An Post & Data Ireland came together in January to host a breakfast event called ‘Speed Data’ - a 60-minute session that gave insight and practical know-how for Data Protection in Ireland. The event was a sell-out and the feedback was incredible.
The inimitable Linda NiChualladh gave a highly energised 60-minute presentation with practical information for marketers.
Due to the outstanding demand, we are delighted to host two more Speed Data sessions this year, with the most recent held on Wednesday 19 June.
Speed Data 2: The Birth of a Database
Over 150 marketers joined us at the Westbury Hotel for the second Speed Data Briefing to learn how to build a compliant database in just 60 minutes.
In less than one hour, we covered:
• How to ensure any of your existing databases are fully compliant with data protection laws
• How to acquire new customer details in accordance with regulations
• How to use third party information, and ensure it too is compliant
• The state of play in Brussels concerning the new data protection laws
• The impact of data protection laws and how to prepare for coming changes
• A marketing focused analysis of the DPC’s 2012 Annual Report
Speed Data 2 - The birth of a customer database
1. SPEED DATE
all you need is love?
Linda NiChualladh
Regulatory Counsel
An Post Group
2. WARNING!!!!! DISCLAIMER!!!!!
The content of my presentation does not constitute legal
advice nor does it purport to be legal advice.
The content of my presentation does not represent nor
does it purport to represent in any way the views,
opinions or positions of An Post, its board, directors or
staff.
Any mistakes, errors and/or ‘typos’ are my own, unless I
can attribute them to someone else!
ALWAYS ENSURE YOU GET YOUR OWN
INDEPENDENT LEGAL ADVICE SPECIFICALLY
TAILORED FOR YOUR COMPANY/BODY.
4. Fran’s Story
• Single. Wants to meet new people
• Fran gets information about other single
people:
– “Personal” ad
– Business contacts
– Online contacts
– Contacts from friends etc
5. LESSONS: DATING AND DATA
• Not all that different:
– Partnership
– Connection
– Relationship
– Trust
– Authenticity
– Exclusivity
7. LESSON: THINK LIKE PEOPLE
• People think like people
• The DPC thinks like people
• PURPOSIVE APPROACH
– Aka ‘Surprise!’
8. FRAN’S NEW BUSINESS VENTURE
• Was in IT but was fired
• Watched a lot of Dragon’s Den while
‘analysing the employment market’ at home
• Was always creative
• Living ‘organically’ and now ethically
• Made soap and bath accessories
• Some medicinal/wellness claims
• The Natural Soapy Accessories Company
9. The Natural Soapy Accessories Company
Getting closer to you without
you even noticing
10. Lessons learned.
• Fran looks at whether he needs to register as a data
controller
• He gets to grips with the lingo:
– What is personal data
– What is a data subject
– What is a data controller
– What is a data processor
– Who will he be working with and what DP ‘title’ will they
have?
– Does he have a privacy policy?
– Is worried about SARs ... But who wouldn’t be?!
• Did you do this amount of prep work?
11. Fran learned his lesson.......I hope
The five worst business database mistakes you can make -
By Frazer Hossack | Publication date: 30/01/2013 |
Category: Tactics > B-to-b focus
1. Not keeping it clean… 35% decay rate annually
2. Not planning ahead… do you have enough leads? Is it a relaunch?
3. Not looking to improve… it probably is broke and it ain’t good not to fix it
4. Not picking the right man for the job… so why not let women do it right?!
5. Not choosing the right data specialist…
Source: http://www.catalog-biz.com/tactics/The-five-worst-business-database-mistakes-you-can-make_4019.asp
12. Lessons learned:
• Do we need to bother about the data protection legislation? What impact could it have on us?
• What does registering ('notifying') involve?
• What are the penalties likely to be, if we haven't notified when we should have done?
• How do the authorities decide who gets 'assessed'?
• We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
• Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
• Some of our customer records are still held in paper form. Are they covered by the Data Protection Act?
• Do we really have to get our customers to agree that we can send them marketing information?
• Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
• What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
• If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
• If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
• Is there any problem over us monitoring our employees' use of office phones, internet access or email system?
• Do we have to provide employees (or customers) with copies of the information we hold on them?
• Do we have to provide former employees with copies of the references that we have given about them to third parties?
• We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
• We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
• Do we need to tell customers if we operate a CCTV system?
• We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
• What sort of penalties might we suffer for breaching the Data Protection Act?
http://www.lawdonut.co.uk/law/data-protection-and-it/data-protection/data-protection-20-faqs
13. Lessons learned: Creating a database
• What does Fran have in ways of contacts?
– Agency/ third party suppliers
– Electoral roll – edited
– Publicly available information
– Anyone who has given him information
– Businesses who agree to work with him
• Can NSA contact these contacts?
– Consent
– Legal right
– Legitimate purpose?
• LET’S DO THE CHECK: WHERE’S THE CONSENT? CAN HE
PROVE IT? LOOK AT HOW STRINGENT GERMAN DP LAWS ARE!
14. Beginning: Getting the Data
Middle: While you have the data
End: Disposing of data
• Inform and get consent
• Justification to process
• Respond to access requests
• Specify purpose
• Only gather what is required
• Keep accurate
• Keep secure and dispose securely
• Disclose only if compatible or allowable exception
• Have a retention policy
Source: www.dataprotection.ie DPC website
15. this option. For an electronic communication to a business, an option to unsubscribe must be included.
• Individual Customer
– Postal: Opt-Out
– Text/Email: Opt-Out (provided similar product or service)
– Phone Marketing to Landlines: Opt-Out
– Fax: Opt-Out
– Phone Marketing to Mobile Phones: Opt-Out
• Individual Non-Customer
– Postal: Opt-Out
– Text/Email: Opt-In
– Phone Marketing to Landlines: Opt-In if on NDD, Opt-Out otherwise
– Fax: Opt-In
– Phone Marketing to Mobile Phones: Opt-In
• Business Contacts (Customer & Non-Customer)
– Postal: Opt-Out
– Text/Email: Opt-Out
– Phone Marketing to Landlines: Opt-In if on NDD, Opt-Out otherwise
– Fax: Opt-In if on NDD, Opt-Out otherwise
– Phone Marketing to Mobile Phones: Opt-In
DON’T FORGET TO CHECK THE IDMA OPT-OUT LIST!
16. Lessons learned: Creating a database
• Who does NSA need to contact?
– Businesses
• Marketing
• Cloud providers
• Retail partners
• Service providers
– Customers
• New
• Existing
• Can NSA contact these contacts?
– Consent
– Legal right
– Legitimate purpose?
19. Lessons learned – creating a database
• What channels for contact?
– Leaflet drop
– Posters
– Radio
– Postal
• Addressed
• Unaddressed
– Social Media
– Email
– SMS
• Not really direct advertising?
– Competitions
– Special offers through voucher/discount channels
– Surveys/questionnaires
– Sponsorship
– Trade shows
• New cool advertising
– Like addressed mail but not
– No issues with DP because it’s unique addressing
23. FRAN’S MANTRA
DPC= Data Purpose Consent DPC= Data
Purpose Consent DPC= Data Purpose Consent
DPC= Data Purpose Consent DPC= Data
Purpose Consent DPC= Data Purpose Consent
DPC= Data Purpose Consent DPC= Data
Purpose Consent DPC= Data Purpose Consent
DPC= Data Purpose Consent DPC= Data
Purpose Consent DPC= Data Purpose Consent
DPC= Data Purpose Consent
24. Fran even gets to grips with other
regulatory laws/ codes
• Anything else I should consider?
– Are there regulatory rules that apply?
• Financial Products
• Consumer protection
– What is the nature of the contact?
• Health?
• Sensitive data?
25. External Contracts
• For your company to operate
– Procurement
– R&D
– Marketing
• For products/services you intend to offer for sale
– OUTSOURCING
– Hosting/cloud/IT
– Data management
• For customers
– What you will do with their information?
MANDATORY or VOLUNTARY
SECTORAL SPECIFIC RULES???
Nondisclosure Agreements
Confidentiality Agreements
Distribution Agreements
Supply Agreements
Licensing Agreements
Procurement Rules
IT Contracts
Hosting
Cloud
Support
BC/DR
User Agreements
Terms and Conditions
Policies
Statements
Receipts
Phone/online/hard-copy
26. Now understands contracts are in fact
‘biographies’
What type of clauses should I include?
Definitions
• (recitals)
• Scope/Services - Obligations
– Usually more detailed in the schedules
• The promises - obligations
– Data protection standards
– Indemnity
– Insurance
– Cooperation with NRAs/ breach
• The checks
– Audit/ Inspection/ reporting/ certificates/registration
• The punishment
– Liability
– Litigation
– Alternative dispute resolution
• The odd bits
– Third party beneficiary
– Severability
– Choice of law and jurisdiction
• THE END
– Termination
• AFTER THE END
– Post-termination
– Indemnity
– Liability
Remember the story you are telling:
What we do
What we promise to do
What we won’t do
What responsibilities we have/haven’t
got
What if it all goes wrong
Who can do what
IF YOU DO NOT UNDERSTAND THE
CONTRACT, HOW WILL YOUR
CUSTOMERS OR YOUR PARTNERS?
THIS IS NOT JUST A LEGAL MATTER.
THIS IS THE STORY OF HOW YOU DO
BUSINESS
29. No more of this
• Promotion
– Enter the competition to win SOMETHING
AMAZING!!!!!!!!!!!!!!!!
– All you need to do is fill out the form with your details
– Terms and Conditions apply
– Please tick here if you want to receive AMAZING
updates about more competitions and exciting stuff
from us
– NSA– Address – Contact -
• What does this allow you to do?
• If they don’t opt out...........
30. BUT MORE OF THIS
– Enter the competition to win SOMETHING AMAZING!!!!!!!!!!!!!!!!
– All you need to do is fill out the form with your details
– Terms and Conditions apply
– We will use your details for the purpose of administering the promotion
only
– Please
• Tick here if you don’t want to receive AMAZING updates about more
competitions and exciting stuff by post from Lindy Luck
• Tick here if you don’t want to receive stuff from Lindy Luck’s partners by post
• Tick here if you want to receive stuff from Lindy Luck by email
• Tick here if you want to receive stuff from Lindy Luck by SMS
• Tick here if you want to receive stuff from Lindy Luck’s partners by email
• Tick here if you want to be contacted by Lindy Luck by telephone
• Tick here if you don’t want to be contacted by Lindy Luck’s partners by telephone
• CLICK HERE or go to www.lindyluck.ll if you want to opt-out/ change preferences
at any time alternatively you can contact us at 1580 REALLY EXPENSIVE CALL
• Any Problems?
31. WIN BACKS
• If you want to contact a former customer
– Check if they have agreed to post-term contact
• You can specify this: “we would like to contact you about
new products and services during your time with us and
after......Please tick etc etc”
– AND: Follow specific sectoral rules/ time-limits
• Telecommunications
• Financial services
– No post-term contact?
• Choose a method that doesn’t require opt-in
• What method would that be?
32. Fran became THE ‘Rules’ guy?
• Obtain and process the information fairly
• Keep it only for one or more specified and lawful purposes
• Process it only in ways compatible with the purposes for which it was given
to you initially
• Keep it safe and secure
• Keep it accurate and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it no longer than is necessary for the specified purpose or
purposes
• Give a copy of his/her personal data to any individual, on request.
33. Please please please please Mr.
Postman
• “We have received several complaints
concerning communications from
NSA............... Under the DPA we are notifying
you of the commencement of an
investigation.......”
• Fran is shocked.
• What went wrong?
34. Complaints
• Addressed direct mail
– Letters destined for Mr. X at 1 Main St. were put
into envelopes for 2 Main Street. The whole
sequence out of synch
– Some people found out that other people had
eczema and dermatitis and used prescription-
drugs
– Some people got advertising offers for other
products that NSA liked but didn’t sell
37. Complaints
• Unnatural amount of text messages sent
• No consent for text messages
– Some sent by NSA
– Some sent by NSA’s service provider
• Other people being contacted by Consumer Information
Authority (CIA) conducting research interviews
• Fruity Beauty Inks (FBI) also contacting customers
– Fran has had on-going arguments with them. His former ‘friend’
who worked the market stall with them upped and left
• Emails about accounts with ‘NSA product placement’ on
the account data
38. Complaints
• Credit card receipts found flying around local
park
– Local authority also ‘doing’ him for illegal dumping
– He’s also being investigated for security breaches.
39. DPC 2012 Annual Report
Sharing personal data in the public sector
• “data sharing can bring benefits in terms of efficient
delivery of public services but cautions that it should be
done in a way that respects the rights of individuals to
have their personal data treated with care and not
accessed or used without good reason. ”
• Department of Social Protection INFOSYS database* :
Full audit report carried out
• Audit “uncovered significant breaches of the data
protection legislation in relation to access to and
governance of personal data”.
40. 2011 - Breakdown of complaints opened by data
protection issue
2011 Percentages Totals
Access Rights 48% 562
Electronic Direct Marketing 22% 253
Disclosure 10% 118
Unfair Processing of Data 6% 62
Unfair Obtaining of Data 4% 42
Use of CCTV Footage 3% 37
Failure to secure data 2% 25
Accuracy 1% 14
Excessive Data Requested 1% 14
Unfair Retention of Data 1% 12
Postal Direct Marketing 1% 11
Other 1% 11
TOTAL 100% 1161
Source: Annual Report 2011 – DPC Website
41. DPC ANNUAL REPORT 2012
Complaints
Table 1 Breakdown of complaints opened 2012/by DP issue*
Electronic Direct Marketing 44.93% 606
Access Rights 32.77% 442
Disclosure 7.86% 106
Unfair Processing of Data 2.59% 35
Unfair Obtaining of Data 0.96% 13
Use of CCTV Footage 2.37% 32
Failure to secure data 2.59% 35
Accuracy 1.41% 19
Excessive Data Requested 1.78% 24
Unfair Retention of Data 1.26% 17
Postal Direct Marketing 0.74% 10
Other 0.74% 10
TOTALS 100.00% 1349