Marketers: Will You Need to do a DPIA for that?

February 2020

Why Marketers need to understand Data Protection Impact Assessments

The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.

One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).

In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.

An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.

When should a DPIA be conducted?

The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.

The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes

That certainly sounds like a lot of situations, doesn’t it?

We anticipate a lot of marketers who have never conducted DPIA before will have to learn fast.

The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.

The draft code includes a ‘good practice recommendation’:

“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”

So what do you need to do?

When carrying out a DPIA for marketing, organisations must be able to:

  • describe the nature, scope, context and purposes of what you are planning to do
  • assess its necessity, proportionality and any compliance measures in place
  • identify and assess risks to individuals
  • identify any additional measures which may be appropriate to mitigate any risks

As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.

Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.

It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.