Why Marketers need to understand Data Protection Impact Assessments
The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.
One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).
In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.
An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.
When should a DPIA be conducted?
The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.
The following examples are given:
- when conducting ‘large scale’ profiling of individuals for marketing purposes
- matching datasets for marketing purposes
- where processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
- using geo-location data for marketing purposes
- tracking the behaviour of individuals, including online advertising, web and cross-device tracking, tracing services (tele-matching and tele-appending), wealth profiling and loyalty schemes
- targeting children or other vulnerable individuals for marketing purposes
That certainly sounds like a lot of situations, doesn’t it?
We anticipate that a lot of marketers who have never conducted a DPIA before will have to learn fast.
The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.
The draft code includes a ‘good practice recommendation’:
“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”
So what do you need to do?
When carrying out a DPIA for marketing, organisations must be able to:
- describe the nature, scope, context and purposes of what they are planning to do
- assess its necessity, proportionality and any compliance measures in place
- identify and assess risks to individuals
- identify any additional measures which may be appropriate to mitigate any risks
As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.
Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.
It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.
Gemma Johnson, February 2020
The DPN ran a DPIA webinar on 8th April 2020, hosted by Robert Bond, a partner at Bristows LLP; you can view the recording here.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.