1
Running Compliant Direct Marketing
Understanding the Link between Marketing activity, Subject Access Request, and GDPR Hosted by
2
Conducting Compliant Marketing & SARs Workshop - CMG Events
About Castlebridge. Castlebridge is a specialist Data Protection and Data Governance consulting and training company. Founded in 2009, we have worked extensively with public and private sector organisations in Ireland, the EU, the UK and internationally, in sectors as diverse as international finance, defence, education, student finance, telecommunications and medical messaging. We work extensively on Data Protection syllabus development and delivery with organisations such as Public Affairs Ireland, the Law Society of Ireland and CMG Events. Web: (c) Castlebridge - distributed with permission
3
Some Fundamental Background
4
All your Data Comes from Somewhere
Diagram of the marketing data cycle: Buy/Rent → Capture → Analyse → Store → Use (“Buy our stuff!!”)
5
All your Data Comes from Somewhere
Information as an asset has a life cycle: Plan → Obtain → Store/Share → Maintain → Apply → Dispose
6
All your Data Issues Come from Somewhere
A bad plan or no plan at the start of the life cycle (Plan → Obtain → Store/Share → Maintain → Apply → Dispose) shows up later as:
- consent issues, fair obtaining issues
- security or cross-border transfer issues, governance of 3rd parties
- accuracy or timeliness issues
- wrong data, wrong purpose, wrong methods
- retained for too long, used when it shouldn’t be
100% of data issues have their ultimate root cause at the Plan stage of the life cycle.
7
Analysis of Complaint Trends
You are statistically more likely to receive an SAR complaint than a marketing complaint; 2009/2010 was the divergence point. On average over the last 14 years, only 5% of contacts to the DPC from individuals result in a formal complaint being recorded. Historically, the DPC has only recorded complaints that meet the criteria for an investigation to be grounded. A complaint is not the same as an investigation though…
8
Forecast of Complaint Trends*
Charts: E-Marketing Complaint Forecast and SAR Complaint Forecast, each showing a “most likely range”. * 95% confidence level. Forecasts are based on historic trends and do not factor in the impact of future legislative change, changes in public awareness, or technology impact.
9
DPC Annual Report 2015 (released 21st June 2016)
Complaints about Direct Marketing: 11% of total complaints registered, down from 2014, in line with the Castlebridge prediction… Subject Access Requests: 62% of total, up from 2014, in line with the Castlebridge prediction.
10
The Future? Consent, Transparency, Obtaining, Governance, Customer-focus.
11
Running a Compliant Direct Marketing Campaign
Understanding the rules as they currently apply
12
The Legislative Framework
DPA 1988/2003 and Directive 95/46/EC: obtain fairly; specified and lawful purpose; right to blocking, rectification, erasure; retention; rights of access.
SI 336/2011 and the ePrivacy Directives: use of electronic marketing methods; requirements for consent; requirements for opt-out; rules re: access to data written to/retrieved from devices.
13
Your E-Marketing Foot Print
Diagram of e-marketing channels (the channel names were shown as icons and did not survive extraction), with the characteristics shown for each:
- Bi-directional: outbound and inbound
- Broadcast: lead list capture via sign-ups, content-based marketing
- CRM database
- Bi-directional: broadcast plus targeted outbound; inbound communication
- Broadcast: community building, can drive traffic to a data capture site
- Bi-directional: broadcast; outbound messaging; inbound comms; data profile-based marketing
- Bi-directional: SMS messaging (in/out), inbound calls, outbound calls
- Bi-directional: outbound calls; inbound calls
Electronic marketing channels cannot be thought about in isolation. You need to consider from a strategic perspective what tools you are using and how.
14
“But we don’t have a CRM Database”
Data held “in platform” can still be extracted to Excel or other tools: a simple list, followers/groups, followers and data in DMS, connections, a simple list… You have a CRM database. It may just be distributed…
15
Marketing: understanding how to execute compliant campaigns
16
What is Direct Marketing?
‘direct marketing’ includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office; - Section 1, Data Protection Acts 1988 and 2003
17
What is Direct Marketing?
Diagram: Message and Medium. The message is information about products, services or events, usually linked with a call to action to exchange money, data or time…
18
Postal Direct Marketing & Consent
Direct marketing is in the legitimate interests of a Data Controller, so postal marketing can be conducted on the basis of an OPT-OUT… once: the data is obtained fairly; the marketing purpose is communicated; the data is kept safe and secure; the data is not transferred outside the EEA without a valid basis; the data is not retained for longer than needed; the data is adequate, relevant and not excessive.
19
One Slide Summary of Marketing Rules
What is Direct Marketing? A communication addressed to an identifiable individual that asks them to exchange something of value for some potential benefit or gain.
Core DPA rules: obtain fairly, keep accurate etc.; specify the purpose; be able to say where you got the data from; be able to explain automated processing (e.g. matching). Your processes for getting the data in the first place must comply with the DPA.
Postal: Opt-OUT. Must inform at time of data capture of the DM purpose; must give an easy and free mechanism to opt out.
Email: Opt-IN. Must inform at time of data capture of the DM purpose; must give an easy and free mechanism to opt out.
Land-line: Opt-OUT. Must inform at time of data capture of the DM purpose and allow opt-out; must always check against the NDD for Do-Not-Call.
Mobile: Opt-IN (calls and SMS). Must inform at time of data capture of the DM purpose; calls require an EXPLICIT opt-in; must give an easy and free mechanism to opt out; reading location data etc. requires opt-in.
FAX: Opt-IN if B2C, Opt-OUT for B2B.
Use it or lose it: e-marketing consent expires after 12 months.
20
Cross Border Transfer Rules also apply…
Table (the services compared were identified by logo in the original and are not named here). Columns: basis for transfer / transferred to / EU alternatives?
- Model Clauses (if you ask…) / United States / Yes
- Safe Harbour (still….) / United States (unlawfully) / Yes. Only lawful if you have negotiated model clauses outside the standard agreement.
- Model Clauses / Australia / Yes
- Safe Harbour (still…) / United States (unlawfully) / TBC. Only lawful if you have negotiated model clauses outside the standard agreement.
Based on a review of publicly provided information as of 13 June 2016.
21
Electronic Direct Marketing – what is in scope?
In scope: cookies, landline, SMS, calls to mobile, location, FAX. The rules apply in both B2B and B2C contexts….
22
Direct Marketing to Landline - Summary
OK to call if you haven’t been told not to call them. Must check the NDD to make sure there is not a “blanket” opt-out. A subsequent opt-in for telephone can override the NDD. Date/timestamps become VERY important!
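As an added example (not from the Castlebridge deck), the decision the one-slide summary and the landline summary above describe can be written down as a timestamp-ordered check over a contact’s consent history: an opt-out later than the last opt-in always wins; post and landline are opt-out channels, but a landline call is blocked by an NDD registration unless the subject opted in to you after that registration; email, SMS and mobile calls need an opt-in that has been used within the last 12 months. The event record format, the channel names, and the treatment of a message you sent as “use” of the consent are assumptions made for illustration, and the sample history is constructed; this models the rules as the slides state them and is not legal advice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, Optional, Tuple


class Channel(str, Enum):
    POST = "post"
    EMAIL = "email"
    SMS = "sms"
    MOBILE_CALL = "mobile_call"
    LANDLINE = "landline"


@dataclass(frozen=True)
class Event:
    """One entry in a contact's consent history (assumed record format).

    kind: "opt_in" | "opt_out" | "sent" (channel-specific) or "ndd"
          (registration on the National Directory Database opt-out list,
          which applies to landline calls; channel is None for it).
    """
    kind: str
    channel: Optional[Channel]
    at: datetime


# "Use it or lose it": e-marketing consent lapses 12 months after it was
# last used (assumption: a marketing message we sent counts as use).
CONSENT_LIFETIME = timedelta(days=365)


def _latest(events: Iterable[Event], kind: str,
            channel: Optional[Channel] = None) -> Optional[Event]:
    """Most recent event of `kind` (restricted to `channel` if given), or None."""
    hits = [e for e in events
            if e.kind == kind and (channel is None or e.channel == channel)]
    return max(hits, key=lambda e: e.at) if hits else None


def may_contact(history: Iterable[Event], channel: Channel,
                now: datetime) -> Tuple[bool, str]:
    """Decide whether a direct-marketing contact on `channel` is permitted at `now`.

    Returns (allowed, reason). Only events timestamped at or before `now`
    count, which is why every event in the history carries a timestamp.
    """
    hist = [e for e in history if e.at <= now]
    opt_in = _latest(hist, "opt_in", channel)
    opt_out = _latest(hist, "opt_out", channel)

    # A channel-specific opt-out later than the last opt-in always wins.
    if opt_out and (opt_in is None or opt_out.at > opt_in.at):
        return False, f"opted out of {channel.value} on {opt_out.at:%Y-%m-%d}"

    if channel is Channel.LANDLINE:
        ndd = _latest(hist, "ndd")
        # NDD is a blanket opt-out; an opt-in to this controller dated after
        # the registration overrides it, an earlier one does not.
        if ndd and (opt_in is None or opt_in.at < ndd.at):
            return False, f"on NDD since {ndd.at:%Y-%m-%d} with no later opt-in"
        return True, "landline is opt-out; no NDD block or opt-out on file"

    if channel is Channel.POST:
        return True, "post is opt-out; no opt-out on file"

    # Opt-in channels (email, SMS, mobile calls): need an opt-in, and the
    # consent must have been used within the last 12 months.
    if opt_in is None:
        return False, f"no opt-in on file for {channel.value}"
    last_use = _latest((e for e in hist if e.at >= opt_in.at), "sent", channel)
    anchor = last_use or opt_in
    if now - anchor.at > CONSENT_LIFETIME:
        return False, (f"{channel.value} consent last used {anchor.at:%Y-%m-%d}; "
                       f"lapsed after 12 months")
    return True, f"{channel.value} opt-in on file, last used {anchor.at:%Y-%m-%d}"


def decisions(history: Iterable[Event], now: datetime) -> dict:
    """Run the check for every channel; returns {channel name: allowed}."""
    history = list(history)
    return {ch.value: may_contact(history, ch, now)[0] for ch in Channel}


# Constructed sample history for one contact (not real data).
SAMPLE_HISTORY = [
    Event("ndd", None, datetime(2015, 1, 10)),
    Event("opt_in", Channel.EMAIL, datetime(2015, 2, 1)),
    Event("sent", Channel.EMAIL, datetime(2015, 5, 1)),        # >12 months before NOW
    Event("opt_in", Channel.LANDLINE, datetime(2016, 3, 1)),   # after NDD: overrides it
    Event("opt_in", Channel.SMS, datetime(2016, 5, 1)),
    Event("opt_out", Channel.SMS, datetime(2016, 5, 20)),      # later than the opt-in
]
NOW = datetime(2016, 6, 13)

if __name__ == "__main__":
    for ch in Channel:
        allowed, why = may_contact(SAMPLE_HISTORY, ch, NOW)
        print(f"{ch.value:12} {'OK' if allowed else 'NO'}  {why}")
```

Run stand-alone it prints one line per channel for the sample contact: post and landline are allowed, email is refused because the consent has not been used for over 12 months, SMS is refused because the opt-out postdates the opt-in, and mobile calls are refused because no opt-in exists. Because the check filters on `e.at <= now`, re-running it with an earlier `now` gives the answer that was correct at that time, which is the audit-trail property the “date/timestamps” point is about.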
23
A Key Definition
The ePrivacy Directive and SI 336 define “electronic mail” as follows: “electronic mail” means any text, voice, sound or image message including an SMS message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient; “electronic mail” therefore means email and SMS.
24
Direct Marketing by “Electronic Mail” - some essentials…
“A person shall not send or cause to be sent electronic mail for the purposes of direct marketing, which— disguises or conceals the identity of the sender on whose behalf the communication was made, encourages recipients to visit websites or otherwise contravenes Regulation 8 of the European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), or does not have a valid address to which the recipient may send a request that such communication shall cease.” Identify the sender: tell them who is sending the email or SMS. Give a functioning mechanism for people to contact you back.
25
Direct Marketing – The Tricky Stuff
What is an “Electronic Mail”? “electronic mail” means any text, voice, sound or image message including an SMS message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” - SI 336, section 1. OTT services are currently not explicitly covered, but the revised ePD will include them.
26
Direct Marketing – The Tricky Stuff
What is an “Electronic Mail”? “electronic mail” means any text, voice, sound or image message including an SMS message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” - SI 336, section 1. While not EXPLICITLY covered by the ePrivacy rules, “Over the Top” services are potentially subject to the same controls. This will be addressed in the next update to the ePrivacy rules; in the consultation completed over the summer, 76% want OTT services included.
27
Direct Marketing by “Electronic Mail” – Beware of Mixed Messages
“A person shall not use or cause to be used any publicly available electronic communications service to send to a subscriber or user an SMS message for a non-marketing purpose which includes information intended for the purpose of direct marketing unless the person has been notified by that subscriber or user that he or she consents to the receipt of such a communication.” - SI 336, Regulation 13(7). You need to be clear what the purpose of the message is.
28
Marketing to Existing Customers…
- Marketing on behalf of 3rd parties requires SEPARATE consent
- Needs to be a similar product/service to the one that was originally bought
- Need to be able to opt out at the point of sale (better to go for opt-in)
- Need to have an opt-out on each message
29
Marketing to Existing Customers…
Applies only to email and SMS. Does NOT apply to other contact mechanisms.
30
Direct Marketing by “Electronic Mail” - some essentials…
All messages must provide a simple and cost-free mechanism for people to opt out: SMS – a free short code to opt out; email – a link to an “opt-out” page. Provision of control/self-service to customers via CRM systems is an option provided by some organisations. Each message must have an opt-out.
31
The Importance of Closing the Loop
Diagram: the customer texts “Opt-Out” to one short code and asks “Why are they still sending me stuff?”, because Special Offers, New Products, Special Events and Partner Promos each use different SMS codes and purposes.
32
The Importance of Closing the Loop
Diagram (loop closed): the same Special Offers, New Products, Special Events and Partner Promos streams with their different SMS codes and purposes; when the customer texts “Opt-Out”, communicate what happened.
33
Pre-ticked boxes are NOT permitted
“I would love to receive emails, SMS, and calls to my mobile from ACME Inc. (untick if you don’t want to)” What does a ticked box mean? Consent? “Didn’t see the box”? What does an unticked box mean? No consent? Misread the question? Pre-ticked boxes are not allowed by the Article 29 Working Party (and they are just a really bad idea).
34
GDPR – What is Changing Overview of key Relevant Changes in GDPR that impact Marketing
35
The Good News… Direct Marketing is defined as a “legitimate interest” of a data controller in Recital 47 of the Regulation. This means it continues to be an “opt-out” for postal marketing under GDPR… so long as you have appropriate safeguards to ensure that the fundamental rights of the Data Subject are respected: fairly and transparently obtained, and easy for people to opt out. There is a strong emphasis on the other Data Protection principles and obligations under the Regulation…
36
Key Changes affecting Electronic Marketing
- Consent
- Consent of children
- Documentation of processing activities, including knowing what technologies you are using
- Accountability principle
- Processor/Controller relationships – key changes
- Penalties
37
GDPR Changes… Consent must be by a clear, affirmative action. It must be freely given, informed, specific, and unambiguous.
38
GDPR Changes… Consent from children for “Information Society Services”
Parental co-consent/authorisation is required below an age threshold that Member States set between 13 and 16 years. Will require national legislation for the specific rules. Legislation is on the Dáil calendar for 2016 but there is no sense of urgency associated with it.
39
To conduct marketing in a compliant manner under GDPR, you will need to document the processes and information flows relating to your marketing activities.
40
Subject Access Requests
41
Subject Access Requests
Source: DPC Annual Report 2013. You are statistically more likely to receive a Subject Access Request than a complaint about direct marketing.
42
Why do people submit SARs?
Source: Castlebridge study (conducted in H). Reasons given: “Because it is my right”; “Because data was wrong”; “Because of spam”. It is important to understand why SARs are used… it doesn’t affect the compliance obligation but does influence how you prioritise them…
43
Some other statistics Respondents who hadn’t submitted an SAR indicated almost overwhelmingly that they would do so in the future… [VOLUMES MAY GO UP!!]
45
Single Slide Summary of Key Data Subject Rights
Right to confirmation of processing: 21 days to respond to a request in writing; no charge; provide “Fair Processing Notice” type information.
Right of access to data (the right to receive an intelligible copy of the information being processed): 40 calendar day response window; must be submitted in writing; must validate identity; provide the data plus “Fair Processing Notice” information for context; some exemptions, some restrictions on disclosure.
Right to blocking, rectification, erasure: must respond within 40 calendar days; must write back to confirm blocking, correction or erasure; no charge.
Right to object to automated processing: automated processing that has a legal or equivalent impact on the Data Subject must have a human component.
Right to object to processing likely to cause substantial damage or distress: must respond in 20 days; you don’t have to stop processing, just justify the basis.
Right to compensation through the courts for breach of duty and standard of care (rights under Directive 95/46/EC).
46
Subject Access Request Basics – One Slide Summary
What is the right? Confirmation of processing; a copy of the data in intelligible form; a Fair Processing notice. The right is to have the existence of processing confirmed, a copy of the data provided in an intelligible format, and information provided about the nature of the processing, including disclosures, sharing, algorithms and cross-border transfers. Entitlement is to ALL data held, unless an exemption can be applied.
How is it exercised? A request made in writing. Once a request is in writing, it is a valid request under the Acts. The requester cannot specify the format. The Data Controller must take precautions to verify the identity of the requester. Must provide the data within 40 days of the date of the request.
What fee applies? €6.35 maximum. You can’t delay the start of processing until the fee is paid. GDPR drops the fee.
Exemptions and exceptions: security of a prison or other place of detention; prejudicial to the prevention, detection or investigation of a crime; required under another enactment; data processed to protect the public against financial loss through dishonesty; protection of international relations; information relating to the estimation of liability on foot of a claim, where disclosure would be prejudicial; research data; backup data; information given on a presumption of confidentiality.
Redaction: redact personal data of 3rd parties (technically, non-personal data can be redacted also). Audio: redact any voice that is not the data subject; provide transcripts of conversations if needed. Still images: pixelate any 3rd parties in the image. Video: remove 3rd parties also where potentially identifiable; the requirement is the full video with 3rd parties redacted, or a still image for every second of footage featuring the data subject.
47
What is a “Request in Writing”
In writing = NOT verbal. The UK ICO Code of Practice on SARs takes a ‘multi-channel’ perspective.
48
What is actually required to be provided?
Article 12 of the Directive (echoed in GDPR Article 15):
- Confirmation whether or not data is being processed
- At least information relating to the purposes of processing, the categories of data concerned, and the recipients or categories of recipients with whom data are shared
- A copy in an intelligible form of the data undergoing processing and of any available information as to their source
- Knowledge of the logic involved in any automated processing of data concerning the Data Subject, at least in the case of any processing resulting in an automated decision
- Details of how to exercise the rights of blocking, erasure etc. and how to exercise the right of complaint
More than just a dump of data… the response needs to have additional “context”.
49
Expressions of Opinion
Expressions of opinion by one person about another may be disclosed without the consent of the person who gave the opinion, UNLESS: the opinion was given by or on behalf of someone in charge of an institution of detention AND relates to a person who is or was detained in that institution; OR the opinion was given in confidence or on the understanding that it would be treated as confidential. This exemption is closely interpreted by the DPC. You cannot withhold an entire record, only the specific expression of opinion. You must be very clear about the basis on which the presumption of confidence applies. Stamping “confidential” on a document is not enough…
50
Key Steps in a Subject Access Request
“Release” must involve communication of the data – it must be sent in some way. Providing access to view the data may be insufficient (e.g. viewing CCTV), but may satisfy a request on a case-by-case basis.
51
Validating the Request
Is it in writing? Has information been provided that would reasonably enable you to identify the data subject and locate the relevant data (e.g. an account number or phone number; a date and time range for CCTV footage and a photo of the data subject)? If not: it is not a valid request… the clock has not started. The DPC has recently begun to interpret a failure on the part of the Data Subject to cite the Data Protection Acts in their request as invalidating the request. This is an error in the DPC’s interpretation and is open to challenge; it does not conform to the requirement under the Directive and the Charter of Fundamental Rights.
52
Validating the Requester
Have you received information that can definitively identify the data subject? Is it data that a 3rd party would be unable to supply? Ask questions about data held that only the Data Subject would know (e.g. the last transaction in store and the type of card used to pay). Ask them to provide photo ID, but watch out for the risk of ID theft and have a retention period for the ID verification. If you have contact details for the data subject on file, phone them to verify the request. If the request came by email, and you have an email address for the Data Subject, check whether they are the same, or use the address on file to validate the request. If the request came by SMS, check whether you have the mobile number on file. Don’t phone the sending number to verify -
53
The 40 Day Challenge Do you know where personal data is in your organisation?
54
GDPR Changes… Article 15 GDPR:
Broadly similar to current legislation. Upfront fees are removed (it is illegal to charge any fee, except for additional copies). Adds the following items to the SAR response “pack”: retention periods; an outline of the safeguards in place where data is transferred to a third country or international organisation. Requires that a request submitted electronically be complied with electronically, using a “commonly used” format. Article 12(3) reduces the response window for an SAR to “one month” from receipt of the request, with a maximum of 2 further months’ extension if the request is complex. Note the overlap with Article 30 and the requirement to keep certain documentation… A €20,000,000 or 4% of global turnover fine for breach of SAR rights (including late responses); a €10,000,000 or 2% of global turnover fine for not having the Article 30 paperwork in place.
55
Record Keeping re Requests
It is advisable to keep a record of requests made:
- to identify similar or identical requests made with unreasonable frequency
- to identify the nature of the responses you have made, the records given, and the basis for redactions / reliance on exemptions
- to show whether there has been any material change to records since the last request
- for lessons learned and training of staff in handling SARs
56
Example Response – Effort & Error
“But jakers, we’ll gather up all the data we have about you and hand it over without any identity verification checks” “We don’t trust you not to be a total moron and we would like to take this opportunity to patronise you a little while disclaiming responsibility for risk”
57
Why Requests in Writing Are Important
- Helps record the nature of the request (so the correct response is given)
- Helps record the frequency of requests from individuals
- Provides an audit trail of request/response
- Provides a date stamp to count the calendar-day response windows from
But the clock starts ticking from when the request in writing is received.
58
Data Privacy. Information Governance. Information Quality.