An Introduction to Data Protection (London) - June 2015

Wednesday 10th June 2015 – DMA House, London
Janine Paterson, Solicitor & Legal Manager, DMA
An introduction to data protection

Agenda
8.30am Registration and welcome
9.00am Why is data protection important?
9.05am Understanding the law
The Data Protection Act 1998
Key terms
8 Principles
10.00am Break
The Privacy and Electronic Communications Regulation 2003
Key rules
Key points
10.30am Practical tips for marketers
10.50am Questions
11.00am Close

Why is it important?
• It helps us to protect information about ourselves and others
• It helps us avoid damage to the reputation of our organisation
• It makes good business sense – it can increase efficiency and
effectiveness
• It helps us avoid enforcement action by the Information
Commissioner
– both employers and employees can be prosecuted
– companies can face a monetary penalty of up to £500,000 for
major breaches

Agenda
8.30am Registration and welcome
9.00am Why is data protection important?
The Data Protection Act 1998
Key terms
8 Principles
10.00am Break
The Privacy and Electronic Communications Regulation 2003
Key rules
Key points
10.30am Practical tips for marketers
10.50am Summary and questions
11.00am Close

Understanding the law 1
• Data Protection Act 1998 (DPA)
– Came into force 1 March 2000
– Replaced 1984 Act
– Covers doing anything with data
– Applies electronic records and some manual records

Key terms
• Personal data
– any data that can be used to identify a living individual
– Examples of personal data can include:
• Name and address
• Email address (even business email addresses if they are non generic)
• Name and telephone number
• Photographs
– Only personal data is protected by the DPA
• Sensitive personal data
– any data relating to:
• Health
• Race or ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership
• Sex life
• Criminal proceedings or convictions

Key terms
• Processing
– obtaining, recording or holding information or carrying out any
operation on the information including
• Organising
• Adapting
• Retrieving
• Disclosing
• Blocking
• Destroying
• Data subject
– a living identifiable individual to whom the personal data relates

Key terms
• Data controller
- Determines how data will be used
- Usually owns or rents the data (may be done by 3rd party on their
behalf)
- Required to notify (register) as a controller with the ICO
- May be fined by ICO if any data breaches arise
• Data processor
- Processes data on behalf of controller or other processor
- Processing can be anything from data storage to
advanced data manipulation and modelling
- Includes companies that manage / broker / collect data on
behalf of others

The 8 principles
• Fairly and lawfully collected
• Processed for specified and limited purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Not kept for longer than necessary
• Processed in accordance with Individuals’ rights
• Security – appropriate technical and organisational measures
• Not transferred outside the European Economic Area (EEA) unless
adequate protections are in place
• (EEA: The 28 member states of the EU, plus Iceland, Liechtenstein
and Norway)

Principle 1: Fairly and lawfully
collected
• Fair processing information provided
• Organisation’s identity given
• Purpose of collection made clear
• Further information necessary
• Correct permissions obtained
- Implied consent: opt-out mechanism provided
- Express consent: opt-in mechanism provided
• Sensitive personal data only captured if strictly necessary

Principle 2: Processed for limited
purposes
• Only process data for the purpose(s) you told the individual
• Make the purpose(s) clear at the point of data collection
• Change of circumstances – what happens to the data then?
• Subsequent use of data for direct marketing purposes
• Data cleansing – regular and ad hoc

Principle 3: Adequate, relevant and
not excessive
• Minimum amount of information required
• Additional information for specific individuals
• Collect data that you will use now
• Collection of data that ‘may be useful’ in the future is not permitted

Principle 4: Accurate and kept up to
date
• Take reasonable steps to ensure accuracy (but what is ‘reasonable’?)
• Ensure data is not incorrect or misleading
• Undertake regular data cleansing
• Clean data against the relevant preference service files and other
appropriate cleansing files

Principle 5: Not kept for longer than
necessary
• Keep for as long as purpose collected for
• Suppression lists

Principle 6: Processed in
accordance with the right of data
subjects
• Subject access requests
• ‘Where did you get my data from?’
• Right to prevent direct marketing
• Customer service / legally required communications – no opt-out
provision required
• Right to have inaccurate data corrected

Principle 7: Technological and
organisational security
• Data security must be appropriate – take account of:
– Current state of technological development
– Cost of implementing security measures
– Potential harm that could result from a data breach
– Nature of data to be protected – non/sensitive?
• Need for risk assessment and risk management techniques
• Record your findings and assessments

Principle 7: Technological and
organisational security (continued)
• Ensure adequate organisational data security measures
• Prevent unauthorised as well as unlawful processing or disclosure of
data
• Security measures by data controller and data processor
• Data processing and transfer agreements in place
• Staff training
• Data access on a ‘need to know’ basis – individual log-ins only
• Secure disposal of data – internally/externally - keep records

Principle 8: Processed within the
EEA unless adequate protection in
place
• Data can be freely transferred within the EEA (providing data transfer
agreements are in place)
• Do not transfer data unless the country (destination and countries
data is routed via) have an adequate level of data protection
• Need to inform individuals before transferring their data outside the
EEA but do not need their consent

Understanding the law 2
• Privacy and Electronic Communications Regulations 2003 (PECR)
– Came into force 11 December 2003
– Covers electronic communications – email, telephone, SMS

Key rules
• Sender must not conceal their identity
• Communication must have valid address where opt-outs can be sent
• Opt-in required for individuals (B2C)
• Soft opt-in/existing customer exemption – available:
– When you are collecting the address/mobile number in the sale or
negotiations for the sale of a product or service;
– You only send communications about similar products and
services;
– You provided an opportunity at time of collection to opt-out.

Key points
• Existing customer exemption: Not an excuse for unsolicited contact
where correct permissions were never obtained
• B2B – Opt-out and marketing message needs to directly relate to the
work they do.
• Subject headers in emails must be clear and accurate
• Free and simple-to-use opt-out method must always be provided
• Action unsubscribe requests promptly – add to internal suppression
file
• Maintain different flags for different types of communication – helps to
avoid general opt-outs for all channels

Practical tips for marketers
• Data capture forms
• Marketing permissions
• Sourcing data
• Regaining lost permission

Data capture forms
• Key information to include;
– Why the data is being requested
– What the data will be used for
– Provision of an opt-in/out for marketing
– Marketing channels to be used
– Link to privacy policy
• Key information to include in privacy policy
– How the data subject can opt-out of marketing
– If the data will be processed outside the EEA
– How long the data will be kept for
– How to make a subject access request
– How to make a complaint regarding use of data

Marketing permissions
Own marketing 3rd party marketing Own marketing 3rd party marketing
Mail opt-out
opt-out (MPS
screening) opt-out opt-out
Telephone opt-out
opt-out (TPS
screening) opt-out
opt-out (TPS/ CTPS
screening)
Email
opt-in/ soft opt-
in opt-in
opt-in (unless
corporate
subscriber
exemption)
opt-in (unless
corporate subscriber
exemption)
SMS
opt-in/ soft opt-
in opt-in opt-in opt-in
Fax opt-in opt-in opt-out
opt-out (FPS
screening)
B2C B2B

Sourcing data/ due diligence
• Who compiled the list? When? Has it been amended or updated
since?
• When was consent obtained?
• Who obtained consent and what was the context?
• Was it opt-in or opt-out?
• Was information provided clearly and intelligibly? How was it
provided?
• Did it list organisations by name, by description, or any third party?

Regaining lost permissions
• Why was permission lost:
– Poor customer service?
– Poor communications timing?
– Inappropriate offers?
– In-house technical issues – permissions not recorded on CRM
system
• Revalidation exercise – obtaining up-to-date data
• Can very occasionally include request regarding marketing update in
a service message providing it is a minor part of the message
• If you have only lost permission for certain channels, contact via
another channel to update permissions

Data protection toolkit
www.dma.org.uk/product/data-protection-toolkit

Contacts
Janine Paterson, Solicitor & Legal Manager, DMA
T - 020 7291 3347
janine.paterson@dma.org.uk
Legal Advice Email Box
legaladvice@dma.org.uk

An Introduction to Data Protection (London) - June 2015

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à An Introduction to Data Protection (London) - June 2015

Similaire à An Introduction to Data Protection (London) - June 2015 (20)

Plus de Rachel Aldighieri

Plus de Rachel Aldighieri (20)

Dernier

Dernier (20)

An Introduction to Data Protection (London) - June 2015