Legal and data protection update


Page 1: Legal and data protection update

Data protection 2013

Friday 8 February

#dmadata

Supported by

Legal and data protection update Tuesday 28 October 2014, DMA House @DMA_UK #dmalegal

James Milligan Solicitor DMA

Page 2: Legal and data protection update

Agenda

9.00am Registration and breakfast

9.30am Data Protection Act 1998 and Privacy and Electronic Communications Regulations 2003 refresher

James Milligan, DMA Solicitor

10.30am Break

10.45am EU Draft Data Protection Regulation

James Milligan, DMA Solicitor

11.45am Summary and questions

12.00pm Close

Page 3: Legal and data protection update

Why is it important?

• It helps us to protect information about ourselves and others

• It helps us avoid damage to the reputation of our organisation

• It makes good business sense – it can increase efficiency and effectiveness

• It helps us avoid enforcement action by the Information Commissioner

– both employers and employees can be prosecuted

– companies can face a monetary penalty of up to £500,000 for major breaches

Page 10: Legal and data protection update

Understanding the law 1

• Data Protection Act 1998 (DPA)

– Came into force 1 March 2000

– Replaced 1984 Act

– Covers doing anything with data

– Applies to electronic records and some manual records

Page 11: Legal and data protection update

Key terms

• Personal data

– any data that can be used to identify a living individual

– Examples of personal data can include:

• Name and address

• Email address (even business email addresses if they are non generic)

• Name and telephone number

• Photographs

– Only personal data is protected by the DPA

• Sensitive personal data

– any data relating to:

• Health

• Race or ethnic origin

• Political opinions

• Religious beliefs

• Trade union membership

• Sex life

• Criminal proceedings or convictions

Page 12: Legal and data protection update

Key terms

• Processing

– obtaining, recording or holding information or carrying out any operation on the information including

• Organising

• Adapting

• Retrieving

• Disclosing

• Blocking

• Destroying

• Data subject

– a living identifiable individual to whom the personal data relates

Page 13: Legal and data protection update

Key terms

• Data controller

- Determines how data will be used

- Usually owns or rents the data (may be done by 3rd party on their behalf)

- Required to notify (register) as a controller with the ICO

- May be fined by ICO if any data breaches arise

• Data processor

- Processes data on behalf of controller or other processor

- Processing can be anything from data storage to advanced data manipulation and modelling

- Includes companies that manage / broker / collect data on behalf of others

Page 14: Legal and data protection update

The 8 Principles

• Fairly and lawfully collected

• Processed for specified and limited purposes

• Adequate, relevant and not excessive

• Accurate and kept up to date

• Not kept for longer than necessary

• Processed in accordance with Individuals’ rights

• Security – appropriate technical and organisational measures

• Not transferred outside the European Economic Area (EEA) unless adequate protections are in place

• (EEA: The 28 member states of the EU, plus Iceland, Liechtenstein and Norway)

Page 15: Legal and data protection update

Principle 1: Fairly and lawfully collected

• Fair processing information provided

• Organisation’s identity given

• Purpose of collection made clear

• Further information necessary

• Correct permissions obtained

- Implied consent: opt-out mechanism provided

- Express consent: opt-in mechanism provided

• Sensitive personal data only captured if strictly necessary

Page 16: Legal and data protection update

Principle 2: Processed for limited purposes

• Only process data for the purpose(s) you told the individual

• Make the purpose(s) clear at the point of data collection

• Change of circumstances – what happens to the data then?

• Subsequent use of data for direct marketing purposes

• Data cleansing – regular and ad hoc

Page 17: Legal and data protection update

Principle 3: Adequate, relevant and not excessive

• Minimum amount of information required

• Additional information for specific individuals

• Collect data that you will use now

• Collection of data that ‘may be useful’ in the future is not permitted

Page 18: Legal and data protection update

Principle 4: Accurate and kept up to date

• Take reasonable steps to ensure accuracy (but what is ‘reasonable’?)

• Ensure data is not incorrect or misleading

• Undertake regular data cleansing

• Clean data against the relevant preference service files and other appropriate cleansing files

Page 19: Legal and data protection update

Principle 5: Not kept for longer than necessary

• Keep for as long as purpose collected for

• Suppression lists

Page 20: Legal and data protection update

Principle 6: Processed in accordance with the rights of data subjects

• Subject access requests

• ‘Where did you get my data from?’

• Right to prevent direct marketing

• Customer service / legally required communications – no opt-out provision required

• Right to have inaccurate data corrected

Page 21: Legal and data protection update

Principle 7: Technological and organisational security

• Data security must be appropriate – take account of:

– Current state of technological development

– Cost of implementing security measures

– Potential harm that could result from a data breach

– Nature of data to be protected – non/sensitive?

• Need for risk assessment and risk management techniques

• Record your findings and assessments

Page 22: Legal and data protection update

Principle 7: Technological and organisational security (continued)

• Ensure adequate organisational data security measures

• Prevent unauthorised as well as unlawful processing or disclosure of data

• Security measures by data controller and data processor

• Data processing and transfer agreements in place

• Staff training

• Data access on a ‘need to know’ basis – individual log-ins only

• Secure disposal of data – internally/externally - keep records

Page 23: Legal and data protection update

Principle 8: Processed within the EEA unless adequate protection in place

• Data can be freely transferred within the EEA (providing data transfer agreements are in place)

• Do not transfer data unless the destination country (and any countries the data is routed via) has an adequate level of data protection

• Need to inform individuals before transferring their data outside the EEA, but do not need their consent

Page 24: Legal and data protection update

Understanding the law 2

• Privacy and Electronic Communications Regulations 2003 (PECR)

– Came into force 11 December 2003

– Covers electronic communications – email, telephone, SMS

Page 25: Legal and data protection update

Key rules

• Sender must not conceal their identity

• Communication must have valid address where opt-outs can be sent

• Opt-in required for individuals (B2C)

• Soft opt-in/existing customer exemption – available:

– When you are collecting the address/mobile number in the sale or negotiations for the sale of a product or service;

– You only send communications about similar products and services;

– You provided an opportunity at time of collection to opt-out.

Page 26: Legal and data protection update

Key points

• Existing customer exemption: Not an excuse for unsolicited contact where correct permissions were never obtained

• B2B – opt-out basis, but the marketing message needs to relate directly to the work they do.

• Subject headers in emails must be clear and accurate

• Free and simple-to-use opt-out method must always be provided

• Action unsubscribe requests promptly – add to internal suppression file

• Maintain different flags for different types of communication – helps to avoid general opt-outs for all channels

Page 27: Legal and data protection update

Practical tips for marketers

• Data capture forms

• Marketing permissions

• Sourcing data

• Regaining lost permission

Page 28: Legal and data protection update

Data capture forms

• Key information to include:

– Why the data is being requested

– What the data will be used for

– Provision of an opt-in/out for marketing

– Marketing channels to be used

– Link to privacy policy

• Key information to include in privacy policy

– How the data subject can opt-out of marketing

– If the data will be processed outside the EEA

– How long the data will be kept for

– How to make a subject access request

– How to make a complaint regarding use of data

Page 29: Legal and data protection update

Marketing permissions

Permission required by channel, for own marketing and third-party marketing, to consumers (B2C) and to businesses (B2B):

• Mail – B2C own marketing: opt-out; B2C 3rd party marketing: opt-out (MPS screening); B2B own marketing: opt-out; B2B 3rd party marketing: opt-out

• Telephone – B2C own marketing: opt-out; B2C 3rd party marketing: opt-out (TPS screening); B2B own marketing: opt-out; B2B 3rd party marketing: opt-out (TPS/CTPS screening)

• Email – B2C own marketing: opt-in or soft opt-in; B2C 3rd party marketing: opt-in; B2B own marketing: opt-in (unless corporate subscriber exemption); B2B 3rd party marketing: opt-in (unless corporate subscriber exemption)

• SMS – B2C own marketing: opt-in or soft opt-in; B2C 3rd party marketing: opt-in; B2B own marketing: opt-in; B2B 3rd party marketing: opt-in

• Fax – B2C own marketing: opt-in; B2C 3rd party marketing: opt-in; B2B own marketing: opt-out; B2B 3rd party marketing: opt-out (FPS screening)
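The permission rules from the PECR key rules and key points slides and from the matrix above (opt-in, soft opt-in with its three conditions, opt-out channels screened against a preference service file, the B2B corporate subscriber exemption, and per-channel suppression flags so one unsubscribe does not kill every channel), as an added worked example. This is not code from the DMA or from this deck: the record layout, the function names (Permission, Contact, unsubscribe, can_send) and the sample contacts and screening file are all assumed for illustration. Each permission also carries the provenance the sourcing/due diligence questions ask for (who obtained it, when, under what wording), so that the controller can later demonstrate consent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permission bases, named after the terms used on the slides.
OPT_IN = "opt-in"             # express consent: opt-in mechanism used
SOFT_OPT_IN = "soft opt-in"   # existing-customer exemption under PECR
OPT_OUT = "opt-out"           # implied consent: opt-out offered, not taken


@dataclass(frozen=True)
class Permission:
    """One channel permission, stored with the provenance a due-diligence
    review asks for: who obtained it, when, and under what wording."""
    channel: str                     # "email", "sms", "telephone", "mail"
    basis: str                       # OPT_IN, SOFT_OPT_IN or OPT_OUT
    obtained_at: datetime
    obtained_by: str                 # who collected it and in what context
    wording: str                     # notice shown at the point of collection
    collected_in_sale: bool = False  # soft opt-in: collected during a sale
    opt_out_offered: bool = False    # soft opt-in: opt-out offered at collection


@dataclass
class Contact:
    address: str                        # email address, phone number, ...
    audience: str                       # "B2C" or "B2B"
    corporate_subscriber: bool = False  # B2B corporate subscriber exemption
    permissions: list = field(default_factory=list)
    suppressed: set = field(default_factory=set)  # channels unsubscribed


def unsubscribe(contact: Contact, channel: str) -> None:
    """Action an opt-out for one channel only; other channel flags survive."""
    contact.suppressed.add(channel)


def can_send(contact: Contact, channel: str, relevant: bool,
             preference_services=None):
    """Decide whether own marketing on `channel` may be sent to `contact`.

    `relevant` means a similar product or service (soft opt-in) or, for B2B,
    a message that relates to the recipient's work.  `preference_services`
    maps a channel to the addresses on its screening file (MPS, TPS, ...).
    Returns (allowed, reason) so every decision can be logged.
    """
    if channel in contact.suppressed:
        return False, f"{channel}: on internal suppression file"
    perms = [p for p in contact.permissions if p.channel == channel]
    if any(p.basis == OPT_IN for p in perms):
        return True, f"{channel}: opt-in recorded"
    has_opt_out = any(p.basis == OPT_OUT for p in perms)

    if channel in ("mail", "telephone"):
        # Opt-out channels: screen against the preference service file.
        screening = (preference_services or {}).get(channel, frozenset())
        if contact.address in screening:
            return False, f"{channel}: registered with preference service"
        if has_opt_out:
            return True, f"{channel}: opt-out offered and not taken"
        return False, f"{channel}: no permission recorded"

    # Electronic channels (email, SMS) under PECR: opt-in for individuals.
    if contact.audience == "B2B" and contact.corporate_subscriber:
        if not has_opt_out:
            return False, f"{channel}: no opt-out offered at collection"
        if not relevant:
            return False, f"{channel}: B2B message must relate to their work"
        return True, f"{channel}: corporate subscriber exemption"
    for p in perms:
        if (p.basis == SOFT_OPT_IN and p.collected_in_sale
                and p.opt_out_offered and relevant):
            return True, f"{channel}: soft opt-in (existing customer)"
    return False, f"{channel}: opt-in required, none recorded"


# Constructed sample records (not real people, numbers or permissions).
WHEN = datetime(2014, 10, 1, tzinfo=timezone.utc)

alice = Contact("alice@example.com", "B2C", permissions=[
    Permission("email", SOFT_OPT_IN, WHEN, "web checkout",
               "We will email you about similar products; tick to opt out.",
               collected_in_sale=True, opt_out_offered=True),
    Permission("sms", OPT_IN, WHEN, "web checkout",
               "Tick to receive our offers by text message."),
])

bob = Contact("bob@corp.example", "B2B", corporate_subscriber=True, permissions=[
    Permission("email", OPT_OUT, WHEN, "trade show sign-up",
               "We may email you about our services; tick to opt out."),
])

carol = Contact("02079460000", "B2C", permissions=[
    Permission("telephone", OPT_OUT, WHEN, "in-store form",
               "We may call you about our offers; tick to opt out."),
])
TPS_FILE = {"telephone": {"02079460000"}}  # constructed screening file

if __name__ == "__main__":
    print(can_send(alice, "email", relevant=True))
    print(can_send(alice, "email", relevant=False))
    unsubscribe(alice, "email")
    print(can_send(alice, "email", relevant=True))
    print(can_send(alice, "sms", relevant=False))    # SMS flag survives
    print(can_send(bob, "email", relevant=True))
    print(can_send(carol, "telephone", True, TPS_FILE))
```

The reason string is returned rather than printed so it can be written to the audit trail alongside the decision; with the burden of proof on the controller, the Permission record and the logged reason together are what you would produce when asked "where did you get my data from?".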

Page 30: Legal and data protection update

Sourcing data/ Due diligence

• Who compiled the list? When? Has it been amended or updated since?

• When was consent obtained?

• Who obtained consent and what was the context?

• Was it opt-in or opt-out?

• Was information provided clearly and intelligibly? How was it provided?

• Did it list organisations by name, by description, or any third party?

Page 31: Legal and data protection update

Regaining lost permissions

• Why was permission lost:

– Poor customer service?

– Poor communications timing?

– Inappropriate offers?

– In-house technical issues – permissions not recorded on CRM system

• Revalidation exercise – obtaining up-to-date data

• Can very occasionally include a request to update marketing permissions in a service message, providing it is a minor part of the message

• If you have only lost permission for certain channels, contact via another channel to update permissions

Page 32: Legal and data protection update

Determining whether data controller or data processor

• Look at activities each party is carrying out

• Data Controller – over-arching decisions

• Data Processor – freedom to use technical knowledge

• If both parties working well together and dealing with data protection compliance – no real issues

• Important to determine for when things go wrong e.g. data breach

• Establish roles and responsibilities before work starts

• Obligations of both parties under DPA 1998

• Need for operational guidance behind data processing contract

• Remember that a data processor will also be a data controller in respect of its own employees.

Page 33: Legal and data protection update


EU Draft Data Protection Regulation

Page 34: Legal and data protection update

Future new Data Protection Regulation – Why now?

• Data Protection Directive 95/46/EC ("Directive") (implemented in UK by 1998 Data Protection Act) showing its age

• New technologies and more complex information networks

• Lack of common European law and differences in national implementation

• Consumer concern over privacy

• Data protection now a fundamental right under EU Charter of Fundamental Rights


Page 35: Legal and data protection update

EU data protection reform timeline

• Jan 2012 – first draft Data Protection Regulation ("DPR")

• December 2012 – amendments suggested by the Rapporteur of the European Parliament Committee on Civil Liberties, Justice and Home Affairs ("LIBE Report")

• February – May 2013 – reported that 4000 amendments were tabled

• May 2013 – partial "compromise" draft from Justice and Home Affairs Ministers ("CD")

• October 2013 – LIBE voted on amendments

• October 2013 – Heads of Government meeting

• December 2013 – inconclusive Justice and Home Affairs Ministers meeting


Page 36: Legal and data protection update

EU data protection reform timeline

• Jan 2014 Civil servants working group and Justice and Home Affairs meetings continue

• Mar 2014 MEPs adopted LIBE report

• May 2014 European Parliament elections

• Nov 2014 New European Justice Commissioner and other Commissioners take office??

• June 2015 Justice and Home Affairs Ministers agree position??

• 2015/16 Regulation is passed in Brussels??

• 2017/18 Implemented into UK law??

Page 37: Legal and data protection update

Changes proposed by the European Parliament to the draft Data Protection Regulation (LIBE Report)

• LIBE report adopted by all MEPs March 2014

• Proposes a number of changes to European Commission original text

• Majority of changes favour consumers rather than businesses

Page 38: Legal and data protection update

The "compromise draft" agreed by EU Justice Ministers 2013-2014

• "More business friendly" compromise draft ("CD") is only partial: Chapters I-IV

• More changes to Chapters I-IV may be needed once the remainder has been updated

• Regulation or Directive? – wording proposed allows for Regulation to be transformed into a Directive (supported by 8 member states)

• June 2014 Chapter V – international issues, transfers of data, applicability of Regulation

• October 2014 Chapter IV – obligations of data controllers and data processors


Page 39: Legal and data protection update

Headline proposed changes

• Expanded definitions: “personal data” and “data subject”

• Explicit consent required

• Right to be forgotten

• Greater emphasis on accountability

• Notification of data security breaches

• More onerous sanctions for breach

• Data processors directly covered

Page 40: Legal and data protection update

Consent

Consent: current position

- Freely given, specific, informed indication of the data subject’s wishes

- Explicit consent required for sensitive personal data only

Consent: proposed position

- Freely given, specific, informed and explicit indication of the data subject’s wishes

- Given either by a statement or a clear affirmative action

- Data controller / data subject relationship to be taken into account

- Burden of proof on controller to demonstrate consent

Page 41: Legal and data protection update

Introduction of opt-in/explicit consent

• Review language used at point of data collection to ensure that consent is explicit /opt-in

• Opt-in /explicit consent not required for postal marketing in European Parliament version of the text

• Do people understand what they are agreeing to? – nation of liars

• Think about how you will update legacy databases

• Children – consent wording for under-13s if offering them an information society service

Page 42: Legal and data protection update

Key points in the draft Regulation – IP addresses and cookies

• Definition of personal data extended so could cover some IP addresses and cookies as “online identifiers”

• But an IP address identifies a device, not an individual, and some IP addresses are shared

• Huge implications for digital marketers

• Web analytics & profiling made much more difficult, if not impossible

• Interaction with new cookie rules problematic

Page 43: Legal and data protection update

IP addresses and cookies

• Think about how you will deal with the extension to include location data, IP addresses, cookies and online identifiers

• Pseudonymous/anonymous data – will you be able to take advantage of exceptions?

Page 44: Legal and data protection update

Key points in the draft Regulation – The right to be forgotten

• Right for individuals to request organisations to delete any information held on them

• Drafted with social media in mind – but goes beyond this

• Problem of information that has already been passed on to third parties

• Possibility of misleading consumers by raising unrealistic expectations

• Changes to current text likely

• European Court of Justice Google Spain case

Page 45: Legal and data protection update

The right to be forgotten

• Prepare to respond to requests

• Deletion / suppression

• Other legal requirements to keep information, e.g. accounting, tax, money-laundering

Page 46: Legal and data protection update

Key points in the draft Regulation - Data Breach notification

• Any data security breach to be notified to the ICO and the individuals concerned within 24 hours

• Report to cover: nature of breach; number of data subjects; categories of data; proposed mitigation

• Not always obvious if there has been a breach or how extensive it is

• Problem of notification fatigue

• No threshold level specified

Page 47: Legal and data protection update

Data security breach notification

• Introduce breach detection and notification procedures

• Think about how you will notify data protection authorities and affected individuals within whatever timescale is agreed

• Develop/review your data breach response plan

Page 48: Legal and data protection update

Key points in the draft Regulation - Subject Access Requests (SARs)

• Data subjects to be able to request full information on data held on them free of any charge

• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests

• Costs organisations £50 million p.a. now to meet SARs

• Proposal that can provide data in electronic form if data subject agrees to this

• Particular problem for financial services with mis-selling issues and claims management firms

Page 49: Legal and data protection update

Subject Access Rights

• New Regulation may lead to increased public awareness of rights, e.g. the right to request information (Data Subject Access Requests, Right to be forgotten)

• Plan ahead for increase in queries from clients/public

• Training for client/customer service teams

• Amend wording on privacy policies/data collection notices to take account of new rules on profiling.

Page 50: Legal and data protection update

Key points in the draft Regulation - Compliance obligations

• Data protection obligations now shared between controllers and processors

• Privacy by Design / Privacy by Default

• Appointment of DP officer (250+ employees)

- 2 year appointment

- Independent reporting to board

- Information and training

- Maintenance of documentation

- Data protection impact reports

• International transfers of data outside EEA – law would apply to any processing of data of EU citizens

• Council of Ministers – obligations increased for high risk data processing

Page 51: Legal and data protection update

Compliance obligations

• Review amount of data being processed, erasure policies and data retention policies

• Requirement to demonstrate compliance will mean more documentation in respect of policies and procedures

• Contact centres, mailing houses, email/SMS broadcasters will also be subject to these new obligations, especially in respect of data security

• Review staff training in data protection.

• Appointment of a data protection officer?

• Risk- based approach to compliance and data protection impact assessments

Page 52: Legal and data protection update

Key points in the draft Regulation - Proposed enhanced sanctions

• Up to €500k or 1% of annual worldwide turnover for intentional or negligent failure to respond to subject access requests in accordance with the Regulation

• Up to €1m or 2% of annual worldwide turnover for other compliance failures

• Depends on:-

- size of organisation involved

- nature and gravity of breach

- whether intentional or negligent

- technical and organisational measures

- previous breaches

- co-operation with ICO

Page 53: Legal and data protection update

Enhanced sanctions/fines

• Watch out if you get it wrong!

• Increase focus on compliance – board level issue

• Review internal policies and procedures

Page 54: Legal and data protection update

Key Points in the draft Regulation – Cross-border issues

• Main establishment / one-stop shop provisions

• Think about which country’s national data protection authority will be lead regulator

• Possibility of changing country where head office is located

• Review arrangements for transfers of data outside EEA (28 Member States of EU + Iceland, Liechtenstein, Norway)

• Global group – application to EU citizens’ personal data.

• European Court of Justice Google Spain right to be forgotten case – link between Google Spain and Google USA

Page 55: Legal and data protection update

Impact on direct marketing

• Existing databases may not be usable: could decimate prospect lists. Legacy data?

• No tracking data, profiling or segmentation without explicit consent – less targeted and more generic communication?

• List broking severely restricted

• New information requirements and rights of the data subject, e.g. Right to be Forgotten

• Increased costs – £76,000 per business to comply + possible £47 billion of lost sales in UK

Page 56: Legal and data protection update

Draft Regulation - DMA View

• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable

• Needs to be a fair balance between privacy and legitimate business interests

• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacles to e-commerce jobs growth

• Will be particularly harmful to SMEs – MoJ says demonstrating compliance will cost £10m p.a.

• Hard to say how Commission’s estimate of 2.3 billion euro saving to businesses was calculated

Page 57: Legal and data protection update

Ministry of Justice

• Disagrees with Commission’s 2.3bn Euro savings – burdens imposed will far outweigh net benefits: UK cost estimated at £100-360 million

• Many unintended consequences, esp for SMEs

• Changes to consent, profiling & definition of personal data particularly costly to industry

• Likely knock-on effects for growth in technological sector and internet economy

• Regulatory Impact Assessment quotes DMA’s figures & examples

• Impact on behavioural advertising

• Creates unrealistic expectations for consumers – right to be forgotten (R2BF) proposal is “unworkable”

Page 58: Legal and data protection update

Lobbying activity

• In Brussels with key individuals in Council, Commission & Parliament, e.g. MEPs & advisers; party groups

• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury + Opposition spokesmen

• Alliance of interests – UK Data Group, FEDMA, CBI, etc. - for collective lobbying of Council and Parliament & lobbying directly where there is no national DMA

• Position papers on priorities for industry + draft amendments to text

• Research on consumer attitudes to privacy and on the economic value of the direct marketing industry

Page 59: Legal and data protection update

Data protection toolkit www.dma.org.uk/product/data-protection-toolkit

Page 60: Legal and data protection update

Contacts

James Milligan, Solicitor, DMA T - 020 7291 3347 [email protected]

Legal Advice Helpline T - 020 7291 3360 [email protected]


Page 61: Legal and data protection update

Data protection 2015

Friday 27 February 2015, 30 Euston Square

The DMA’s annual data summit returns to give you the lowdown on the latest developments on the draft EU Data Protection Regulation (DPR).

With 2015 promising to be a decisive year for the draft DPR, the DMA will provide you with the latest insight and analysis from the experts on what it will mean for your business when it comes into law.

Information Commissioner, Christopher Graham will be joined by a line-up of expert speakers from across the industry.

Book your place online – www.dma.org.uk/events