Agency CEO Paul explores GDPR and the opportunity it presents for brands and marketers, as well as how those using Sitecore can tackle the regulation in versions 8 and 9.
6. @SagittariusMktg
endorsement.
Southern Marketing Business of the Year 2013, 14, 15 & 16
Best Sports Travel & Tourism 2014
Best Tour Operator Website 2014, 2016 & 2017
8. before I start… a disclaimer
The information provided and the opinions expressed in this
presentation represent the views of the presenter(s). They do not
constitute legal advice and cannot be construed as offering
comprehensive guidance to the Data Protection Act 1998, Privacy &
Electronic Communications (EC Directive) Regulations 2003, the
General Data Protection Regulation or any other statutory measures
referred to in the course of the presentation or subsequent Q&A.
11. GDPR: what is it?
General Data Protection Regulation
The EU General Data Protection Regulation (GDPR)
replaces the Data Protection Directive 95/46/EC and
was designed to harmonise data privacy laws across
Europe, to protect and empower the data privacy of everyone
in the EU (it applies to data subjects who are in the Union,
not only to EU citizens) and to reshape the way organisations
across the region approach data privacy.
12. GDPR: what is it?
Data Protection Act 1984
Data Protection Directive 1995 (95/46/EC)
Data Protection Act 1998
ePrivacy Directive 2002
ePrivacy Directive 2012
General Data Protection Regulation (GDPR)
Adopted: 27 April 2016
In force: 24 May 2016 (twenty days after publication in the Official Journal on 4 May 2016)
Applies from: 25 May 2018
13. why is it different?
GDPR makes it clear that the data subject owns
any data which describes or identifies them.
They have the right to determine how it is used,
to check it and to withdraw it.
Anyone who handles this data is held accountable
and must be able to demonstrate how they protect
it and what they do with it.
15. 12 steps to take now
Preparing for the General Data Protection Regulation (GDPR)
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales (one month under GDPR, rather than the 40 days allowed by the Data Protection Act 1998) and provide any additional information.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
17. what is legitimate interest?
six grounds of lawfulness:
consent for specific purposes
controller's legitimate interests
contractual necessity
controller bound by legal obligation
protect vital interests
public interest, official duty
18. privacy notices and consent.
consent is one of the six grounds
it must be freely given, specific, informed and unambiguous; explicit consent is required for special categories of data (Article 9)
19. consent.
If consent is given in the context of a written declaration which also
concerns other matters, the request for consent shall be presented
in a manner which is clearly distinguishable from the other matters,
in an intelligible and easily accessible form,
using clear and plain language. (Article 7(2))
20. consent.
When assessing whether consent is freely given, utmost
account shall be taken of whether, inter alia, the performance
of a contract … is conditional on consent to the processing
of personal data that is not necessary for the performance of
that contract. (Article 7(4))
21. do we have to re-consent?
(Recital 171)
Processing already under way on the date of application of this Regulation
should be brought into conformity with this Regulation within the period of
two years after which this Regulation enters into force, i.e. by 25 May 2018.
Where processing is based on consent pursuant to Directive 95/46/EC, it is
not necessary for the data subject to give his or her consent again if the
manner in which the consent has been given is in line with the conditions
of this Regulation.
27. be transparent & honest.
what information is being collected?
who is collecting it?
how is it collected?
why is it being collected?
how will it be used?
who will it be shared with?
how can it be withdrawn?
what will be the effect of this on the individuals concerned?
is the intended use likely to cause individuals to object or complain?
33. the right to erasure.
"the right to be forgotten"
easy to withdraw: tell people they have the right to withdraw their
consent at any time, and how to do this. It must be as easy to
withdraw as it was to give consent. This means you will need to
have simple and effective withdrawal mechanisms in place.
if a controller has no reason to process data then the 'data subject'
is entitled to have the data deleted
34. what do you mean delete?
the data subject's personal identity
where is that data?
even the backups
including third parties
if you process personal information online, for example on social
networks, forums or websites, you must endeavour to comply
35. automated profiling.
When does the right apply? (Article 22)
Individuals have the right not to be subject to a decision when:
it is based solely on automated processing; and
it produces a legal effect or a similarly significant effect on the individual.
You must ensure that individuals are able to:
obtain human intervention;
express their point of view; and
obtain an explanation of the decision and challenge it.
36. automated profiling.
The GDPR defines profiling as any form of automated processing
intended to evaluate certain personal aspects of an individual, in
particular to analyse or predict their:
performance at work;
economic situation;
health;
personal preferences;
reliability;
behaviour;
location; or
movements.
38. a fantastic opportunity to:
get data 'in order'
build the business case
improve data security
digital transformation
improve client understanding/empathy
improve customer experience (give/get exchange)
build trust
beat the competitors
52. data breach notification.
A personal data breach means a breach of security leading to the
destruction, loss, alteration, unauthorised disclosure of, or access
to, personal data - this means that a breach is more than just losing
personal data
when, how and to whom?
breaches occur - there are no 100% secure systems
notify the supervisory authority within 72 hours of becoming aware of the breach (unless it is unlikely to pose a risk to individuals), and tell the affected individuals without undue delay where the risk to them is high
who will supervise/enforce?
robust breach detection, investigation and internal reporting procedures
data protection by design and by default – e.g. encryption, which also means affected individuals need not be notified if the data is unintelligible to whoever obtained it
57. no shortcuts.
needs technical, marketing, business strategy & legal expertise
all your suppliers (processors) need to be compliant
employee training
policies on websites
user experience and forms need to be updated
get legal advice
68. the big issue.
currently neither Sitecore 8.x nor 9.x has
any standalone user tools to facilitate:
the right to erasure (to be forgotten)
the right to data portability
70. what is it?
it is a user anonymiser and extraction tool
it is accessed via a new button in the Sitecore Launchpad
it enables you to search both xDB and List Manager
it enables you to anonymise a user's data
it enables you to extract what PII data you are storing
73. how does it work?
it searches the core database, the MongoDB (xDB) and List Manager
it anonymises a user's personal information
in MongoDB and core we update the contact information, and any populated
custom fields are blanked out
the user is NOT deleted, so all transaction references and analytics remain
List Manager uses the built-in Sitecore unsubscribe method,
removing that email address from each list it appears in
the export button serialises all the data which is available via
the Sitecore calls to a JSON file
note that this covers the live stores only: backups and data already passed
to third parties (see "what do you mean delete?" above) still have to be handled separately
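The search, anonymise, unsubscribe and export steps described above, as an added example in plain Python (this is not the Sagittarius module or a Sitecore API: the contact and list structures, the `PII_FIELDS` tuple and all function names are assumptions, and the `CONTACTS` and `LISTS` records are constructed sample data). It also adds the check a practitioner wants after an erasure request: a scan of the surviving record for any of the original identifying values.

```python
"""Anonymise-and-export flow for a contact store, modelled on the module
described above. Added example, not the Sagittarius module or a Sitecore API:
contact/list shapes, PII_FIELDS and all function names are assumptions, and
CONTACTS / LISTS are constructed sample data."""
import json
import secrets
from copy import deepcopy

# Constructed sample contact: identity, free-text custom facets and the
# analytics/transaction references that must survive erasure.
CONTACTS = {
    "contact-0001": {
        "identifiers": {"email": "jane.doe@example.com"},
        "personal": {"first_name": "Jane", "surname": "Doe", "phone": "+44 1234 567890"},
        "custom_facets": {"loyalty_number": "LTY-88231", "notes": "Prefers late flights"},
        "interactions": [{"id": "int-1", "page_views": 12}],
        "orders": ["ORD-1001", "ORD-1042"],
    },
}
# Constructed marketing lists: list name -> subscribed addresses.
LISTS = {
    "newsletter": {"jane.doe@example.com", "bob@example.org"},
    "offers": {"jane.doe@example.com"},
}
PII_FIELDS = ("first_name", "surname", "phone")  # assumption: the fields to overwrite
REDACTED = "[anonymised]"


def find_contact_by_email(contacts, email):
    """Search step: locate the contact whose e-mail identifier matches (case-insensitive)."""
    needle = email.strip().lower()
    for cid, contact in contacts.items():
        if contact["identifiers"].get("email", "").lower() == needle:
            return cid
    return None


def export_contact(contacts, lists, email):
    """Portability step: gather everything held about the subject, or None if unknown."""
    cid = find_contact_by_email(contacts, email)
    if cid is None:
        return None
    record = deepcopy(contacts[cid])  # never hand out live references
    record["list_memberships"] = sorted(
        name for name, members in lists.items()
        if email.lower() in {m.lower() for m in members}
    )
    return {"contact_id": cid, "data": record}


def export_contact_json(contacts, lists, email):
    """Serialise the export to JSON in a stable, machine-readable form."""
    return json.dumps(export_contact(contacts, lists, email), indent=2, sort_keys=True)


def anonymise_contact(contacts, lists, email, pseudonym=None):
    """Erasure step: overwrite PII and blank custom facets; the record and its
    order/interaction references are kept, so reporting still adds up."""
    cid = find_contact_by_email(contacts, email)
    if cid is None:
        raise KeyError(f"no contact for {email}")
    # A random, unrecorded token: nothing links the anonymised row back to the person.
    pseudonym = pseudonym or secrets.token_hex(8)
    contact = contacts[cid]
    contact["identifiers"]["email"] = f"anon-{pseudonym}@invalid"
    for field in PII_FIELDS:
        if field in contact["personal"]:
            contact["personal"][field] = REDACTED
    # Blank rather than delete custom facets, so the stored schema stays valid.
    contact["custom_facets"] = {key: "" for key in contact["custom_facets"]}
    # List-manager step: unsubscribe the address from every list it appears in.
    removed_from = []
    for name, members in lists.items():
        hits = {m for m in members if m.lower() == email.lower()}
        if hits:
            members.difference_update(hits)
            removed_from.append(name)
    return {"contact_id": cid,
            "removed_from_lists": sorted(removed_from),
            "orders_retained": len(contact["orders"])}


def residual_pii(record, original_values):
    """Verification step: original PII values still present anywhere in the record.
    Run this after anonymising; an empty list is the evidence to keep on file.
    It only covers the live store, not backups or data already shared."""
    blob = json.dumps(record, sort_keys=True)
    return [value for value in original_values if value in blob]


if __name__ == "__main__":
    print(export_contact_json(CONTACTS, LISTS, "jane.doe@example.com"))
    print(anonymise_contact(CONTACTS, LISTS, "jane.doe@example.com"))
    print("residual PII:", residual_pii(CONTACTS["contact-0001"],
                                        ["Jane", "Doe", "jane.doe@example.com"]))
```

Run the export before the anonymisation, as the script does: once the identifiers have been overwritten the contact can no longer be found by the address the data subject gave you, which is exactly the property the erasure step is meant to achieve, and the `residual_pii` result is what you attach to the ticket to show the request was fulfilled.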
74. Sitecore 8 & 9?
this tool is built primarily for any version of Sitecore 8.x
with Sitecore 9.x the methods are still supported
Sitecore 9 has additional new methods to achieve the same result
75. how will Sitecore 9 help more?
still no CMS interface
new methods via xConnect
expects your CRM to be the 'controller' of customer data
data in transit is encrypted (xConnect requires HTTPS and client certificates); encryption at rest depends on how you configure the underlying databases and storage
new 'Personally Identifiable Information' configuration options
78. what does it cost?
on-boarding
upgrade to 8+
install our GDPR User Data module – 2 days
custom configuration of extract tool – 1-3 days
QA, test and deploy