Customer Data and the new
EU Privacy Law
Key facts for marketers in international business
Version: 18 May 2016
Executive summary
1. Safest policy is to treat all EU customer data as Personal Information
2. For incorrect handling of Personal Information of EU citizens:
Fines up to 4% of global revenues
3. Grace period for making processes compliant: until May 2018
Context
• International business selling into the EU
• B2B & B2C
• Marketing & Sales processes
• Data about EU Prospects & Customers
18/05/2016 Andrew Sanderson | [email protected] | +49 06223 9346 3401
Warning!
This version: May 2016
• Written by an EU Marketer (not a lawyer) for non-EU Marketers
• Highlights issues, impacts & options
• This does not constitute a legal opinion or legal advice
• Use at your own risk / verify with your corporate counsel
Marketing objectives
Build trust – the foundation for face-to-face selling
• Promote products & services
• Gain permission for personalised, one-to-one communication
• Identify individual needs
• Provide each Contact with relevant information about solutions
PII = Personally Identifiable Information
Definition in Europe:
information that can be used on its own
or with other information
to identify, contact, or locate a single person,
or to identify an individual in context
See GDPR, Article 4(1) for precise text
PII = Personally Identifiable Information
Definition in the USA:
any information that can distinguish or trace an individual’s identity,
such as name, social security number, date and place of birth, biometrics
any other information that is linked or linkable to an individual,
such as medical, educational, financial, and employment information
NIST SP 800-122
PII in Marketing Practice
Mr. James Bond
This is not necessarily PII
• Firstname Lastname does not always identify a single individual
PII in Marketing Practice
• Universal Exports
• Caribbean Department
• Company Fax: +44 020 1234567
• Web: www.universalex.com
These are not PII
• Alone or in combination, they cannot identify a single individual
PII in Marketing Practice
• Business Development Manager
• Caribbean Department
• Universal Exports Ltd.
• London
This may be PII
• A combination of information that may identify an individual
• For example: if there is only one Business Development
Manager in the Caribbean Department of
Universal Exports, London.
PII in Marketing Practice
• Tel: +44 020 123456 xt 007
• Email:
These are definitely PII
• Each can be used on its own to identify a single person
PII in Marketing Practice
This is definitely PII
• In this context, all data points help to identify a single person
Mr. James Bond
Business Development Manager
Caribbean Department
Universal Exports Ltd.
85 Albert Embankment, London SE1 1BD
T: +44 020 123456 xt 007
F: +44 020 1234567
W: www.universalexport.com
This is definitely PII, too
In this context, all data points refer to the identity of a single person
PII in Marketing Practice
This is not PII
PII in Marketing Practice
This is PII
• What individual people think
• Privately or professionally
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
This is PII
• What people do privately
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
This is PII
• What people do professionally
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
These are also PII
If you know 'who does what'
• even if pseudonymised
• even if encrypted
PII in Marketing Practice
metadata
cookies
online behaviour
website clicks
PII in Marketing Practice
Connecting non-PII data to PII makes it PII, too
Drink: Vodka Martini Vacation: St Moritz Sport: Ski-ing
In this context, the data enriches the knowledge of a single person
This is SPI
[Sensitive Personal Information]
• Health, religion, political opinion, sexual preference, union membership, etc.
• Best avoided in B2B Marketing
Memo:
From: Medical Officer
To: M
Health Report: For Your Eyes Only
RE: Bond, James / 007
This officer smokes 40 filterless cigarettes a
day and consumes 90 units of alcohol per week -
more than is good for him.
He ignores professional advice and is, I
believe, running a serious risk of long-term
damage to lungs and liver.
PII in Marketing Practice
Conclusions
Digital customer records:
• Enable personalised communication
• Make marketing more effective
• Prepare for face-to-face selling
Conclusions
But - digital records of EU contacts
• Are covered by EU Privacy Law
• Proof of Contact permission is required
(documented double opt-in & datestamp)
Conclusions
• If a file contains information that identifies individuals, the entire file is potentially PII
• If data is linked to a file that identifies individuals, the data is PII, too
• What people think and do online is PII (click behaviour, metadata)
Recommendations
• Simple policies are easy to remember
• The safest privacy policy is:
Treat all EU Customer data as
Personally Identifiable Information
Issues, Impacts & Options
www.andrewsanderson.eu
a marketing blog for international business