Digital Banking and Data Protection Achieving balance of compliance with customer experience and opportunity 30 September 2015 Paula Barrett Partner

Data protection compliance Recognizing what personal data/private information is processed Identifying the players - data controllers and data processors Work through application of principles, lawful reasons, fairness, transfers, filings, etc Give fair notice Gather permissions where needed Other relevant issues Other legislation/laws/torts Culture and expectations Political/regulatory stance

Personal data – can you spot it? “Personal Data” means data which relate to a living individual who can be identified: (a) from those data and other information which is in the possession of or is likely to come into the possession of, the data controller (b) includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual Not just names – other identifiers too Think about ability to combine with other data within business Can include twitter names, Mac address, Fixed IP address Current DPA Definition:

The players? −Spot the data controller(s)! Often more than one in digital platforms Within group? Third parties? Relevant for determining Applicable law Who carries DPA responsibility? Lawfulness requirement in transfers from DC to BC Limited exemptions −Who are the data processor? Contractual requirements under DPA to be met Under UK DPA no direct obligations Position may change under GDPR Geographic restrictions on transfers

Eversheds LLP | −Timing: When does data collection really commence? Bear in mind varying sources and channels – app, social media, other accounts, etc. Do you need a third party to provide notice/expand notices to specifically include us and our processing? −Scope – transparency is essential and becoming more so −Consistency across platforms (on and offline) Expanding digital processing may mean we have to expand the non digital notices and notices on other platforms e.g. facebook etc. −Technical constaints and customer experience Screen and text limitations Layering Links to website and other locations for further detail Fair Processing Notice must be given prior to or within a reasonable time of data being collected. When & how to deliver Notices and privacy policies

Eversheds LLP | −Start with working out what processing you are doing Need to understand the totality of processing including any sharing with other group companies and third parties −Treat consent as a last resort – not the first one It can be withdrawn at any time −Other lawful reasons: Consider statutory obligation Legitimate interest At request of individual Fulfilment of contract Anti-fraud Remember all qualified by “necessary for” test and proportionality −Transparency on consent obtained by or for third parties −How will marketing preference be exercised? tools within the digital product? −Operationally/technically need to be able to respond to consent changes from range of sources For each category of personal data you need a lawful reason for processing it When, what and how Collection of permissions

Questions?

eversheds.com ©2015 Eversheds LLP Eversheds LLP is a limited liability partnership Partner Paula Barrett Company Commercial Eversheds One Wood Street London EC2V 7WS