecting, why and who can see it?

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean


2. How can I get to see my own stuff?

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean



3. I want to change something

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean




4. I don’t want you to do that anymore

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean





5. Give me my stuff, I want to take it to someone else

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean






6. Stop doing that

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4










What they mean






6. Stop doing that

7. What decisions have you made which stop me doing/getting something?

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

THEIR RIGHT TO BE INFORMED

1. Identity and contact details of Data Controller (you) and your DPO (if you have one)

2. Purpose of the processing and the legal basis of the processing

3. Legitimate Interest if you are using it

4. Categories of recipients of the data

5. Any transfers to third countries and safeguards

6. Retention period or criteria used of the same

7. Existence of data subjects rights

8. The right to withdraw consent at any time

9. Right to lodge a complaint with supervisory authority

10. Any data required by statutory requirement

11. Existence of automated decision making and profiling

The Data Subject (your customer) must have the following information:

…a Fair Processing Notice will now be an essay!

1 12 6 11 4 5

1 12 2 3 4 5 6 7 8 9 10 11

12 2 3 4 5 6 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

AUTOMATED DECISION MAKING & PROFILING

There was a fear that the use of automated decision making & profiling would need consent in the initial drafts of GDPR. Clarification from ICO states this is only necessary when

• The automated decision making/ profiling will result in a legal or significant effect on the data subject

So:

• For marketing – predictive analysis, modelling etc. – is fine

• For the use of fraud prevention – is fine

• Where you already ready have consent

1 12 11

1 12 2 3

4 5

6 7 8 9 10 11

12 2 3 4 5

6

7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

THE RIGHT PROCESSES & THE RIGHT DATA

You need to be fully aware of what you have in terms of customer data:

• What do I have? Where did it come from? How was it collected?

• Where is it all being held?

• What is the business using/not using?

• Who is it being shared with?

• What is the legal basis for processing this data (consent, legitimate usage)?

• What are the processes for subject access? Deletion of data? Data portability?

• What are my priorities and/or opportunities for leveraging this data asset?

• Who is accountable? Do we have the right people/skills/systems?

• Do we have the right procedures in place? Can we undertake Data Protection Impact Assessments? Is my customer data fully documented/mapped?

1 12 11

1 12 2 3

4 5

6 7 8 9 10 11

12 2

3

4 5

6

7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

RECORD KEEPING IS CRUCIAL

The Accountability Principle

• Under GDPR you are required to be able to demonstrate that you comply with the various principles

• Evidence and documentation are key

• Make sure all decisions are documented and kept for audit purposes

• Document all of the data activity

• Data journeys including locations, access, risks, controls

Consider as part of your design

• Data Minimisation

• DPIA performed or documented evidence of why the business considered them unnecessary

• Allowing individuals to monitor their own processing

1 12 11

1 12 2

3 4 5 6

7 8 9 10 11

12

2

4 5 7 8 9 10 11 1


1 12 2 3 5 6 8 9 10 11 7 4

DATA JOURNEY

What needs to be considered for the Data Journey?

• How does PII data get into the business?

• Where does it go and what processes does it go through?

• Who has access to it, in each step of the journey?

• What is the risk to the PII data at each point, do I need to do a DPIA?

• How does it leave the business?

• What suppliers/partners have access to your systems?

• What suppliers receive the data from you and for what purposes?

1 12 11

1 12 2

3 4 5 6

7 8 9 10 11

12

2

4 5 7 8 9 10 11 1


STORE USER ADDS CUSTOMER

DATA

STORE PROCESS

STORE PROCESS

EXAMPLE DATA JOURNEY


1 12 2 3 5 6 8 9 10 11 7 4

WHAT CONSTITUTES A DATA PROTECTION IMPACT ASSESSMENT?

A DPIA must be performed when:

• Is likely to result in a high risk to the rights and freedoms of natural persons

• Automatic decision making and profiling are performed which will have a legal impact on the data subject

• Large scale processing of special category data

Article 35 (Clause 1, 3)

1 12 11

1 12

2 3 4 5 6

7 8 9 10 11

12 4 5 7 8 9

10

11 1


1 12 2 3 5 6 8 9 10 11 7 4

WHAT CONSTITUTES A DATA PROTECTION IMPACT ASSESSMENT?

A DPIA will need to include:

• Systematic description of processing operations (inc. purposes of processing & legitimate interest if appropriate)

• An assessment of the necessity and proportionality of the processing operations in relation to the purposes

• Assessment of the risks to the rights and freedoms and data subject

• Measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect the data subject and demonstrate compliance

Article 35 (clause 7)

1 12 11

1 12

2 3 4 5 6

7 8 9 10 11

12 4 5 7 8 9

10

11 1


1 12 2 3 5 6 8 9 10 11 7 4

BUSINESS CONTINUITY

The DPA required you to keep data secure, but GDPR expands this to include requirements

• for confidentiality, integrity, availability and resilience of processing systems and services (Article 32.1b)

• The ability to restore that availability and access to personal data in a timely manner in the event of a physical or technical incident (not defined) (Article 32.1c)

• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32.1d)

Your approach to Business Continuity and Testing is now wrapped up in legislation

1 12 11

1 12

2 3 4 5 6

7 8 9

10

11

12 4 5 7 8

9

11 1


1 12 2 3 5 6 8 9 10 11 7 4

DATA BREACHES

• Need to notify the ICO (and possibly other bodies) within 72 hours if the breach is likely to result in a high risk to the individual

• Need to have the right procedures in place to detect, report and investigate a personal data breach

• Whilst there is no set timeframe, clients need to inform the public ‘without undue delay’ in the event of a serious breach where it might leave them open to financial loss or high risk to the ‘rights and freedoms’ of the individual

• Failure to report a breach could result in a fine, as well as a fine for the breach itself

1 12 11

1 12

2 3 4 5 6

7 8 9

10

11

12 4 5 7 8

9

11 1


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: DATA EXPLORATION

• Get a better understanding of your existing data landscape

• Recognise the gaps between Current & Future state

• Recommend data strategies to close those gaps

Data Exploration from compliance and CRM best-practice point of views

2 3 5 6 8 10 1 12 11 4 9


1 12 2 3 5 6 8 9 10 11 7 4

DATA BREACHES

1 12 11

1 12

2 3 4 5 6

7 8 9

10

11

12 4 5 7 8

9

11 1

‘A sincere and personal apology’ The #1 proactive action a company can take to help prevent the end of a customer relationship Source: Ponemon Consumer Study on Aftermath of a Breach


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: BREACH NOTIFICATION

• Outbound communications to allay customer fears – copywriting, signposting, next steps, customer protection

• Manage inbound calls

• International coverage

• Individual-level communication evidence

1 12 11

1 12

2 3 4 5 6

7 8 9

10

11

12 4 5 7 8

9

11 1

COMMUNICATION AUDIENCE

CONTACT PREFERENCE

EMAIL COMMUNICATION

DIRECT MAIL COMMUNICATION

ADMISSION

INBOUND CUSTOMER CALLS

EMAIL COMMUNICATION

DIRECT MAIL COMMUNICATION

ACTION

Investigation & Mitigation


OPINION: DATA JOURNEYS

Has your organisation mapped out all your data journeys?

1. Yes, completed

2. Reaching maturing

3. Early stages

4. No

5. Unsure

3%

5%

50%

29%

13%


OPINION: BREACH NOTIFICATION PLANNING

Does your organisation have clear procedures laid down in the event of a data breach?

1. Yes

2. Some procedures

3. No – we would need to react quickly

4. Unsure

38%

36%

21%

5%


1 12 2 3 5 6 8 9 10 11 7 4

CONSENT IS KEY

• Existing consumer consent may not be sufficient for GDPR – need to review

• Consent MUST be freely given specific, informed indication of the individuals wishes for an unambiguous purpose – in clear and plain language

• Need to evidence when, what and how consent was given

• New identities, such as IP addresses, device IDs, Facebook IDs are personal data

• Data controller responsibility to ensure third-parties collect data in a compliant manner

Affirmative, evidenced action

Silence Pre-ticked boxes

1 12 11

1 12

2 3 4 5 6

7 8

9 10

11

12 4 5

7

8 11 1


1 12 2 3 5 6 8 9 10 11 7 4

CONSENT IS KEY

• Consent is not permanent

• If in doubt, refresh consent

• Consumers want a ‘refresh’ every 6 months (Source: DST Data IQ Research)

1 12 11

1 12

2 3 4 5 6

7 8

9 10

11

12 4 5

7

8 11 1


1 12 2 3 5 6 8 9 10 11 7 4

CONSENT PERIOD

1 12 11

1 12

2 3 4 5 6

7 8

9 10

11

12 4 5

7

8 11 1

• Consider and document business and consumer points of view

• Document your decision making process and rationale

Source: ICO Consent Guidance


1 12 2 3 5 6 8 9 10 11 7 4

CONSENT MANAGEMENT

• Consent management – across channels, campaigns and brands

• Is consent withdrawal/ change preferences/ ’right to be forgotten’ as easy as giving consent?

• Is the data you are collecting mandatory for the service? Are you ‘coercing’ consent? Was it genuine free choice?

• Protection for children and consent – gather parental or guardian consent

• Are you monitoring permissions? Need to understand changes and act upon them

1 12 11

1 12

2 3 4 5 6

7 8

9 10

11

12 4 5

7 8

11 1


1 12 2 3 5 6 8 9 10 11 7 4

WHAT IF YOUR CURRENT CONSENT IS NOT VALID?

A plan of action:

1. Attempt to regain consent using GDPR compliant processes before May 2018 – campaigns to re-permission legacy customers

2. Consider if you can use an alternate reason for processing the Data Subject data –Legitimate Interest

1 12 11

1 12

2 3 4 5 6

7

8 9 10

11

12 4 5

7

8 11 1


1 12 2 3 5 6 8 9 10 11 7 4

PERMISSION STATEMENT LANGUAGE

Focus shift - not just a legal task – Marketing & Legal/ Compliance

Content

• Easy for consumers to find and understand. Consider Multilayer approach

• In your brands language and tone to build trust

• Inform consumers of their rights under GDPR

PERMISSIONS & PRIVACY POLICY

1 12 11

1 12

2 3 4 5 6

7

8 9 10

11

12 4 5

7

8 11 1


OPINION: PERMISSION STATEMENTS

Who is involved in drafting your permissions statement?

1. Legal only

2. Legal & Marketing

3. Marketing only

4. Unsure

16%

66%

3%

16%


Does your organisation have a consolidated company wide view of permissions?

1. Yes

2. In planning/ development

3. No

4. Unsure

OPINION: PERMISSION GATHERING

18%

32%

32%

18%


OPINION: CONSENT – ARE YOU READY?

Are you confident that all your customers data has permission flags that are compliant with GDPR?

1. Very confident

2. Somewhat confident

3. Not so confident

4. Unsure

5. Going back to the office to check!

10%

21%

54%

10%

5%


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: REPERMISSION CAMPAIGNS

Need to ‘re-permission’ existing subscribers/ customers

• Tactical Opt-In programme – including email with easy opt-in confirmation

• Win-Back or auto unsubscribe campaigns

• Link through to consent/ content preferences

Empower the recipient or risk losing them

PLAN

CREATE

DELIVER

1 12 11

1 12

2 3 4 5 6

7

8 9 10

11

12 4 5

7

8 11 1


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: PERMISSION RESEARCH

• Organisations are reluctant to test permission variants in the live environment as it affects all future communications possibilities - so research is a viable alternative

• The Data Permissions Benchmark is a structured approach with 14 dimensions and optimises your statement(s) against industry benchmarks

1 12 11

1 12

2 3 4 5 6

7

8 9 10

11

12 4 5

7

8 11 1


1 12 2 3 5 6 8 9 10 11 7 4

DST SOLUTION: PREFERENCE CENTRE

Secure Online Microsite

• Easy to use, easy to digest why data is being collected/ used

• Manage consent and channel preferences, including child consent

• Inform/ manage individuals rights

• Manage complexity across brands

• Verify additional key data variables

• Encourage content preferences/ breaks rather than full unsubscribe

1 12 11

1 12

2 3 5 6

7

9 10

11

12

4

5

7 8

11 1


HOW PHE ARE PREPARING FOR GDPR


In the public eye

• Motivate and support millions more people to make and sustain changes that improve their health

• 8 national brands covering health behaviours from cradle to grave

• Broad mix of data collected depending on campaign

• 6m customer records held on database and an ever growing digital ecosystem

• Maximum public scrutiny = maximum data rigour required


Our current data landscape

• Complex interconnectivity of data stored across brands and channels with consent at different levels

• Single view of customers important to manage our campaigns effectively and manage customer privacy

• Since 2008, all customer PII data is held at DST on SCV, a deliberate consolidation to ensure limited supplier exposure to and management of customer data • Strict controls and process in place to access data • All data shared is anonymised and not even PHE can see customer names and addresses

• Named data is only part of the picture – opportunities to leverage cookie and device id data is more

prevalent but continual governance reappraisal required

• Irrespective of GDPR, data security and respect of customer privacy is critical - strict internal policies and procedures followed in all data related matters.


How are we preparing ourselves for GDPR

• GDPR puts this into sharp focus and provides roadmap for how we can do more for our customers.

• Need to be prepared to find out who still wants to be on our database and create strong value exchange for keeping them

• Awareness building – people know it is coming but full impact not known yet

• Internal champion is key • Repetition at senior management level – it’s not top of their list (yet) • Engaging the cross-floor team and awareness training critical to embedding it culturally • Engaging suppliers – Data Council established to discuss data opportunities and challenges

• Commissioning DST to lead on GDPR preparation:

• Gain a full understanding of the whole PHE data landscape • Recognise gaps between current data abilities and compliance levels and desired future state • Recommend data improvement strategies and roadmap to close those gaps


Putting customers in control of their preferences

• As more campaigns added more unsubscribe routes. No single view and clarity for consumer existed beyond each single unsubscribe event

• New Preference Centre built to recognise need to give customers access to their data and easily manage details and consent

• Puts us ahead of the game in terms of being GDPR-ready and recognising the importance of consent in marketing comms

• Good reset point for PHE to review all historic opt-ins and have complete confidence in how manage customer preferences


Embracing GDPR in a positive way

• The new regulation is not unreasonable

• As a government arm, we have a duty to do the right thing

• Duty not to waste public money communicating to people who don’t want to be communicated with

• Good reset point and we shouldn’t be afraid of the potential impact on our database size.

• Opportunity to focus on the wider data landscape

• It’s about having confidence in the brands and our skills as marketeers to motivate consumers to take an action and engage with us on their terms


HOW PHE ARE PREPARING FOR GDPR


OPINION: GDPR – ARE YOU READY?

After coming here today how prepared do you now feel about the GDPR regulation changes?

1. I was (and am) well prepared

2. I’m much better prepared

3. I’m still unsure of what is required

4. It’s all still unclear to me


SUMMARY


THE ICO’S 12 STEPS & HOW WE CAN HELP 1 AWARENESS

2 INFORMATION YOU HOLD

3 COMMUNICATING PRIVACY INFORMATION

4 INDIVIDUALS’ RIGHTS

5 SUBJECT ACCESS RIGHTS

6 LEGAL BASIS FOR PROCESSING PERSONAL DATA

7 CONSENT

8 CHILDREN (CONSENT VERIFICATION)

9 DATA BREACHES

10 DATA PROTECTION BY DESIGN/ IMPACT ASSESSMENT

11 DATA PROTECTION OFFICERS

12 INTERNATIONAL (SUPERVISORY AUTHORITY RECOGNITION)

GDPR AWARENESS TRAINING

DST DATA EXPLORATION

DST REPERMISSIONING DST PREFERENCE CENTRE DST PREFERENCE RESEARCH

DST BREACH NOTIFICATION

ICO 12 Step Guide: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf


DST’S CREDENTIALS

Certified Compliance

Experts

Compliance

Planning

Data Analysts

Solution Design

Data Management

Experts

70 billion records in the

last 12 months

ISO 27001 certified

Partner Compliance

100 million multichannel

regulatory campaigns in

the last 12 months

Provide solutions

tailored to meet your business

needs


CLOSING SUMMARY

GDPR will impact your businesses and now is

the time to act

More than just ‘cost of compliance’

An opportunity to gain better engagement with

the right people

We can support you on this journey; not with

legal or regulatory advice, but with

expertise and practical solutions


PANEL DISCUSSION

gdpr compliance & your customer...

Documents