1
Castlebridge Associates | www.castlebridge.ie | www.dataprotectionofficer.ie
Castlebridge: changing how people think about information
Compliant Marketing & SARs: Two Sides of the Same Coin…
2
Introduction
Background Information
Understanding the life cycle of information
Overview of Key Legislation
Overview of GDPR Implications
Marketing communications as a trigger for SARs
How to conduct compliant marketing
How to handle SARs
(Fictional) Case Study Example
3
Background Information
Rules, Legislation, Life Cycles (Oh my)
4
All your Data Came from Somewhere…
Capture, Buy/Rent, Store, Analyse, Use… “Buy our stuff!!”
5
All your Data Came from Somewhere…
Capture: The Life Cycle of Information
Plan, Obtain, Store/Share, Maintain, Apply, Dispose
6
Exercise
Where does the data in your organisation come from?
Do you buy external data?
Do you share data with third parties?
7
The Legislative Jigsaw
Directive 95/46/EC; Data Protection Acts 1988 & 2003: Obtain fairly; Specified & lawful purpose; Right to blocking, rectification, erasure; Retention; Rights of access.
ePrivacy Directives; SI 336/2011: Use of electronic marketing methods; Requirements for consent; Requirements for opt-out; Rules re: access to data written to/retrieved from devices.
8
The Legislative Jigsaw
GDPR: Obtain fairly; Specified & lawful purpose; Right to blocking, rectification, erasure; Retention; Rights of access; Specific consent for specific purposes; Increased penalties; Focus on governance & controls. Text agreed; publication of translation expected late February/mid-March.
ePrivacy Regulation: Aligning with GDPR and ECHR; Revised rules around cookies (?); More focus on apps and OTT services; Aligning consent concepts with GDPR; Will likely focus on customer perspective; Less emphasis on specifics of technology. Public consultations in March, new Regulation agreed by 2017; enacted at same time as GDPR.
9
The Future…
Consent, Obtaining, Governance, Customer-focus, Transparency
10
Direct Marketing: The Basic Rules (One Slide Summary)
What is Direct Marketing? Communication addressed to an identifiable individual that is asking them to exchange something of value for some potential benefit or gain.
Core DPA Rules: Data must be obtained fairly and for a specific purpose; your processes for getting data in the first place must comply with the DPA. Obtain fairly, accurate etc. Specify purpose. Be able to say where you got the data from. Explanation of automated processing: you need to be able to identify where you sourced the data from and explain processing (e.g. matching).
Postal: Opt-OUT. Must inform at time of data capture of DM purpose. Must give easy and free mechanism to opt-out.
Email: Opt-IN. Must inform at time of data capture of DM purpose. Must give easy and free mechanism to opt-out.
Land-line: Opt-OUT. Must inform at time of data capture of DM purpose and allow opt-out. Must always check against the NDD for Do-Not-Call.
Mobile: Opt-IN (calls and SMS). Must inform at time of data capture of DM purpose. Calls require an EXPLICIT opt-in. Must give easy and free mechanism to opt-out. Reading location data etc. requires opt-in.
FAX: Opt-IN if B2C, Opt-OUT for B2B.
Use it or lose it: eMarketing consent expires after 12 months.
©2016 Castlebridge Associates
11
Exercise – What is Electronic Marketing?
12
Direct Marketing – The Tricky Stuff
What is an “Electronic Mail”?
“‘electronic mail’ means any text, voice, sound or image message including an SMS message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” – SI336, section 1
OTT services are currently not explicitly covered, but the revised ePD will include them.
13
Direct Marketing – The Tricky Stuff
Services of a “Similar Kind”
“A person who, in accordance with the Data Protection Acts, obtains from a customer the customer’s contact details for electronic mail, in the context of the sale of a product or service, shall not use those details for direct marketing unless—
(a) the product or service being marketed is the person’s own product or service,
(b) the product or service being marketed is of a kind similar to that supplied to the customer in the context of the sale by the person,
(c) the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of those details—
(i) at the time the details are collected, and
(ii) if the customer has not initially refused that use, each time the person sends a message to the customer,
and the sale of the product or service occurred not more than 12 months prior to the sending of the direct marketing communication, or where details were used for purposes of direct marketing in previous 12 months”
Does not apply to calls to mobiles or landlines – only SMS, email etc.
Must be a similar service to that availed of in the original “sale”
Must be communicated at point of initial data capture
14
Direct Marketing – The Tricky Stuff
B2B Exemption
“(2) Notwithstanding paragraph (1) and subject to paragraph (4), the use of electronic mail to send an unsolicited communication for the purpose of direct marketing to a natural person does not include an electronic mail to an email address that reasonably appears to the sender to be an email address used mainly by the subscriber or user in the context of their commercial or official activity and the unsolicited communication relates solely to that commercial or official activity.” – SI336
Only applies to email (not SMS etc.), e.g. John.Smith@corporate-email.ie
Must be relevant to that commercial role
Must give, and respect, an opt-out
Opt-out must be made available to “generic” addresses, e.g. sales@corporate-email.ie
15
Direct Marketing – The Tricky Stuff
Identify the Sender
“A person shall not send or cause to be sent electronic mail for the purposes of direct marketing, which—
(a) disguises or conceals the identity of the sender on whose behalf the communication was made,
(b) encourages recipients to visit websites or otherwise contravenes Regulation 8 of the European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), or
(c) does not have a valid address to which the recipient may send a request that such communication shall cease.”
Tell them who is sending the email or SMS
Give a functioning mechanism for people to contact you back
16
GDPR Changes…
Consent must be by a clear, affirmative action
It must be freely given, informed, specific, and unambiguous
17
GDPR Changes…
Can’t bury consent in Terms and Conditions or other text
Needs to be distinguishable from other matters
Needs to be clear and intelligible
Failure to meet this invalidates any consent
18
GDPR Changes…
Consent from children for “Information Society Services”
Parental co-consent/authorisation between 13 years and 16 years
Will require national legislation for the specific rules.
19
What is an “Information Society Service”?
“Any Service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”
Definition in Directive 98/34/EC; adopted again in the E-Commerce Directive 2000
A free service offered by a not-for-profit organisation is not “normally provided for remuneration”.
A free service, provided in exchange for personal data which is used to target advertising, does result in remuneration.
A free service, on which advertising is displayed to recipients of that service, in exchange for advertising revenues, does result in remuneration.
20
Subject Access Requests
A Canary in the Coalmine for your Data Protection Compliance
21
Subject Access Request Basics – One Slide Summary
What is the Right? Confirmation of processing; copy of data in intelligible form; fair processing notice. The right is to have the existence of processing confirmed, a copy of the data provided in an intelligible format, and for information to be provided about the nature of the processing: disclosures, sharing, algorithms, cross-border transfers.
How is it exercised? A request made in writing. A format cannot be specified: once the request is in writing, it is a valid request under the Acts.
What fee applies? €6.35 maximum. Can’t delay start of processing until fee paid. GDPR drops the fee.
Must provide data within 40 days of date of request.
Entitlement is to ALL data held, unless an exemption can be applied.
Data Controller must take precautions to verify identity of the requester.
Redaction: Redact personal data of 3rd parties. Technically, can redact non-personal data also. Still images: pixelate any 3rd parties in the image. Video: remove 3rd parties also where potentially identifiable; the requirement is the full video with 3rd parties redacted, or a still image for every second of footage featuring the data subject. Audio: redact any voice that is not the data subject; provide transcripts of conversations if needed.
Exemptions & Exceptions: Security of a prison or other place of detention; Prejudicial to prevention, detection, or investigation of a crime; Required under other enactment; Data processed to protect public against financial loss through dishonesty; Protection of international relations; Information relates to estimation of liability on foot of a claim, where disclosure would be prejudicial; Research data; Backup data; Information given on presumption of confidentiality.
22
Medical and Social Care Data
Example Legislative Restriction: Disclose or not?
Withhold if it is likely to cause physical or mental harm to the Data Subject.
Decision must be taken by qualified Health or Social Care professionals.
Can disclose any data that is unlikely to cause physical or mental harm.
SI82 and SI83 of 1989 (Health Data & Social Care Data)
23
Total Restriction
Restriction on disclosure of information relating to adoptions and information provided to the Ombudsman
SI81 of 1989 – Information on Adopted Children
24
What is actually required to be provided?
Article 12 of Directive:
Confirmation whether or not data is being processed
At least information relating to purposes of processing, categories of data concerned, recipients or categories of recipients with whom data are shared
Copy in an intelligible form of the data undergoing processing and of any available information as to their source
Knowledge of the logic involved in any automated processing of data concerning the Data Subject, and at least any processing resulting in an automated decision
Details of how to exercise rights of blocking, erasure etc. and how to exercise right of complaint
More than just a dump of data… it needs to have additional “context”
25
What is a “Request in Writing”?
In writing = NOT VERBAL
‘Multi Channel’ Perspective
UK ICO Code of Practice on SARs:
26
What is the problem with this Privacy Notice?
27
The 40 Day Challenge
Do you know where personal data is in your organisation?
28
GDPR Changes…
Article 15 GDPR: Broadly similar to current legislation.
Upfront fees are removed (it is illegal to charge any fee, except for additional copies).
Adds the following items to the SAR response “pack”: retention periods; outline of safeguards in place where data is transferred to a third country or international organisation.
Requires that a request submitted electronically be complied with electronically, using a “commonly used” format.
Article 12(2) – reduces response window for SAR to “one month” from receipt of request, with a maximum of 2 further months’ extension if the request is complex.
Note overlap with Article 28/29 and the requirement to keep certain documentation…
€20,000,000 / 4% global turnover fine for breach of SAR rights (including late responses)
€10,000,000 / 2% global turnover fine for not having paperwork under A28/29 in place
29
Subject Access Requests
You are statistically more likely to receive a Subject Access Request than a complaint about direct marketing.
Source: DPC Annual Report 2013
30
Why do people submit SARs?
Conducted study in H1 2015
Important to understand why SARs are used… Doesn’t affect the compliance obligation but does influence how you prioritise them…
Source: https://castlebridge.ie/products/whitepapers/2015/09/subject-access-requests-data-health-check
31
Some other statistics
Respondents who hadn’t submitted an SAR indicated almost overwhelmingly that they would do so in the future… [VOLUMES MAY GO UP!!]
32
Example Response – Effort & Error
“We don’t trust you not to be a total moron and we would like to take this opportunity to patronise you a little while disclaiming responsibility for risk”
“But jakers, we’ll gather up all the data we have about you and hand it over without any identity verification checks”
33
Some Practical Tips…
Pro-Tip 1
Tippex can be messy and slow
Marker can create reflective bounce-back that can reveal text
34
Some Practical Tips…
Pro-Tip 2
Accurate and tidy; isn’t as obvious a redaction as a black mark
Scan or copy the redacted record
Send out the COPY
Tippex can be scraped off…
35
Some Practical Tips…
Pro-Tip 3 (and 3a)
Scan hard copy records, print electronic records to PDF
Work off an electronic version of EVERYTHING
Keep a log of documents and the reason for each redaction
36
Putting it all together
Morpheus Technologies – A Case Study
37
The Background
Morpheus Technologies have developed a new cloud service for document text analysis, search, and retrieval.
They have offered a beta version for a free 30 day trial period to people who register with their site.
They have identified that a significant number of these people have logged in once or twice, clicked on a few things, but not converted to a sale.
They decide to conduct some outbound direct marketing.
38
The Sign Up Page
What issues arise in the design of the sign up form?
What stage in the Information Life Cycle did they not consider for long enough?
What could they do differently?
39
The Email
After 3 months they send the following email to trial users…
It constitutes direct marketing. What is missing from the email?
“Hi,
I am contacting you with reference to your recent subscription to our Morpheus product and seeking your feedback. I am sure you are aware the new GDPR will shortly be coming into effect with possible fines up to €20 million. Morpheus provides Cloud-based services to help you with information search and retrieval to support Subject Access Request and other GDPR requirements.
I can see you activated your account and used some of the functions, but not all, and I was wondering would you like to set up a demonstration over the phone to show you the key features and benefits of Morpheus? I also would be happy to discuss some elements of the new GDPR which may affect your organization.
Kind regards,
Dave Lister
Morpheus Sales Manager”
40
The Telemarketing
4 months later they phoned the expired trial customer. They rang them on their mobile phone.
They also SMS’d them: “Hi, it’s Dave from Morpheus. Text Yes to 5521 if you’d like to find out more about us”
What issues arise here?
41
The Access Request
Data Subject sends email to the sales rep.
Data Subject sends requests to the social media account.
What is the next step Morpheus Tech should take? Who should take it?
What kind of data might Morpheus hold about the Data Subject other than their name, email, mobile?
Email: “Hi Dave, Could you provide me with a copy of all data you hold about me and other particulars as required under the Data Protection Acts? Yours, Arnold Rimmer”
Twitter exchange:
AJR @ajr_demo: @Morpheus_tech Please send me copy of my data.
@Morpheus_tech: @ajr_demo Thanks for your interest in our product. Would you like a demo?
@ajr_demo: @Morpheus_tech No. I’d just like a copy of my data.
@Morpheus_tech: @ajr_demo Yes, our product finds your data. Want a demo?
42
The Complaint
What offences have likely been committed here?
What is the current penalty that Morpheus would face?
What is the GDPR level of penalty?
“Dear Sir/Madam,
I wish to complain about Morpheus Technologies, a software vendor whose product I trialled a few months ago. They have sent me unsolicited email, called my mobile, and sent me unsolicited SMS messages after I abandoned their free trial (the software was not as advertised so I didn’t buy). At sign up there was no information that my contact details would be used for marketing of this nature. I submitted a Subject Access request 54 days ago and have not received a satisfactory response.
Yours,
Arnold Rimmer”
Morpheus are prosecuted, have to destroy their database, and their market credibility is wiped out.
43
Root Cause – 5 Whys
Why did Morpheus get prosecuted by the DPC?
Why was there a complaint made about them?
Why did the Data Subject submit the SAR?
Why was the Data Subject put out by the marketing contacts?
Why did the Data Subject not feel they had provided consent?
44
All your Data Came from Somewhere…
Capture: The Life Cycle of Information
Plan, Obtain, Store/Share, Maintain, Apply, Dispose