Customer Data and the New EU Privacy Law - May 2016

Post on 29-Jan-2018

Customer Data and the new EU Privacy Law

Key facts for marketers in international business

Version: 18 May 2016

Executive summary

1. Safest policy is to treat all EU customer data as Personal Information

2. For incorrect handling of Personal Information of EU citizens:

Fines up to 4% of global revenues

3. Grace period for making processes compliant: until May 2018

Context

• International business selling into the EU

• B2B & B2C

• Marketing & Sales processes

• Data about EU Prospects & Customers

18/05/2016 Andrew Sanderson | as@ansaco.de | +49 06223 9346 3401

Warning!

This version: May 2016

• Written by an EU Marketer (not a lawyer) for non-EU Marketers

• Highlights issues, impacts & options

• This does not constitute a legal opinion or legal advice

• Use at your own risk / verify with your corporate counsel

Marketing objectives

Build trust – the foundation for face-to-face selling

• Promote products & services

• Gain permission for personalised, one-to-one communication

• Identify individual needs

• Provide each Contact with relevant information about solutions

PII = Personally Identifiable Information

Definition in Europe:

information that can be used on its own

or with other information

to identify, contact, or locate a single person,

or to identify an individual in context

See GDPR, Article 4(1) for precise text

PII = Personally Identifiable Information

Definition in the USA:

any information that can distinguish or trace an individual’s identity,

such as name, social security number, date and place of birth, biometrics

any other information that is linked or linkable to an individual,

such as medical, educational, financial, and employment information

NIST SP 800-122

PII in Marketing Practice

Mr. James Bond

This is not necessarily PII

• Firstname Lastname does not always identify a single individual

PII in Marketing Practice

• Universal Exports

• Caribbean Department

• Company Fax: +44 020 1234567

• Web: www.universalex.com

These are not PII

• Alone or in combination, they cannot identify a single individual

PII in Marketing Practice

• Business Development Manager

• Caribbean Department

• Universal Exports Ltd.

• London

This may be PII

• A combination of information that may identify an individual

• For example: if there is only one Business Development Manager in the Caribbean Department of Universal Exports, London.

PII in Marketing Practice

• Tel: +44 020 123456 xt 007

• Email: james.bond@universalexport.co.uk

These are definitely PII

• Each can be used on its own to identify a single person

PII in Marketing Practice

This is definitely PII

• In this context, all data points help to identify a single person

Mr. James Bond

Business Development Manager

Caribbean Department

Universal Exports Ltd.

85 Albert Embankment, London SE1 1BD

T: +44 020 123456 xt 007

F: +44 020 1234567

E: james.bond@universalexport.co.uk

W: www.universalexport.com

This is definitely PII, too

In this context, all data points refer to the identity of a single person

PII in Marketing Practice

This is not PII

PII in Marketing Practice

This is PII

• What individual people think

• Privately or professionally

NOTE: pseudonymised, but can be linked to the individual via the ID

PII in Marketing Practice

This is PII

• What people do privately

NOTE: pseudonymised, but can be linked to the individual via the ID

PII in Marketing Practice

This is PII

• What people do professionally

NOTE: pseudonymised, but can be linked to the individual via the ID

PII in Marketing Practice

These are also PII

If you know 'who does what'

• even if pseudonymised

• even if encrypted

PII in Marketing Practice

metadata

cookies

online behaviour

website clicks

PII in Marketing Practice

Connecting non-PII data to PII makes it PII, too

Drink: Vodka Martini Vacation: St Moritz Sport: Ski-ing

In this context, the data enriches the knowledge of a single person

This is SPI

[Sensitive Personal Information]

• Health, religion, political opinion, sexual preference, union membership, etc.

• Best avoided in B2B Marketing

Memo:

From: Medical Officer

To: M

Health Report: For Your Eyes Only

RE: Bond, James / 007

This officer smokes 40 filterless cigarettes a

day and consumes 90 units of alcohol per week -

more than is good for him.

He ignores professional advice and is, I

believe, running a serious risk of long-term

damage to lungs and liver.

PII in Marketing Practice

Conclusions

Digital customer records:

• Enable personalised communication

• Make marketing more effective

• Prepare for face-to-face selling

Conclusions

But - digital records of EU contacts

• Are covered by EU Privacy Law

• Proof of Contact permission is required

(documented double opt-in & datestamp)

Conclusions

• If a file contains information that identifies individuals, the entire file is potentially PII

• If data is linked to a file that identifies individuals, the data is PII, too

• What people think and do online is PII (click behaviour, metadata)

Recommendations

• Simple policies are easy to remember

• The safest privacy policy is:

Treat all EU Customer data as

Personally Identifiable Information

Issues, Impacts & Options

www.andrewsanderson.eu

a marketing blog for international business

Andrew Sanderson | as@ansaco.de | +49 06223 9346 3401
