customer data and the new eu privacy law - may2016

Customer Data and the new EU Privacy Law Key facts for marketers in international business Version: 18 May 2016

Upload: andrew-sanderson

Post on 29-Jan-2018

Page 1: Customer data and the new EU privacy law - May2016

Customer Data and the new

EU Privacy Law

Key facts for marketers in international business

Version: 18 May 2016

Page 2: Customer data and the new EU privacy law - May2016

Executive summary

1. Safest policy is to treat all EU customer data as Personal Information

2. For incorrect handling of Personal Information of EU citizens:

Fines up to 4% of global revenues

3. Grace period for making processes compliant: until May 2018

Page 3: Customer data and the new EU privacy law - May2016

Context

• International business selling into the EU

• B2B & B2C

• Marketing & Sales processes

• Data about EU Prospects & Customers

18/05/2016 Andrew Sanderson | [email protected] | +49 06223 9346 3401 3

Page 4: Customer data and the new EU privacy law - May2016

Warning!

This version: May 2016

• Written by an EU Marketer (not a lawyer) for non-EU Marketers

• Highlights issues, impacts & options

• This does not constitute a legal opinion or legal advice

• Use at your own risk / verify with your corporate counsel

Page 5: Customer data and the new EU privacy law - May2016

Marketing objectives

Build trust – the foundation for face-to-face selling

• Promote products & services

• Gain permission for personalised, one-to-one communication

• Identify individual needs

• Provide each Contact with relevant information about solutions

Page 6: Customer data and the new EU privacy law - May2016

PII = Personally Identifiable Information

Definition in Europe:

information that can be used on its own

or with other information

to identify, contact, or locate a single person,

or to identify an individual in context

See GDPR, Article 4(1) for precise text

Page 7: Customer data and the new EU privacy law - May2016

PII = Personally Identifiable Information

Definition in the USA:

any information that can distinguish or trace an individual’s identity,

such as name, social security number, date and place of birth, biometrics

any other information that is linked or linkable to an individual,

such as medical, educational, financial, and employment information

NIST SP 800-122

Page 8: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

Mr. James Bond

This is not necessarily PII

• Firstname Lastname does not always identify a single individual

Page 9: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

• Universal Exports

• Caribbean Department

• Company Fax: +44 020 1234567

• Web: www.universalex.com

These are not PII

• Alone or in combination, they cannot identify a single individual

Page 10: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

• Business Development Manager

• Caribbean Department

• Universal Exports Ltd.

• London

This may be PII

• A combination of information that may identify an individual

• For example: if there is only one Business Development

Manager in the Caribbean Department of

Universal Exports, London.

Page 11: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

• Tel:

+44 020 123456 xt 007

• Email:

[email protected]

These are definitely PII

• Each can be used on its own to identify a single person

Page 12: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is definitely PII

• In this context, all data points help to identify a single person

Mr. James Bond

Business Development Manager

Caribbean Department

Universal Exports Ltd.

85 Albert Embankment, London SE1 1BD

T: +44 020 123456 xt 007

F: +44 020 1234567

E: [email protected]

W: www.universalexport.com

Page 13: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is definitely PII, too

In this context, all data points refer to the identity of a single person

Page 14: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is not PII

Page 15: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is PII

• What individual people think

• Privately or professionally

NOTE: pseudonymised, but can be linked to the individual via the ID

Page 16: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is PII

• What people do privately

NOTE: pseudonymised, but can be linked to the individual via the ID

Page 17: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is PII

• What people do professionally

NOTE: pseudonymised, but can be linked to the individual via the ID

Page 18: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

• metadata

• cookies

• online behaviour

• website clicks

These are also PII

If you know 'who does what'

• even if pseudonymised

• even if encrypted

Page 19: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

Connecting non-PII data to PII makes it PII, too

• Drink: Vodka Martini

• Vacation: St Moritz

• Sport: Ski-ing

In this context, the data enriches the knowledge of a single person

Page 20: Customer data and the new EU privacy law - May2016

PII in Marketing Practice

This is SPI

[Sensitive Personal Information]

• Health, religion, political opinion, sexual preference, union membership, etc.

• Best avoided in B2B Marketing

Memo:

From: Medical Officer

To: M

Health Report: For Your Eyes Only

RE: Bond, James / 007

This officer smokes 40 filterless cigarettes a day and consumes 90 units of alcohol per week - more than is good for him.

He ignores professional advice and is, I believe, running a serious risk of long-term damage to lungs and liver.

Page 21: Customer data and the new EU privacy law - May2016

Conclusions

Digital customer records:

• Enable personalised communication

• Make marketing more effective

• Prepare for face-to-face selling

Page 22: Customer data and the new EU privacy law - May2016

Conclusions

But - digital records of EU contacts

• Are covered by EU Privacy Law

• Proof of Contact permission is required

(documented double opt-in & datestamp)

Page 23: Customer data and the new EU privacy law - May2016

Conclusions

• If a file contains information that identifies individuals, the entire file is potentially PII

• If data is linked to a file that identifies individuals, the data is PII, too

• What people think and do online is PII (click behaviour, metadata)

Page 24: Customer data and the new EU privacy law - May2016

Recommendations

• Simple policies are easy to remember

• The safest privacy policy is:

Treat all EU Customer data as

Personally Identifiable Information

Page 25: Customer data and the new EU privacy law - May2016

Issues, Impacts & Options

www.andrewsanderson.eu

a marketing blog

for international business

Andrew Sanderson | [email protected] | +49 06223 9346 3401