Conducting Compliant Marketing & SARs Workshop - CMG Events www.castlebridge.ie Data Privacy Information Governance Information Quality (c) 2015-2016 Castlebridge - distributed with permission
Direct Marketing & GDPR
Understanding the link between marketing activity, Subject Access Requests, and GDPR
Hosted by

GDPR overview

GDPR
- Enhanced rights for data subjects
- Accountability, transparency, security
- Fines and enforcement by Regulator

Rights for data subjects
- Right to object to processing
- Right to withdraw consent to processing
- Right to make a Subject Access Request

Responsibilities for companies
- Fair and lawful obtaining of data
- Adherence to the standards of GDPR
- Document processes to demonstrate compliance

GDPR – a risk-based approach
- Identify risks
- Assess level of risk aversion
- Minimise exposure and implement best practice
Risks and implications of direct marketing

Direct marketing
- Information about products, services, events
- Linked by a call to action
- Asking the subject to exchange money, data, or time

Direct marketing risks
- Bad/unlawful marketing annoys customers
- Customers are more aware of their rights
- Angry customers are more likely to complain

Risks to business
- Reputational damage / loss of customer faith
- Subject Access Request or prosecution by the DPC
- Operational risks: fines or an order to cease processing of data

DPC and complaints
- 58% increase in complaints to the DPC in 2016
- Data subjects increasingly exercising SAR rights
- Bad marketing is a driver of Subject Access Requests

Subject access requests
- Data subject has the right to request a copy of all data held
- Estimated cost in resourcing and outsourcing a single SAR: minimum €700, maximum over €100k

Other sanctions
- Fines of 2% / 4% of turnover, or €10m / €20m
- A notice to stop processing could be more damaging
- Potential to massively disrupt business
GDPR and direct marketing

Direct marketing methods
- Electronic mail
- Calls and texts
- Landline / postal

Obtaining data
- Processes for obtaining data must comply with GDPR
- Must be able to explain where the data came from
- Must be able to explain the nature of processing

Consent and electronic mail
- Opt-in required
- Inform at time of data capture of the DM purpose
- Must tell the customer who is sending the email/SMS
- Simple and free mechanism for contact/opt-out

Consent and calling landlines
- Opt-out
- Inform at time of data capture of the DM purpose
- Check the NDD for a “Do-Not-Call” notice
- Simple and free mechanism for opt-out

Consent and calling mobiles
- Opt-in required
- Inform at time of data capture of the DM purpose
- Simple and free mechanism for opt-out

Marketing to existing customers
- Needs to be for a similar product to the one originally bought
- New consent required if done on behalf of a third party
- Best practice requires opt-in at point of sale
- Simple and free mechanism for opt-out on every message

Marketing and OTT services
- OTT = Twitter, Facebook, WhatsApp, Skype etc.
- Best practice = do not use these channels
- Loss of control over data through use of OTT services

Marketing essentials
- Rules apply to both B2C and B2B
- Simple and free opt-outs must be provided
- Do not use pre-ticked boxes
- Do not use OTT services
Risk mitigation strategies

First steps
- Review how you engage in direct marketing
- Review consent, and ensure adherence to GDPR
- Document processes to demonstrate compliance

Assess direct marketing methods
- How do you market? Document these processes
- Ensure data has been lawfully obtained
- Ensure the highest standards of consent

Minimising exposure
- Principle of data minimisation
- Ethical approach to data processing
- Application of best-practice checks and balances

Ethical data handling
- Care for your customer or client
- Respect the data and privacy rights of the individual
- Acquire data in a lawful manner

Demonstrate compliance
- Document all processes around data processing
- Ensure transparency and clarity in policies, T&Cs, etc.
- Ensure the highest standards of security
To conduct marketing in a compliant manner under GDPR, you will need to document processes and information flows relating to marketing activities.
Benefits of compliance

Customer care
- Greater customer trust
- Greater customer engagement through transparency
- Enhanced reputation for your company

Risk minimisation
- Lower chance of complaints about direct marketing
- Lower chance of receiving a Subject Access Request
- Lower exposure to fines from the regulator (DPC)

Streamlined business
- Data minimisation is good for any organisation
- Process documentation = good information governance
- Documentation allows for better marketing
Key takeaways

Direct marketing & GDPR
- DM is a legitimate business interest under GDPR
- Responsibilities towards customers and their data
- Risk of fines/Subject Access Requests for non-compliance

Better direct marketing
- Risk mitigation through data minimisation
- Lawful obtaining of data and GDPR compliance
- Better customer engagement through transparency