an introduction to data protection - 26 march 2014
Data protection 2013
Friday 8 February
#dmadata
Supported by
An introduction to data protection
Wednesday 26th March 2014, DMA House
Janine Paterson, DMA Solicitor
Agenda
9.00am Registration and breakfast
9.30am Why is data protection important?
9.40am Understanding the law
The Data Protection Act 1998
Key terms
8 Principles
10.40am Break
11.00am Understanding the law
The Privacy and Electronic Communications Regulation 2003
Key rules
Key points
11.30am Practical tips for marketers
12.00am Summary and questions
12.30am Close
Why is it important?
• It helps us to protect information about ourselves and others
• It helps us avoid damage to the reputation of our organisation
• It makes good business sense – it can increase efficiency and effectiveness
• It helps us avoid enforcement action by the Information Commissioner
– both employers and employees can be prosecuted
– companies can face a monetary penalty of up to £500,000 for major breaches
Understanding the law 1
• Data Protection Act 1998 (DPA)
– Came into force 1 March 2000
– Replaced 1984 Act
– Covers doing anything with data
– Applies to electronic records and some manual records
Key terms
• Personal data
– any data that can be used to identify a living individual
– Examples of personal data can include:
• Name and address
• Email address (even business email addresses if they are non generic)
• Name and telephone number
• Photographs
– Only personal data is protected by the DPA
• Sensitive personal data
– any data relating to:
• Health
• Race or ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership
• Sex life
• Criminal proceedings or convictions
Key terms
• Processing
– obtaining, recording or holding information or carrying out any operation on the information including
• Organising
• Adapting
• Retrieving
• Disclosing
• Blocking
• Destroying
• Data subject
– a living identifiable individual to whom the personal data relates
Key terms
• Data controller
- Determines how data will be used
- Usually owns or rents the data (may be done by a 3rd party on their behalf)
- Required to notify (register) as a controller with the ICO
- May be fined by ICO if any data breaches arise
• Data processor
- Processes data on behalf of controller or other processor
- Processing can be anything from data storage to advanced data manipulation and modelling
- Includes companies that manage / broker / collect data on behalf of others
The 8 Principles
• Fairly and lawfully collected
• Processed for specified and limited purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Not kept for longer than necessary
• Processed in accordance with Individuals’ rights
• Security – appropriate technical and organisational measures
• Not transferred outside the European Economic Area (EEA) unless adequate protections are in place
• (EEA: The 28 member states of the EU, plus Iceland, Liechtenstein and Norway)
Principle 1: Fairly and lawfully collected
• Fair processing information provided
• Organisation’s identity given
• Purpose of collection made clear
• Further information necessary
• Correct permissions obtained
- Implied consent: opt-out mechanism provided
- Express consent: opt-in mechanism provided
• Sensitive personal data only captured if strictly necessary
Principle 2: Processed for limited purposes
• Only process data for the purpose(s) you told the individual
• Make the purpose(s) clear at the point of data collection
• Change of circumstances – what happens to the data then?
• Subsequent use of data for direct marketing purposes
• Data cleansing – regular and ad hoc
Principle 3: Adequate, relevant and not excessive
• Minimum amount of information required
• Additional information for specific individuals
• Collect data that you will use now
• Collection of data that ‘may be useful’ in the future is not permitted
Principle 4: Accurate and kept up to date
• Take reasonable steps to ensure accuracy (but what is ‘reasonable’?)
• Ensure data is not incorrect or misleading
• Undertake regular data cleansing
• Clean data against the relevant preference service files and other appropriate cleansing files
Principle 5: Not kept for longer than necessary
• Keep for as long as purpose collected for
• Suppression lists
Principle 6: Processed in accordance with the rights of data subjects
• Subject access requests
• ‘Where did you get my data from?’
• Right to prevent direct marketing
• Customer service / legally required communications – no opt-out provision required
• Right to have inaccurate data corrected
Principle 7: Technological and organisational security
• Data security must be appropriate – take account of:
– Current state of technological development
– Cost of implementing security measures
– Potential harm that could result from a data breach
– Nature of data to be protected – non/sensitive?
• Need for risk assessment and risk management techniques
• Record your findings and assessments
Principle 7: Technological and organisational security (continued)
• Ensure adequate organisational data security measures
• Prevent unauthorised as well as unlawful processing or disclosure of data
• Security measures by data controller and data processor
• Data processing and transfer agreements in place
• Staff training
• Data access on a ‘need to know’ basis – individual log-ins only
• Secure disposal of data – internally/externally - keep records
Principle 8: Processed within the EEA unless adequate protection in place
• Data can be freely transferred within the EEA (providing data transfer agreements are in place)
• Do not transfer data unless the destination country (and any countries the data is routed via) has an adequate level of data protection
• Need to inform individuals before transferring their data outside the EEA but do not need their consent
Understanding the law 2
• Privacy and Electronic Communications Regulations 2003 (PECR)
– Came into force 11 December 2003
– Covers electronic communications – email, telephone, SMS
Key rules
• Sender must not conceal their identity
• Communication must have valid address where opt-outs can be sent
• Opt-in required for individuals (B2C)
• Soft opt-in/existing customer exemption – available:
– When you are collecting the address/mobile number in the sale or negotiations for the sale of a product or service;
– You only send communications about similar products and services;
– You provided an opportunity at time of collection to opt-out.
Key points
• Existing customer exemption: Not an excuse for unsolicited contact where correct permissions were never obtained
• B2B – Opt-out and marketing message needs to directly relate to the work they do.
• Subject headers in emails must be clear and accurate
• Free and simple-to-use opt-out method must always be provided
• Action unsubscribe requests promptly – add to internal suppression file
• Maintain different flags for different types of communication – helps to avoid general opt-outs for all channels
Practical tips for marketers
• Data capture forms
• Marketing permissions
• Sourcing data
• Regaining lost permission
Data capture forms
• Key information to include:
– Why the data is being requested
– What the data will be used for
– Provision of an opt-in/out for marketing
– Marketing channels to be used
– Link to privacy policy
• Key information to include in privacy policy
– How the data subject can opt-out of marketing
– If the data will be processed outside the EEA
– How long the data will be kept for
– How to make a subject access request
– How to make a complaint regarding use of data
Marketing permissions
| Channel | B2C own marketing | B2C 3rd party marketing | B2B own marketing | B2B 3rd party marketing |
|---|---|---|---|---|
| Mail | opt-out | opt-out (MPS screening) | opt-out | opt-out |
| Telephone | opt-out | opt-out (TPS screening) | opt-out | opt-out (TPS/CTPS screening) |
| Email | opt-in / soft opt-in | opt-in | opt-in (unless corporate subscriber exemption) | opt-in (unless corporate subscriber exemption) |
| SMS | opt-in / soft opt-in | opt-in | opt-in | opt-in |
| Fax | opt-in | opt-in | opt-out | opt-out (FPS screening) |
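As an added example that is not part of the original slides, the following Python encodes the permissions matrix above together with the soft opt-in conditions from the PECR key rules, the suppression-file check and the per-channel flags from the key points; the Contact fields, the screening set and the suppression set are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Contact:
    """Constructed consent record; one flag per channel, as the slides advise."""
    contact_id: str
    audience: str                               # "B2C" or "B2B"
    opt_in: set = field(default_factory=set)    # channels with express opt-in
    opt_out: set = field(default_factory=set)   # channels the subject opted out of
    corporate_subscriber: bool = False          # B2B corporate subscriber exemption (email)
    collected_in_sale: bool = False             # soft opt-in: details taken during a sale
    opt_out_offered: bool = False               # soft opt-in: opt-out offered at collection

# (basis, preference service to screen against) per channel; columns are
# B2C own, B2C third party, B2B own, B2B third party, as in the matrix above.
MATRIX = {
    "mail":      (("opt-out", None), ("opt-out", "MPS"), ("opt-out", None), ("opt-out", None)),
    "telephone": (("opt-out", None), ("opt-out", "TPS"), ("opt-out", None), ("opt-out", "TPS/CTPS")),
    "email":     (("soft-opt-in", None), ("opt-in", None), ("opt-in", None), ("opt-in", None)),
    "sms":       (("soft-opt-in", None), ("opt-in", None), ("opt-in", None), ("opt-in", None)),
    "fax":       (("opt-in", None), ("opt-in", None), ("opt-out", None), ("opt-out", "FPS")),
}

def required_basis(channel, audience, third_party, corporate_subscriber=False):
    """Look up the permission basis and any preference-service screening required."""
    col = (0 if audience == "B2C" else 2) + (1 if third_party else 0)
    basis, service = MATRIX[channel][col]
    if channel == "email" and audience == "B2B" and corporate_subscriber:
        basis = "opt-out"  # corporate subscriber exemption turns opt-in into opt-out
    return basis, service

def can_contact(c, channel, third_party=False, similar_products=True,
                suppression=frozenset(), screened=frozenset()):
    """Decide whether a marketing message may go to c on this channel.
    Returns (allowed, reason). Suppression file and channel opt-outs always win."""
    if c.contact_id in suppression or channel in c.opt_out:
        return False, "on suppression file or opted out of channel"
    basis, service = required_basis(channel, c.audience, third_party, c.corporate_subscriber)
    if basis == "opt-out":
        if service and service not in screened:
            return False, f"list must be screened against {service}"
        return True, "opt-out basis: permitted until the subject opts out"
    if channel in c.opt_in:
        return True, "express opt-in held"
    # Soft opt-in applies only to own marketing, details collected in a sale, similar
    # products, and an opt-out offered at collection (no opt-out offered = no permission).
    if basis == "soft-opt-in" and c.collected_in_sale and similar_products and c.opt_out_offered:
        return True, "soft opt-in / existing customer exemption"
    return False, f"{basis} permission not held"
```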
Sourcing data/ due diligence
• Who compiled the list? When? Has it been amended or updated since?
• When was consent obtained?
• Who obtained consent and what was the context?
• Was it opt-in or opt-out?
• Was information provided clearly and intelligibly? How was it provided?
• Did it list organisations by name, by description, or any third party?
Regaining lost permissions
• Why was permission lost:
– Poor customer service?
– Poor communications timing?
– Inappropriate offers?
– In-house technical issues – permissions not recorded on CRM system
• Revalidation exercise – obtaining up-to-date data
• Can very occasionally include request regarding marketing update in a service message providing it is a minor part of the message
• If you have only lost permission for certain channels, contact via another channel to update permissions