Wednesday 29 April 2015, Tangible Barge

James Milligan, Solicitor, DMA

@DMA_UK #dmadata

An introduction to data protection

Agenda1.00 pm Registration

1.30 pm Welcome and why is data protection important?

1.35 pm Understanding the law

The Data Protection Act 1998

Key terms

8 Principles

2.40 pm Break

3.00 pm Understanding the law

The Privacy and Electronic Communications Regulation 2003

Key rules

Key points

3.30 pm Practical tips for marketers

3.50 pm Summary and questions

4.00 pm Close

Why is it important?

• It helps us to protect information about ourselves and others

• It helps us avoid damage to the reputation of our organisation

• It makes good business sense – it can increase efficiency and

effectiveness

• It helps us avoid enforcement action by the Information

Commissioner

– both employers and employees can be prosecuted

– companies can face a monetary penalty of up to £500,000

for major breaches

Understanding the law - DPA

• Data Protection Act 1998 (DPA)

– Came into force 1 March 2000

– Replaced 1984 Act

– Covers doing anything with data

– Applies electronic records and some manual records

Key terms• Personal data

– any data that can be used to identify a living individual

– Examples of personal data can include:

• Name and address

• Email address (even business email addresses if they are non generic)

• Name and telephone number

• Photographs

– Only personal data is protected by the DPA

• Sensitive personal data

– any data relating to:

• Health

• Race or ethnic origin

• Political opinions

• Religious beliefs

• Trade union membership

• Sex life

• Criminal proceedings or convictions

Key terms

• Processing

– obtaining, recording or holding information or carrying out any

operation on the information including

• Organising

• Adapting

• Retrieving

• Disclosing

• Blocking

• Destroying

• Data subject

– a living identifiable individual to whom the personal data relates

Key terms

• Data controller

- Determines how data will be used

- Usually owns or rents the data (may be done by 3rd party on their

behalf)

- Required to notify (register) as a controller with the ICO

- May be fined by ICO if any data breaches arise

• Data processor

- Processes data on behalf of controller or other processor

- Processing can be anything from data storage to

advanced data manipulation and modelling

- Includes companies that manage / broker / collect data on

behalf of others

Determining whether data controller or

data processor

• Look at activities each party is carrying out

• Data Controller – over-arching decisions

• Data Processor – freedom to use technical knowledge

• If both parties working well together and dealing with data protection

compliance – no real issues

• Important to determine for when things go wrong e.g. data breach

• Establish roles and responsibilities before work starts

• Obligations of both parties under DPA 1998

• Need for operational guidance behind data processing contract

• Remember that a data processor will also be a data controller in

respect of own employees.

The 8 principles

• Fairly and lawfully collected

• Processed for specified and limited purposes

• Adequate, relevant and not excessive

• Accurate and kept up to date

• Not kept for longer than necessary

• Processed in accordance with Individuals’ rights

• Security – appropriate technical and organisational measures

• Not transferred outside the European Economic Area (EEA)

unless adequate protections are in place

• (EEA: The 28 member states of the EU, plus Iceland,

Liechtenstein and Norway)

Principle 1: Fairly and lawfully collected

• Fair processing information provided

• Organisation’s identity given

• Purpose of collection made clear

• Further information necessary

• Correct permissions obtained

- Implied consent: opt-out mechanism provided

- Express consent: opt-in mechanism provided

• Sensitive personal data only captured if strictly necessary

Principle 2: Processed for limited

purposes

• Only process data for the purpose(s) you told the individual

• Make the purpose(s) clear at the point of data collection

• Change of circumstances – what happens to the data then?

• Subsequent use of data for direct marketing purposes

• Data cleansing – regular and ad hoc

Principle 3: Adequate, relevant and

not excessive

• Minimum amount of information required

• Additional information for specific individuals

• Collect data that you will use now

• Collection of data that ‘may be useful’ in the future is

not permitted

Principle 4: Accurate and kept up to

date

• Take reasonable steps to ensure accuracy (but what

is ‘reasonable’?)

• Ensure data is not incorrect or misleading

• Undertake regular data cleansing

• Clean data against the relevant preference service

files and other appropriate cleansing files

Principle 5: Not kept for longer than

necessary

• Keep for as long as purpose collected for

• Suppression lists

Principle 6: Processed in accordance

with the right of data subjects

• Subject access requests

• ‘Where did you get my data from?’

• Right to prevent direct marketing

• Customer service / legally required communications –

no opt-out provision required

• Right to have inaccurate data corrected

Principle 7: Technological and

organisational security

• Data security must be appropriate – take account of:

– Current state of technological development

– Cost of implementing security measures

– Potential harm that could result from a data breach

– Nature of data to be protected – non/sensitive?

• Need for risk assessment and risk management techniques

• Record your findings and assessments

Principle 7: Technological and

organisational security

• Ensure adequate organisational data security measures

• Prevent unauthorised as well as unlawful processing or disclosure of data

• Security measures by data controller and data processor

• Data processing and transfer agreements in place

• Staff training

• Data access on a ‘need to know’ basis – individual log-ins only

• Secure disposal of data – internally/externally - keep records

Principle 8: Processed within the EEA

unless adequate protection in place

• Data can be freely transferred within the EEA (providing

data transfer agreements are in place)

• Do not transfer data unless the country (destination and

countries data is routed via) have an adequate level of

data protection

• Need to inform individuals before transferring their data

outside the EEA but do not need their consent

Understanding the law - PECR

• Privacy and Electronic Communications Regulations 2003

(PECR)

– Came into force 11 December 2003

– Covers electronic communications – email, telephone,

SMS

Nuisance calls

• 2013 2 parliamentary inquiries

– All Party Parliamentary Group on Nuisance Calls

– Commons Select Committee on Culture Media and Sport

• 2014 Government Published Nuisance Call Action Plan

• Which? Taskforce on Consent

• Govt. consultation end of 2014 on lowering threshold

– Need for significant damage and distress

– 3 options in consultation paper

• Option 1- do nothing

• Option 2 – annoyance, inconvenience or anxiety

• Option 3- remove existing legal threshold

– Govt. opted for option 3

Nuisance calls

• Threshold may have been removed but still have to

prove serious contravention and criminal

negligence on the part of the organisation

• In force since April 6 2015 – applies to activities

after this date

• 2015 Budget – £ 3.5 million to be invested in ways

to protect vulnerable consumers from nuisance

calls

Key rules

• Sender must not conceal their identity

• Communication must have valid address where opt-outs can

be sent

• Opt-in required for individuals (B2C)

• Soft opt-in/existing customer exemption – available:

– When you are collecting the address/mobile number in the

sale or negotiations for the sale of a product or service;

– You only send communications about similar products and

services;

– You provided an opportunity at time of collection to opt-out.

Key points• Existing customer exemption: Not an excuse for unsolicited contact

where correct permissions were never obtained

• B2B – Opt-out and marketing message needs to directly relate to the

work they do.

• Subject headers in emails must be clear and accurate

• Free and simple-to-use opt-out method must always be provided

• Action unsubscribe requests promptly – add to internal suppression

file

• Maintain different flags for different types of communication – helps to

avoid general opt-outs for all channels

Practical tips for marketers

• Data capture forms

• Marketing permissions

• Sourcing data

• Regaining lost permission

Data capture forms

• Key information to include;

– Why the data is being requested

– What the data will be used for

– Provision of an opt-in/out for marketing

– Marketing channels to be used

– Link to privacy policy

• Key information to include in privacy policy

– How the data subject can opt-out of marketing

– If the data will be processed outside the EEA

– How long the data will be kept for

– How to make a subject access request

– How to make a complaint regarding use of data

Marketing permissions

Own marketing 3rd party marketing Own marketing 3rd party marketing

Mail opt-out

opt-out (MPS

screening) opt-out opt-out

Telephone opt-out

opt-out (TPS

screening) opt-out

opt-out (TPS/ CTPS

screening)

Email

opt-in/ soft opt-

in opt-in

opt-in (unless

corporate

subscriber

exemption)

opt-in (unless

corporate subscriber

exemption)

SMS

opt-in/ soft opt-

in opt-in opt-in opt-in

Fax opt-in opt-in opt-out

opt-out (FPS

screening)

B2C B2B

Sourcing data/due diligence

• Who compiled the list? When? Has it been

amended or updated since?

• When was consent obtained?

• Who obtained consent and what was the context?

• Was it opt-in or opt-out?

• Was information provided clearly and intelligibly?

How was it provided?

• Did it list organisations by name, by description, or

any third party?

Regaining lost permissions

• Why was permission lost:

– Poor customer service?

– Poor communications timing?

– Inappropriate offers?

– In-house technical issues – permissions not recorded on

CRM system

• Revalidation exercise – obtaining up-to-date data

• Can very occasionally include request regarding marketing

update in a service message providing it is a minor part of the

message

• If you have only lost permission for certain channels, contact

via another channel to update permissions

Data protection toolkitwww.dma.org.uk/product/data-protection-toolkit

Summary and questions

Contacts

James Milligan

DMA Solicitor

T - 020 7291 3347

james.milligan@dma.org.uk

Legal Advice Email Box

legaladvice@dma.org.uk