GDPR COMPLIANCE & YOUR CUSTOMER COMMUNICATIONS
PPT First Edition | June 2016
DISCLAIMER
The enclosed materials are highly sensitive, proprietary and confidential. Please use every effort to safeguard the confidentiality of these materials. Please do not copy, distribute, use, share or otherwise provide access to these materials to any person inside or outside DST without prior written approval.
This proprietary, confidential presentation is for general informational purposes only and does not constitute an agreement. By making this presentation available to you, we are not granting any express or implied rights or licenses under any intellectual property right.
If we permit your printing, copying or transmitting of content in this presentation, it is under a non-exclusive, non-transferable, limited license, and you must include or refer to the copyright notice contained in this document. You may not create derivative works of this presentation or its content without our prior written permission. Any reference in this presentation to another entity or its products or services is provided for convenience only and does not constitute an offer to sell, or the solicitation of an offer to buy, any products or services offered by such entity, nor does such reference constitute our endorsement, referral, or recommendation.
Our trademarks and service marks and those of third parties used in this presentation are the property of their respective owners.
© 2017 DST Output London Ltd, Inc. All rights reserved.
ABOUT US
• Chris Parkinson – Head of Risk & Data Privacy
• Marc Michaels – Director of Strategy & Insight
• Paul Jempson – Senior Solution Design Consultant
• Alistair Duvoisin – Head of CRM & Data (PHE)
Twitter: @PJchats @DST_UK @MarcPMichaels
Contact: 07968 759514 [email protected] | 07875 134 818 [email protected] | 07825 506 471 [email protected]
Tweet us @DST_UK #DSTGDPR
dstdemo.com/GDPR
BEFORE WE START
What you are about to hear is based on:
• Our current understanding of the GDPR regulations as published
• Together with guidance that has been issued by appropriate bodies (<4th March)
• Our own research with Data IQ
• Keeping abreast of general developments and news
Note: Not all guidance has been issued on all topics
There will be different interpretations of how legislation should be applied
LEGAL SUPPORT & ADVICE (Free for DMA members) [email protected]
OPINION: GDPR – ARE YOU READY?
Before coming here today, how prepared for the GDPR regulation changes do you feel? (honestly!)
1. Yes, completely prepared – 0%
2. Nearly there – 3%
3. We have started – 64%
4. Not yet started – 33%
GUIDANCE AVAILABLE
INFORMATION COMMISSIONER OFFICE
Issued:
• Preparing for the GDPR – 12 steps to take now
• Overview of GDPR
• Privacy Notices Code of Practice – updated with GDPR requirements
• GDPR Consent Draft Guidance
To follow:
• Contracts and Liability
• Profiling
• Risk
WORKING PARTY 29
Issued:
• Guidelines on Data Protection Officers
• Guidelines on the right to data portability
• Guidelines for identifying a controller or processor’s lead supervisory authority
• Administrative fines
• High risk processing and Data Protection Impact Assessments
• Certification
• Profiling
• Consent
• Transparency
• Notification of personal data breaches
• Tools for international transfers
To follow:
THE CONTEXT
Marketers want to be timely, relevant and motivating with marketing messages to prospects and customers. Data is a key component of the fuel that can drive this successfully.
BUT consumers only want useful messages, and many are suspicious about sharing their data in case it is misused/abused. Others will quite happily part with their data if they see the value in doing so.
AND Government/EU want to ensure that people’s right to privacy is respected, and that businesses adhere to the new regulations designed for today’s modern communications landscape.
THE NEW REGULATIONS
• GDPR will be in force 25 May 2018
• Brexit has no impact
• The culture and infrastructure changes mean organisations need to be working on this now
• Fines up to €20m or 4 per cent of an organisation’s annual worldwide turnover
• The review of the e-Privacy directive (email, cookies) is linked to GDPR and the EU are looking to align them
Sections:
• What's new
• Introduction
• Principles
• Key areas to consider
• Individuals' rights
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling
• Accountability and governance
• Breach notification
• Transfer of data
• National derogations
IT’S A BIG ISSUE… WITH LOTS OF NOISE
“Data is a toxic asset and saving it is dangerous.”
Bruce Schneier – leading security expert
CONSUMERS ARE CAUTIOUS
DST’s joint research with Data IQ showed:
• 50% prefer not to share data
• Trust and openness (for consumers with brands) are key
• It’s really hard to get third party consent
• Shelf-life of consent is shortening – 50% of consumers want to update less than every six months. Some want it every time you contact them
• There needs to be a value exchange
• Trust flies out the window in the event of a breach
AND A LOT OF BUSINESSES ARE NOT READY
• Over 50% of brands were only ‘somewhat aware’ of GDPR
• Less than 7% of brands were ‘prepared’
• Are businesses as ready as they may imagine they are?
• Is this as high up the business agenda as it deserves to be?
• Permission to market is absolutely key – this needs to be understood and tracked business wide
THE CHALLENGE
Given all the complex changes around GDPR:
• How can organisations gain/retain the trust of their customers and remain fully compliant?
• How can organisations still maximise the use of data to gain real results?
SO WHAT DO BUSINESSES NEED TO DO?
Be fully aware
• Where am I compared to the GDPR requirements? (Gap Analysis)
• What are the risks?
• What strategy do I need to get there?
• Are there specific issues in my sector? (e.g. Fundraising Preference Service, Know Your Customer)
• Do I need any external help?
Make it a strategic focus for senior management – now
• Don’t put off for another day
• Provide time and resource
THE CHECKLIST FOR ACTION
The ICO have issued guidance on the 12 steps to take to become GDPR compliant
The key areas are:
• Business Culture & Responsibilities
• Lawful Processing
• Acknowledging Individual’s Rights
• The Right Processes for the Right Data
• Business Continuity & Breach Acknowledgement
• Reviewing and Managing Consent and Permissions
A LOT TO CONSIDER
Not straightforward, no short-cuts and no cop-outs
Organisations need to build on current foundations to create a “Culture of Opportunity & Respect for data”
‘You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have’
Source: ICO 12 steps to take now
CULTURE OF OPPORTUNITY & RESPECT FOR DATA
• Not just compliance but building it into your priorities – a mission
• Recognising that the data is the customer and that respecting it builds trust
Your staff need to be aware of:
• what GDPR is
• what are the impacts
• what processes need to be put in place and how to follow them
• what happens when things go wrong
• how to deal with any suppliers who handle data for you
DST SOLUTION: GDPR TRAINING
• Organisations need to ensure that all staff have a basic awareness of GDPR and its impact
• Detailed training and workshops with key staff for whom GDPR will have more of an impact in their day to day life
• DST would work together with you to assess your specific requirements
DATA PROTECTION OFFICERS
A Data Protection Officer is required when:
1. Processing carried out by a public authority or body (except courts)
2. Core activities involve regular/ systematic monitoring of subjects
3. Core activities involve processing of special categories of data on a large scale
Article 37
Examples from recent guidance:
“processing customer data in the regular course of business, processing personal data for behavioural advertising or processing ‘real time geo-location of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services’, for example.”
INTERNATIONAL LOCATIONS
If you operate internationally, you need to ascertain your supervisory authority
Based on:
1. Location for ‘main administration’ or
2. Where decisions about data processing are made
LAWFUL PROCESSING
Both the DPA and GDPR require businesses to have a “lawful” reason for processing:
1. Consent of the Data Subject
2. Necessary for the completion of a contract
3. Necessary for a legal obligation
4. Necessary to protect the vital interests of the Data Subject
5. Task carried out in the public interest
6. Necessary for the legitimate interest of the data controller (not available for public authorities)
Only one of these needs to be true for lawful processing
YOUR CUSTOMER’S INDIVIDUAL RIGHTS
What do they ACTUALLY mean?
There are 7 individual rights:
1. The right to be informed
2. The right to access
3. The right to rectification
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. Rights in relation to automated decision making and profiling
What they mean:
1. What are you collecting, why and who can see it?
2. How can I get to see my own stuff?
3. I want to change something
4. I don’t want you to do that anymore
5. Give me my stuff, I want to take it to someone else
6. Stop doing that
7. What decisions have you made which stop me doing/getting something?
THEIR RIGHT TO BE INFORMED
The Data Subject (your customer) must have the following information:
1. Identity and contact details of the Data Controller (you) and your DPO (if you have one)
2. Purpose of the processing and the legal basis of the processing
3. Legitimate Interest, if you are relying on it
4. Categories of recipients of the data
5. Any transfers to third countries and the safeguards in place
6. Retention period, or the criteria used to determine it
7. Existence of data subjects’ rights
8. The right to withdraw consent at any time
9. Right to lodge a complaint with the supervisory authority
10. Any data required by statutory requirement
11. Existence of automated decision making and profiling
…a Fair Processing Notice will now be an essay!
AUTOMATED DECISION MAKING & PROFILING
There was a fear, in the initial drafts of GDPR, that the use of automated decision making & profiling would need consent. Clarification from the ICO states this is only necessary when:
• The automated decision making/profiling will result in a legal or significant effect on the data subject
So:
• For marketing – predictive analysis, modelling etc. – is fine
• For the use of fraud prevention – is fine
• Where you already have consent – is fine
THE RIGHT PROCESSES & THE RIGHT DATA
You need to be fully aware of what you have in terms of customer data:
• What do I have? Where did it come from? How was it collected?
• Where is it all being held?
• What is the business using/not using?
• Who is it being shared with?
• What is the legal basis for processing this data (consent, legitimate usage)?
• What are the processes for subject access? Deletion of data? Data portability?
• What are my priorities and/or opportunities for leveraging this data asset?
• Who is accountable? Do we have the right people/skills/systems?
• Do we have the right procedures in place? Can we undertake Data Protection Impact Assessments? Is my customer data fully documented/mapped?
RECORD KEEPING IS CRUCIAL
The Accountability Principle
• Under GDPR you are required to be able to demonstrate that you comply with the various principles
• Evidence and documentation are key
• Make sure all decisions are documented and kept for audit purposes
• Document all of the data activity
• Data journeys including locations, access, risks, controls
Consider as part of your design
• Data Minimisation
• DPIA performed or documented evidence of why the business considered them unnecessary
• Allowing individuals to monitor their own processing
DATA JOURNEY
What needs to be considered for the Data Journey?
• How does PII data get into the business?
• Where does it go and what processes does it go through?
• Who has access to it, in each step of the journey?
• What is the risk to the PII data at each point, do I need to do a DPIA?
• How does it leave the business?
• What suppliers/partners have access to your systems?
• What suppliers receive the data from you and for what purposes?
EXAMPLE DATA JOURNEY
(Diagram: store user adds customer data → store process → store process)
WHAT CONSTITUTES A DATA PROTECTION IMPACT ASSESSMENT?
A DPIA must be performed when:
• Processing is likely to result in a high risk to the rights and freedoms of natural persons
• Automated decision making and profiling are performed which will have a legal impact on the data subject
• Large scale processing of special category data is carried out
Article 35 (Clause 1, 3)
WHAT CONSTITUTES A DATA PROTECTION IMPACT ASSESSMENT?
A DPIA will need to include:
• Systematic description of the processing operations (inc. purposes of processing & legitimate interest if appropriate)
• An assessment of the necessity and proportionality of the processing operations in relation to the purposes
• Assessment of the risks to the rights and freedoms of data subjects
• Measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect the data subject and demonstrate compliance
Article 35 (clause 7)
BUSINESS CONTINUITY
The DPA required you to keep data secure, but GDPR expands this to include requirements for:
• The confidentiality, integrity, availability and resilience of processing systems and services (Article 32.1b)
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (not defined) (Article 32.1c)
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (Article 32.1d)
Your approach to Business Continuity and Testing is now wrapped up in legislation
DATA BREACHES
• Need to notify the ICO (and possibly other bodies) within 72 hours if the breach is likely to result in a high risk to the individual
• Need to have the right procedures in place to detect, report and investigate a personal data breach
• Whilst there is no set timeframe, clients need to inform the public ‘without undue delay’ in the event of a serious breach where it might leave them open to financial loss or high risk to the ‘rights and freedoms’ of the individual
• Failure to report a breach could result in a fine, as well as a fine for the breach itself
DST SOLUTION: DATA EXPLORATION
• Get a better understanding of your existing data landscape
• Recognise the gaps between Current & Future state
• Recommend data strategies to close those gaps
Data Exploration from compliance and CRM best-practice point of views
DATA BREACHES
‘A sincere and personal apology’ – the #1 proactive action a company can take to help prevent the end of a customer relationship
Source: Ponemon Consumer Study on Aftermath of a Breach
DST SOLUTION: BREACH NOTIFICATION
• Outbound communications to allay customer fears – copywriting, signposting, next steps, customer protection
• Manage inbound calls
• International coverage
• Individual-level communication evidence
(Flow diagram: Communication audience; Contact preference; Email communication; Direct mail communication; Admission; Inbound customer calls; Email communication; Direct mail communication; Action – Investigation & Mitigation)
OPINION: DATA JOURNEYS
Has your organisation mapped out all your data journeys?
1. Yes, completed – 3%
2. Reaching maturity – 5%
3. Early stages – 50%
4. No – 29%
5. Unsure – 13%
OPINION: BREACH NOTIFICATION PLANNING
Does your organisation have clear procedures laid down in the event of a data breach?
1. Yes – 38%
2. Some procedures – 36%
3. No – we would need to react quickly – 21%
4. Unsure – 5%
CONSENT IS KEY
• Existing consumer consent may not be sufficient for GDPR – it needs to be reviewed
• Consent MUST be a freely given, specific, informed indication of the individual’s wishes for an unambiguous purpose – in clear and plain language
• Need to evidence when, what and how consent was given
• New identifiers, such as IP addresses, device IDs and Facebook IDs, are personal data
• It is the data controller’s responsibility to ensure third parties collect data in a compliant manner
Valid: affirmative, evidenced action. Not valid: silence, pre-ticked boxes.
CONSENT IS KEY
• Consent is not permanent
• If in doubt, refresh consent
• Consumers want a ‘refresh’ every 6 months (Source: DST Data IQ Research)
CONSENT PERIOD
• Consider and document business and consumer points of view
• Document your decision making process and rationale
Source: ICO Consent Guidance
CONSENT MANAGEMENT
• Consent management – across channels, campaigns and brands
• Is consent withdrawal/changing preferences/the ‘right to be forgotten’ as easy as giving consent?
• Is the data you are collecting mandatory for the service? Are you ‘coercing’ consent? Was it a genuine free choice?
• Protection for children and consent – gather parental or guardian consent
• Are you monitoring permissions? You need to understand changes and act upon them
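As an added example, not part of the original presentation and not DST’s own tooling, the Python sketch below shows one way to keep the consent evidence the consent slides ask for: when, what and how consent was given, whether it was an affirmative action rather than silence or a pre-ticked box, when it was withdrawn, and whether it is due a refresh. The mechanism labels, the roughly six-month refresh window and the sample subjects are assumptions constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical mechanism labels. The first set counts as an affirmative action;
# the second set is what the slide lists as not valid (silence, pre-ticked boxes).
AFFIRMATIVE_MECHANISMS = {"unticked_box_ticked", "double_opt_in_email", "signed_form"}
INVALID_MECHANISMS = {"pre_ticked_box", "silence"}


def is_valid_grant_mechanism(mechanism: str) -> bool:
    """True only for mechanisms that represent an affirmative, evidenced action."""
    return mechanism in AFFIRMATIVE_MECHANISMS


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str             # specific purpose, e.g. "email_marketing", never a blanket "marketing"
    channel: str             # where it was captured (web form, call centre, preference centre)
    mechanism: str           # how the subject acted: the "how" evidence
    statement_version: str   # which wording the subject saw: the "what" evidence
    timestamp: datetime      # timezone-aware, when it was given or withdrawn: the "when" evidence
    granted: bool            # True = consent given, False = consent withdrawn


class ConsentLedger:
    """Append-only log of consent events, queryable for current status and audit evidence."""

    def __init__(self, refresh_window: timedelta = timedelta(days=182)):
        # Assumed policy: refresh after roughly six months, the figure the slides
        # quote from DST's research. A real deployment would set this per purpose.
        self.refresh_window = refresh_window
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        """Store an event; refuse to record a grant that was not an affirmative action."""
        if event.granted and not is_valid_grant_mechanism(event.mechanism):
            raise ValueError(f"{event.mechanism!r} is not a valid consent mechanism")
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware so the audit trail is unambiguous")
        self._events.append(event)

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """Full history for one subject and purpose, oldest first: what an auditor would ask for."""
        return [asdict(e) for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def status(self, subject_id: str, purpose: str, now: datetime) -> str:
        """Return 'none', 'withdrawn', 'stale' (refresh needed) or 'valid' as of `now`."""
        history = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose and e.timestamp <= now]
        if not history:
            return "none"
        latest = max(history, key=lambda e: e.timestamp)
        if not latest.granted:
            return "withdrawn"
        if now - latest.timestamp > self.refresh_window:
            return "stale"
        return "valid"


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: three subjects and one purpose."""
    ledger = ConsentLedger()
    t0 = datetime(2017, 9, 1, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("s1", "email_marketing", "web_form", "unticked_box_ticked", "v2017-03", t0, True))
    ledger.record(ConsentEvent("s2", "email_marketing", "web_form", "unticked_box_ticked", "v2017-03", t0, True))
    # s2 later withdraws via the preference centre; withdrawal needs no mechanism check
    ledger.record(ConsentEvent("s2", "email_marketing", "preference_centre", "toggle_off", "v2017-03",
                               t0 + timedelta(days=30), False))
    # s3 consented over a year earlier under an older statement wording
    ledger.record(ConsentEvent("s3", "email_marketing", "web_form", "double_opt_in_email", "v2016-01",
                               t0 - timedelta(days=400), True))
    return ledger


def demo_statuses() -> Dict[str, str]:
    """Evaluate every subject (plus one never seen) on a fixed date."""
    ledger = build_demo_ledger()
    now = datetime(2017, 11, 1, tzinfo=timezone.utc)
    return {s: ledger.status(s, "email_marketing", now) for s in ("s1", "s2", "s3", "s4")}


if __name__ == "__main__":
    print(demo_statuses())
```

The ledger never overwrites a record, so the evidence for a subject is the whole sequence of grants and withdrawals with the statement version attached to each; a campaign selection would call `status()` per purpose and treat anything other than `valid` as a reason not to send, with `stale` feeding a re-permission campaign.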
WHAT IF YOUR CURRENT CONSENT IS NOT VALID?
A plan of action:
1. Attempt to regain consent using GDPR-compliant processes before May 2018 – campaigns to re-permission legacy customers
2. Consider if you can use an alternative reason for processing the Data Subject’s data – Legitimate Interest
PERMISSION STATEMENT LANGUAGE
Focus shift – not just a legal task, but one for Marketing & Legal/Compliance together
Content:
• Easy for consumers to find and understand. Consider a multilayered approach
• In your brand’s language and tone, to build trust
• Inform consumers of their rights under GDPR
PERMISSIONS & PRIVACY POLICY
OPINION: PERMISSION STATEMENTS
Who is involved in drafting your permissions statement?
1. Legal only – 16%
2. Legal & Marketing – 66%
3. Marketing only – 3%
4. Unsure – 16%
OPINION: PERMISSION GATHERING
Does your organisation have a consolidated company wide view of permissions?
1. Yes – 18%
2. In planning/development – 32%
3. No – 32%
4. Unsure – 18%
OPINION: CONSENT – ARE YOU READY?
Are you confident that all your customers’ data has permission flags that are compliant with GDPR?
1. Very confident – 10%
2. Somewhat confident – 21%
3. Not so confident – 54%
4. Unsure – 10%
5. Going back to the office to check! – 5%
DST SOLUTION: REPERMISSION CAMPAIGNS
Need to ‘re-permission’ existing subscribers/customers
• Tactical Opt-In programme – including email with easy opt-in confirmation
• Win-Back or auto-unsubscribe campaigns
• Link through to consent/content preferences
Empower the recipient or risk losing them
(Process diagram: Plan → Create → Deliver)
DST SOLUTION: PERMISSION RESEARCH
• Organisations are reluctant to test permission variants in the live environment, as it affects all future communication possibilities – so research is a viable alternative
• The Data Permissions Benchmark is a structured approach with 14 dimensions that optimises your statement(s) against industry benchmarks
DST SOLUTION: PREFERENCE CENTRE
Secure Online Microsite
• Easy to use, easy to digest why data is being collected/used
• Manage consent and channel preferences, including child consent
• Inform/manage individuals’ rights
• Manage complexity across brands
• Verify additional key data variables
• Encourage content preferences/breaks rather than full unsubscribe
HOW PHE ARE PREPARING FOR GDPR
In the public eye
• Motivate and support millions more people to make and sustain changes that improve their health
• 8 national brands covering health behaviours from cradle to grave
• Broad mix of data collected depending on campaign
• 6m customer records held on database and an ever growing digital ecosystem
• Maximum public scrutiny = maximum data rigour required
Our current data landscape
• Complex interconnectivity of data stored across brands and channels, with consent at different levels
• A single view of customers is important to manage our campaigns effectively and manage customer privacy
• Since 2008, all customer PII data has been held at DST on the SCV, a deliberate consolidation to ensure limited supplier exposure to and management of customer data
• Strict controls and processes in place to access data
• All data shared is anonymised; not even PHE can see customer names and addresses
• Named data is only part of the picture – opportunities to leverage cookie and device ID data are more prevalent, but continual governance reappraisal is required
• Irrespective of GDPR, data security and respect of customer privacy is critical – strict internal policies and procedures are followed in all data related matters.
How are we preparing ourselves for GDPR?
• GDPR puts this into sharp focus and provides a roadmap for how we can do more for our customers
• Need to be prepared to find out who still wants to be on our database and create a strong value exchange for keeping them
• Awareness building – people know it is coming but the full impact is not known yet
• Internal champion is key
• Repetition at senior management level – it’s not top of their list (yet)
• Engaging the cross-floor team and awareness training are critical to embedding it culturally
• Engaging suppliers – Data Council established to discuss data opportunities and challenges
• Commissioning DST to lead on GDPR preparation:
• Gain a full understanding of the whole PHE data landscape
• Recognise gaps between current data abilities and compliance levels and the desired future state
• Recommend data improvement strategies and a roadmap to close those gaps
Putting customers in control of their preferences
• As more campaigns were added, more unsubscribe routes appeared. No single view or clarity for the consumer existed beyond each single unsubscribe event
• New Preference Centre built to recognise the need to give customers access to their data and easily manage details and consent
• Puts us ahead of the game in terms of being GDPR-ready and recognising the importance of consent in marketing comms
• Good reset point for PHE to review all historic opt-ins and have complete confidence in how we manage customer preferences
Embracing GDPR in a positive way
• The new regulation is not unreasonable
• As a government arm, we have a duty to do the right thing
• Duty not to waste public money communicating to people who don’t want to be communicated with
• Good reset point and we shouldn’t be afraid of the potential impact on our database size.
• Opportunity to focus on the wider data landscape
• It’s about having confidence in the brands and our skills as marketeers to motivate consumers to take an action and engage with us on their terms
OPINION: GDPR – ARE YOU READY?
After coming here today how prepared do you now feel about the GDPR regulation changes?
1. I was (and am) well prepared
2. I’m much better prepared
3. I’m still unsure of what is required
4. It’s all still unclear to me
SUMMARY
THE ICO’S 12 STEPS & HOW WE CAN HELP
1 AWARENESS
2 INFORMATION YOU HOLD
3 COMMUNICATING PRIVACY INFORMATION
4 INDIVIDUALS’ RIGHTS
5 SUBJECT ACCESS RIGHTS
6 LEGAL BASIS FOR PROCESSING PERSONAL DATA
7 CONSENT
8 CHILDREN (CONSENT VERIFICATION)
9 DATA BREACHES
10 DATA PROTECTION BY DESIGN/ IMPACT ASSESSMENT
11 DATA PROTECTION OFFICERS
12 INTERNATIONAL (SUPERVISORY AUTHORITY RECOGNITION)
How we can help: GDPR Awareness Training; DST Data Exploration; DST Repermissioning; DST Preference Centre; DST Preference Research; DST Breach Notification
ICO 12 Step Guide: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
DST’S CREDENTIALS
• Certified Compliance Experts
• Compliance Planning
• Data Analysts
• Solution Design
• Data Management Experts
• 70 billion records in the last 12 months
• ISO 27001 certified
• Partner Compliance
• 100 million multichannel regulatory campaigns in the last 12 months
• Provide solutions tailored to meet your business needs
CLOSING SUMMARY
• GDPR will impact your businesses and now is the time to act
• More than just ‘cost of compliance’
• An opportunity to gain better engagement with the right people
• We can support you on this journey; not with legal or regulatory advice, but with expertise and practical solutions
PANEL DISCUSSION