Are we sharing more data than ever before?

May 2021

During lockdown and the subsequent gradual re-opening, there’s been a significant increase in the number of online forms we have to fill in.

Going out for dinner, entering a pub, getting your Covid vaccination, health forms for osteopaths, forms for dentists, hairdresser appointments forms – the list goes on.

The fact is everywhere we go right now seems to involve filling in an online form. And sometimes this includes collecting sensitive health-related information.

Inevitably all these forms are online, to save us catching the lurgy from pencils, pens or pieces of paper!

As collectors and consumers of these forms what should we be concerned about?

1. What data is being collected? It should be limited to what is needed to do the job and no more!

2. Why’s it needed? It should be clearly explained to the customer, event attendee, patient (and so on) why this information is required.

3. How long will it be kept? If visiting the pub, it will only be needed for track and trace purposes, so should be securely deleted after 21 days (under England guidelines). If it’s a trip to the dentist, is it clear this information is being added to your health file or not?

4. What will it be used for? In certain obvious instances data will be collected for health screening purposes. The key question is to establish whether there’s any reason to retain the information after the check-in moment.

5. What other purposes is data collected for? Often pubs or restaurants may ask people to register with their app for table service. As part of this service there may be a request to create an account. Any marketing permissions should be separate and should not be a condition of registering.

6. What privacy notices are displayed? It should be easy to access further privacy information.

7. Is the form secure? Many organisations, especially smaller ones such as beauticians and hairdressers, are likely to be using a third party’s software to create the form. Such providers should be subject to a level of scrutiny. Remember the data breach from Typeform in 2018? In their case they hadn’t synchronised back-ups with clients and had retained large quantities of personal data. Lots of companies’ customer and other personal data was affected.

In addition to the above, there’s also the scanning of the Government app QR codes. After a couple of false starts, the NHS app is starting to look like a useful resource. It will store Covid test results, a record of vaccinations, as well as other test and trace information. Is it clear how long this is kept for and under what lawful basis?

What about data sharing? The government has been free with public interest as their lawful basis for collecting and sharing data. We have no idea how much has been shared and also no real idea as to how useful this sharing has been.

In conclusion, the pandemic has been extremely good cover for an explosion in data capture and, given the public health card has been played so many times, no-one really knows how much data is being retained.


Data protection team over-stretched? Get in touch to find out more about how we can help with no-nonsense, practical privacy advice and support. Contact us

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how we use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes, they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list-based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDPB) suggests in its August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain the three conditions that must be met for Legitimate Interests:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that the CJEU has previously specified that, in a situation of joint controllership (as there might be with a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trail blazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA):

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media. We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued people nowadays expect to see relevant advertising when they browse social media and that ads which are relevant to their interests have got to be better than untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, inappropriate or unlawful ways, especially where individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit your interests and other categories used by advertisers to reach you
  • find out who’s targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products & services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer / supporter complaints which might arise from social media targeting, as if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information. Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!


If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch – Contact Us

Data breaches: Why humans are our weakest link

April 2021

Ever felt the sense of impending doom after you realise you’ve left your laptop in the pub? Or, possibly worse, on the 16.43 from Waterloo?

Have you suffered the embarrassment of emailing an attachment to the wrong person? Have you ever absent-mindedly clicked on a link in a fake email?

If you have, you’re not alone. Welcome to a not even remotely exclusive club.

In our recent survey of DPN subscribers, 69% of respondents said they’d suffered a personal data breach in the past 12 months. Of these a whopping 90% said those breaches were caused by human error.

We asked what types of mistake people had made which led to a data breach. The following clear themes emerged:

  • Email containing personal data sent to the wrong recipients
  • Incorrectly spelling email recipients and disclosing personal data in error to the wrong person
  • Forwarding attachments with personal data in error
  • Following links in a phishing email
  • Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)

It’s clear our email activities are the DPO’s biggest headache, and the area where people are most likely to act in haste and make a mistake.

Given the torrent of emails most of us handle on a weekly basis, maybe it’s not much of a surprise.

Is an email error a data breach?

An interesting question has been raised recently about whether incorrectly disclosing personal data via email is actually a personal data breach or not.

In a recent ruling, the Belgian Data Protection Authority concluded that mistakenly sending an email (which in the case in point meant personal data was disclosed to the wrong recipient) did NOT represent a data breach.

The Belgian DPA said a personal data breach could only occur as a result of a breach of security controls. In this case, security controls had not been breached.

Happy days! Do we no longer need to log (or in some cases notify) all those email errors?

Hmmm, I’m not so sure.

This got me thinking, why is human error cited in every breach report as one of the major causes of personal data breaches?

Data breaches: What does the ICO say?

The UK Information Commissioner’s Office has detailed data breach guidance in which it states:

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

The ICO goes on to provide some examples:

Personal data breaches can include:

      • access by an unauthorised third party;
      • deliberate or accidental action (or inaction) by a controller or processor;
      • sending personal data to an incorrect recipient;
      • computing devices containing personal data being lost or stolen;
      • alteration of personal data without permission; and
      • loss of availability of personal data.

Clearly the UK Regulator does consider ‘sending personal data to an incorrect recipient’ as a personal data breach. After all, data has been provided to someone who shouldn’t have received it. Surely how it happened is, to a certain extent, academic?

I’m reminded of an embarrassing case from a couple of years ago, where a sexual health clinic mistakenly divulged sensitive personal details when recipients were cc’d rather than blind copied.

The clinic received some very unwelcome publicity and was fined by the ICO (albeit a small amount as they were ‘an unincorporated association rather than a full, money-making charity’).

Data breaches: What does the EDPB say?

Earlier this year the European Data Protection Board helpfully published data breach notification examples. These cover a number of different scenarios, including:

  • Stolen material storing non-encrypted personal data
  • Stolen paper files with sensitive data
  • Snail mail mistake
  • Personal data sent by mail by mistake

I’m therefore minded not to dwell on the Belgian DPA ruling, and will continue to consider disclosing personal data via email in error as a data breach (which may or may not be notifiable depending on the level of risk posed).

Although I’m not a lawyer, I do wonder if the Belgian DPA’s decision is perverse. Perhaps other cases passing through the same courts may end up revising the Belgian finding, and it’s certainly one to keep an eye on.

What keeps you awake at night?

In our DPN survey we also asked, ‘when thinking about data breaches, what worries you the most?’. The following common worries were most apparent:

  • Reputational damage
  • Staff not reporting mistakes quickly enough
  • Staff not reporting their mistakes at all
  • Legal action by affected data subjects
  • Customer data being used for fraud / other harm caused to data subjects
  • Timescale challenges
  • Not being aware a serious incident has occurred

Clearly staff not reporting mistakes is a worry. Unfortunately, humans make errors and are tempted to cover them up. As my mother taught me as a child, this seldom ends well!

Quite often it’s not the mistakes that become the biggest problem, it’s attempts to conceal them. Politicians of all stripes, I’m looking at you!

To this point I favour stressing, in any awareness campaigns and in data incident policies: ‘We know people make mistakes, but you must report them.’ (It might help).

A culture that treats mistakes as learning opportunities strikes me as more likely to pick up on errors.

How do we combat human error?

We’ve all rushed to meet a deadline (or finish stuff before we go on leave) and we’ve all had moments where our concentration lapses – we can’t prevent this.

The message just needs to be repeated over and over again, we need to take care.

Regular data protection training is important, but so is reinforcing this message with ongoing awareness efforts – intranet alerts, eye-catching posters in lifts, including data protection awareness in appraisals… whatever it takes.

I will also point out that the Regulators are humans too; they understand mistakes happen no matter how much you try to avoid them. What they want to see is clear evidence that you’ve made a concerted effort to make people aware and reduce the likelihood.

The ICO’s investigation into a data breach at Heathrow Airport in 2017 found the Airport had failed not only ‘to ensure that the personal data held on its network was properly secured’ but that it had also failed ‘to provide any, or any sufficient training in relation to data protection and information security.’

It is highly likely the fine would have been reduced if Heathrow Airport could have demonstrated sufficient training had been conducted.

We have to accept human error can’t be eradicated (unless I, Robot becomes reality), but there’s a whole raft of strategies we can use to mitigate risk.

And showing we’ve tried to do the right thing in the first place is half the battle, as a cocktail of human error AND complacency makes for the worst sort of mistake.


Data incident support – Our experienced team can develop or review your incident procedures and provide rapid support in the event of a suspected or actual personal data breach. Find out more


Minimise your data with maximum permissions

March 2021

Deliver successful marketing campaigns without hoarding data

This might seem like a contradiction in terms. How can you minimise the volumes of data you keep whilst also maintaining good levels of marketing permissions?

The answer, of course, is to only keep the data you need. Less is more. I’ll say that again – less is more. However, the challenge for many marketers is to understand which data to discard and which data to keep.

Figuring out which data is needed takes time and effort and draws on some old-fashioned skills we learnt in the pre-internet era to maintain data accuracy and assess what variables/values actually drive a sale.

Before the ubiquitous email, which appears to cost nothing, we used to make some very difficult decisions about who to contact because each contact cost a fortune. Now is the time to re-discover some of those skills and cut down on those emails and digital ads, whilst rebuilding trust with prospects and customers.

1. Data accuracy

Arguably the most boring job for any marketer is to keep their customer and prospect data up to date and accurate.

Questions to consider:

  • How many records hold inaccurate data?
  • Are they worth keeping?
  • How recently did that prospect engage with you?
  • Will they ever engage again?
  • Are the marketing permissions up to date and valid?

Like de-cluttering your house, it’s difficult to throw away data but keeping data for too long can attract large fines and a bad reputation.

2. Effective retention policies

If you understand the patterns of purchase and sale you’ll have a good idea of when customers are no longer engaged and either need to be refreshed or removed.

Asking if people want to be removed from a database after a long period of inactivity is a good idea. Why keep people on a list who don’t want to hear from you?

Questions to ask:

  • Have you reviewed your retention policy and refreshed permissions?
  • Do you have a regular routine in place to identify and update permissions once they reach their retention policy limit?
  • Do you regularly review the responses you generate from the older data sets?
  • Based on your findings, should you adjust the retention policy periods?

3. Reduce the collection of data points

If I provide a phone number when I place an order, what happens to that data?

Unless it’s for a carrier I’ll always provide an inaccurate number. It makes more sense to explain exactly why you need every single data point and provide a “what’s in it for me” reason why this data should be collected. The completion rate will be greater with more accurate information.

Questions to ask:

  • Do you have a clear plan for how every single data point is used?
  • Have you communicated that intention clearly?
  • Have you explained clearly the “what’s in it for me”?
  • Which data can be discarded?

4. Special category data

Special category data can be explicitly collected or inferred from the combination of other data sets. This is a particular challenge in Adtech where the quantity of data collected through third party cookies is, frankly, mind blowing.

If you’re able to establish sexuality from which websites someone uses, this potentially becomes special category data. Keeping any special category data presents an additional risk and should be carefully considered, whilst consent for marketing needs to be sought under any circumstance. If in doubt, get rid of it.

Questions to consider:

  • Do you really need to know anything sensitive about your prospects and customers?
  • What difference will knowing the information make to your ability to sell your products and services?

5. Preference centres

The notion you should give your customers and prospects the choice to manage their preferences in an open and transparent way is at the heart of data protection legislation.

There are technology solutions from a wide variety of providers to create preference centres for cookies, as well as managing marketing preferences for emails, direct mail and so on.

Presenting this information in an easy-to-understand format can feel like a formidable challenge and there’s sometimes the temptation to hide it or just not bother to explain clearly enough.

Not explaining or hiding information is never a great idea, as there is a direct link between openness and transparency and trust.

“Doing the right thing” and building trust is a No 1 priority for many brands and they see it reaps dividends in greater loyalty and repeat purchase.

Not only that, but the aforementioned technology solutions have relatively inexpensive options for smaller or medium sized businesses. Cost should not be an impediment.

Questions to consider:

  • Are all your marketing and cookie preferences managed centrally?
  • Do you know what all the cookies on your website do?
  • Do you know what happens to the data that is captured by third party Adtech providers?
  • Have you completed a DPIA for Ad Tech activity?
  • Do you have a compliant cookie notice and preference centre with the permissions options applied correctly?

6. Understanding the ROI of your campaigns

Being able to analyse the customer/prospect journey from first point of data capture through to a final sale is the holy grail. An apparently cost-efficient lead at the front end may not translate into high margin sales in the end.

Equally, being able to understand what influences a purchasing decision and what environment is most successful will allow you to filter your marketing effort against fewer key variables.

As the ICO clearly stated in their review of RTB, the sheer volume of data in use by Adtech providers feels disproportionate to the outcome.

Questions to ask:

  • Can you calculate an end-to-end ROI on customer transactions?
  • Do you know which variables will influence purchase more than anything else?
  • Have you done some modelling of your own customer data to create anonymised look alike segments to be used with contextual advertising?

7. How do you move on from third-party cookies?

As we know, Google will stop supporting third party cookies in 2022. This places an immediate pressure on advertisers to focus on their own first party data.

Immediate questions to ask:

  • Do we have any first party data?
  • How else do we add to what we already know?
  • Can we ask our customers to share more data? What interests them, what content do they consume, how do they shop?

If we’re able to create segments from our own data, the opportunity to use that information to create anonymised look-alikes will improve targeting efficiency. We are seeing a proliferation of providers who are using different variables to target customers which does not even involve large quantities of cookie data and this trend is set to grow.

If you understand your data well and create meaningful segments for targeting from first party data, which has been volunteered by customers, marketing teams will be in a strong position to deliver more with less.


Data protection team over-stretched? Find out how we can help with our flexible no-nonsense Privacy Manager Service.

Data breaches – is your business prepared?

March 2021

The threat of data breaches affects all kinds of business, both large and small. So, how do you make sure you are prepared and have planned for the worst?

It may be easy to slip into thinking “Oh, it might never happen…” but you’ll kick yourself if it does. The fallout could be devastating and might have been avoidable.

The benefits of taking positive steps to recognise the risks, putting measures in place to prevent breaches occurring and adopting policies and plans which are ready to swing into action as soon as a data incident or breach occurs really can’t be overstated.

Latest stats on data breaches are concerning

We regularly hear in the news of yet another company suffering a data breach. Let’s look at the scale of the problem.

  • Up to 88% of UK companies have suffered data breaches in the last 12 months! Many EU countries have had similar experiences. (Source: Carbon Black highlighted by CSO Online)
  • 37% of UK companies reported a data breach incident to the ICO in the past 12 months.
  • 48% of UK organisations have been hit by ransomware in the last year, according to Sophos. Almost three quarters of these ransomware attacks (74%) resulted in the data being encrypted.

According to the UK Government’s report into cybersecurity breaches:

  • Only 31% of UK organisations have carried out a cyber risk assessment in the last 12 months.
  • Only 57% of large companies have cybersecurity incident response processes in place.

Performing under pressure

The stakes are high. With the clock ticking to meet notification timelines, it’s vital your business’ response is both rapid and effective.

Organisations are increasingly judged not by whether they are compromised, but how well they detect and respond to data incidents. Handling an incident badly could irrevocably harm a business’ reputation.

Being well prepared will help you to keep your brand’s reputation intact and reduce the chances of regulatory action.

Preparation is vital to prevent costly mistakes. So, what can we do to make sure we’re well prepared?

Know your main data breach risks

Carry out a threat assessment to understand where your key data risks lie. External threats like phishing and ransomware continue to be of great concern.

But interestingly, the ICO’s Data Security Incident Trends report (Q2 2020/21) shows that nearly three-quarters of reported breaches were classed as ‘non-cyber’ security incidents. For example:

  • Data emailed or posted to incorrect recipient
  • Verbal disclosure of personal data
  • Loss/theft of paperwork or data left in insecure location
  • Failure to redact personal information.

Many of these breaches might perhaps have been prevented by better training of employees, adopting good practices (which should be routine) and, quite simply, people taking greater care when handling personal data.

Seek Executive support

Take the time to make sure your Executive team are fully engaged in information security. This is time well spent and can significantly increase the success of your data breach response plans.

Your Executive team can support you to drive awareness and training, helping to ensure positive practices and behaviours cascade down and throughout the organisation.

Create a data incident playbook

A good playbook is vital to responding to a cyber incident. This combines the policy, key actions, procedures and communications associated with responding to an incident.

Your playbook should typically cover these topics:

  • Incident reporting and recognition
  • Appointing your Incident Lead and first responder team
  • Establishing the key facts rapidly. Agreeing tasks to be carried out within the first 24 hours. For example, review what you know so far, ensure evidence is documented, carry out forensics, confirm if any personal data has been breached, stop any further data loss, alert key people & partners, and so on.
  • Identifying, assessing and documenting any risks to individuals whose data may have been breached
  • Rapid and effective triage to mitigate these risks
  • Escalation and internal communications
  • When to notify the regulator and when/how to notify data subjects, if appropriate.
  • External communications and PR.

It’s wise to also consider carrying out a simulation exercise using likely scenarios, so you can see how well your plans work in practice.

Learnings after a breach

Prevention is clearly vital, but personal data breaches WILL happen, as the stats clearly show.

Whether it’s caused by a cyber-attack, the actions of an employee, a software vulnerability, loss of an unencrypted device, or indeed something else, a personal data breach has the potential to seriously damage your customers’ trust and your reputation.

Being prepared means you can act swiftly, following a clear plan, with pre-defined actions and responsibilities. In the words of Lance Corporal Jones of Dad’s Army fame, you really can say “Don’t panic!”.


Data breach support – Our experienced team can develop or review your incident procedures, run simulations and provide rapid support in the event of a suspected or actual personal data breach. Find out more

Consent: Getting it right!

March 2021

Are you suffering from consent confusion? When must we rely on it? When is it not a good idea? And what must we do to make sure our consent is valid?

Here’s a short refresher to dispel the myths and a quick ‘consent checklist’ to make sure you are ticking all the right boxes!

For starters, one of the biggest myths surrounding GDPR (fuelled by news stories back in 2018) is that we need consent to do almost anything with people’s personal data.

Simply not true.

Consent is one lawful basis, there are others

Consent is just one of six lawful bases. They are all equal: no one basis is better than another, and you need to pick the right one for what you are doing.

Yes, sometimes consent is required by law for certain activities, but for many others a different lawful basis may be more appropriate.

But you do need to pick one. Data protection law across the EU and UK requires us to have a lawful basis for processing personal data.

(By processing we mean doing anything with people’s personal information – from collecting, storing, sharing and even the action of deleting it).

GDPR raised the bar on what constitutes valid consent

GDPR defines consent and says it must be “freely given, specific, informed and unambiguous” and must be given by a “clear affirmative action by the data subject”.

This means you need to clearly tell people what they are consenting to and they need to take an action to give their consent. And consent shouldn’t be bundled up with providing another service or with T&Cs.

Just to be clear, the rules for consent under UK GDPR are the same as for EU GDPR. (See UK data protection and ePrivacy law post-Brexit).

When is consent the right lawful basis?

Consent is most appropriate to use when you can offer people a clear choice and give them control over how you use their data. If you can’t do this, you should look to rely on another lawful basis.

When is consent legally required?

There are some circumstances when the law tells us we must gain consent. Let’s take a look…

1. Marketing

In specific situations you need consent to send marketing emails or SMS messages under the UK’s Privacy and Electronic Communications Regulations (PECR).

This is where things can get a bit nuanced. Consent is not always legally required for all marketing emails/SMS. There are choices you can make.

For example, there’s a specific exemption for existing customers (known as the ‘soft opt-in’) and more relaxed rules for business-to-business marketing. For more detail see Understanding email marketing rules.

There are also circumstances in which you will need consent for telemarketing calls. See the ICO’s Guide to PECR.

2. Cookies

You need consent to place cookies or other online tracking methods on people’s devices (unless those cookies are ‘strictly necessary’), or to install apps or software on people’s devices.

The ICO has confirmed such consent needs to meet the UK GDPR standard, and that cookies used for analytics, performance or marketing are NOT strictly necessary. See the ICO’s cookie guidance.

3. Special category data

If you are intending to handle special category data, for example health data on individuals, you may need to seek explicit consent to make sure this is lawful. This is unless you can rely on another specific legal condition.

GDPR requires you to have a lawful basis for processing special category data PLUS a specific condition under Article 9.

Special category data is information relating to someone’s health, race, ethnicity, political opinions, religious beliefs, trade union membership, sex life, sexual orientation and covers genetic and biometric data.

A word of caution here: if you’re using special category data for direct marketing or profiling purposes, you’ll need explicit consent.

4. If no other lawful basis applies

As you must have a lawful basis for each processing activity you undertake, if no other lawful basis obviously applies, you will need to obtain consent. Here are a couple of examples:

  • If someone would not expect you to be sharing their data with another organisation, it’s likely you would need to collect their consent to do so.
  • If you are planning to use someone’s data for a completely different purpose, which you didn’t tell them about when you collected their data, you are highly likely to need to collect their consent unless another lawful basis applies (e.g. it’s needed to meet a legal obligation).

Consent checklist

You also need to consider other factors. For example, if you are requesting consent on behalf of another organisation, that request must be separate and the organisation should be named. Also, consent doesn’t last forever and should be refreshed (especially if anything changes).

If you offer online services which are likely to be accessed by children, you also need to consider whether you will need to seek parental consent and/or implement age verification measures. (Also see Children’s Code – deadline for conforming looms)

When is consent not a good option?

Consent will clearly not be the best approach if you will struggle to meet the requirements.

You should be careful about using consent where there’s likely to be an imbalance of power. In other words, where people might feel they have to give their consent.

This makes consent tricky if used by a business for purposes relating to their employees. Perhaps staff may feel a degree of pressure to give their consent, or feel they will be penalised in some way or treated differently if they refuse.

Saying this, sometimes there seems little option but to rely on an employee’s consent. I know a number of organisations using explicit consent for their diversity monitoring, which clearly entails special category data.

Consent isn’t easy

Collecting valid consent and meeting all the requirements may feel like a bit of a minefield. It does mean you need to take careful decisions. It’s worth double checking what risks may be lurking.

However, it is worth getting right. In the words of the ICO, “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

A final word of caution: be careful not to try to shoehorn your activities into another lawful basis (such as legitimate interests) when consent really would be the most appropriate approach.

How is your privacy programme performing?

March 2021

You might regularly review your data policies, carry out staff training, conduct DPIAs when you need to… but how do you monitor the success of your privacy programme?

Let’s take a look at how to track your business’s privacy performance and gain confidence that data compliance is being managed successfully across the wider business.

The ICO is a good starting point – they have some useful tools.

This includes an Accountability Tracker tool which enables you to review and score business performance against each of ten key accountability areas.

In addition to highlighting gaps, the tracker includes its own dashboard (below), which is a useful way to see visually how your business is performing in these areas. For DPOs, this may help with your reports to the Board.

Example of a completed dashboard using the ICO’s Accountability Tracker

However, a word of caution. The level of detail required to complete the Accountability Tracker may prove too time-consuming for some. There’s a total of 330 questions to complete!

Don’t despair, as fortunately the ICO’s Online Self Assessment tool is much simpler and quicker to use. The results may be a little less forensic than the Tracker, but this method can still give you enough information for you to score your business performance against each accountability.

It will help you to answer that vital question: ‘Where are we now?’. Using this approach could help you to prioritise your main focus areas and actions.

Bear in mind that certain accountabilities might need to be treated as higher priority than others in your business or sector.

Tracking wider organisational performance

Larger organisations may wish to monitor internal adherence to privacy laws across the key business functions (such as HR, Operations, Marketing and so on), or across multiple sites, countries or regions. This type of assurance activity is becoming increasingly popular, particularly annual reviews.

For example, how do you know the various functions that collect personal data are providing sufficient privacy information across all the data collection touchpoints?

A simple tracking template can help you achieve this. To the best of my knowledge the ICO doesn’t provide anything quite like this, and I would argue it needs to be tailored to the dynamics of your own business.

Getting assurance across your data processors

Many organisations outsource certain processing tasks to third party processors. It’s important to put due diligence in place to ensure your processors are adequately protecting the data you control.

Auditing your programme

Many businesses are keen to get independent assurance that their privacy programme is up to scratch and performing well. If you don’t have an internal audit team, you might wish to bring in an external specialist.
What is responsible marketing?

January 2021

What is responsible or ethical marketing?

What core values should you embrace, and what type of projects can marketers apply these values to? Following some difficult moments over the last year or two, trust in advertising remains stubbornly low.

Now more than ever we need to focus on open and transparent marketing campaigns to build back trust with customers.

Here are my six pillars of responsible marketing:

1. RESPECT – put simply, your customers sit at the heart of your campaigns. As one ICO speaker said to me at a DMA conference a few years ago, “don’t piss people off”. That should be easy, shouldn’t it? Ask yourself the question: how would you feel if you received the message/communication you’re planning to send out?

2. VALUE – create a credible value exchange. According to DMA research 88% of consumers believe the value exchange between consumers and corporates is skewed towards corporates. If customers receive relevant messages, they consider the value exchange is fair and will happily share their data.

3. TRUST – build trust in your campaigns. According to the Advertising Association, since 1992 consumer trust in advertising has halved to 25%. A project might involve marketing, product, compliance, risk, legal, sales, distribution teams and all of them need to put customers at the heart of their activities. In particular customers need to feel they can trust companies to do the right thing and, recently, this has been in short supply.

4. JARGON FREE – we must speak the same language. For marketers, the data privacy teams can sometimes talk gobbledygook. Article this and recital that results in everyone else’s eyes glazing over in double quick time. And that’s just within the business. We all need to make a concerted effort to speak the customers’ language.

5. BE OPEN – openness and transparency are watchwords. Responsible brands employ responsible marketing techniques which revolve around providing a clear explanation of how data is used with clear pointers to help customers manage their data preferences. Explaining how data is going to be used and not feeling worried about how customers will react should be the norm.

6. RISK v REWARD – balance risk and reward. Only the business can really decide where this balance lies and that view needs to be shared across all teams. The compliance teams cannot own this, although they can help the business make those decisions. In the end data privacy is a business decision.

So, how can these principles translate into actions and projects? Here are just a few examples of responsible marketing projects:

  • Privacy by Design – what does this mean? If you’ve designed a new workflow or invested in some new technology, you need to consider your customers’ privacy needs from the start. You may have to evaluate the risks to understand the positive and negative impact of your decisions. You may ask your customers how they feel.
  • A brand-led privacy communications campaign – have you asked your brand team to develop a clear and easy to understand privacy comms campaign? A few organisations, such as Channel 4, The Guardian, Amnesty International and the ICO itself, have used video or graphics to bring their privacy policies to life, with materials which work hard to explain their policies clearly.
  • Data strategy – I’m not talking here about deciding what tech to buy, but about a clear strategy and decision on how to recruit and retain customers. Have you carried out a project in your organisation to figure out what data you really need to make a difference to sales? Have you worked through your database and minimised the volumes of data you need? Have you considered whether you need all the cookie data that is collected? A strategy based on what will make your messages relevant to your customers and prospects will almost certainly use far less data than is being collected at the moment.
  • Making data privacy part of your business culture and values – behaving ethically and treating customers well will reap huge benefits in terms of enhanced trust and increased sales.