Refer a Friend - Viral Marketing Rules

February 2020

Can you ask your customers to send on your marketing to their friends?

The answer, according to the ICO’s draft Direct Marketing Code, is NO!

The regulator says for email/SMS this breaches the rules, as you won’t have the consent required for such electronic promotional messages. (I suspect email is the prime channel for this type of marketing).

But is the ICO taking a too literal approach? I’ll admit, I’m left wondering whether the GDPR and ePrivacy (i.e. UK PECR) rules were really designed for this. Is the Law of Unintended Consequences at work here?

I recently received a ‘refer a friend’ from a cosmetics company I’d used. This prompted me to go back to the draft code and read carefully what it said.

I seldom receive emails like this, and don’t think I’ve ever forwarded details to a friend. But what’s the problem? I can delete it. I can unsubscribe. I am in complete control in a personal capacity if I choose to act upon it. If I do, the recipient (who will be known to me) can ignore it. The company will only collect my friend’s details if they actively choose to engage.

Asking for contact details of friends/family

In the Direct Marketing Guidance (which the code will replace) the ICO previously referenced these types of viral marketing campaigns. The scenario of asking existing contacts to provide contact details for their friends and family was highlighted. And the clear advice was not to do it. This is because it would be difficult to ensure you had the permission of the friends/family members. But it went no further.

On this point, I completely agree – I wouldn’t be happy if a friend provided my details to a third party without my knowledge. Even if I’d agreed, the company would clearly have no lawful basis under GDPR for processing such information. They’d certainly have no evidence I’d agreed to this.

In this respect, the ICO guidance seems totally correct (and is repeated in the draft code).

‘Instigating’ marketing messages

However, the ICO is now taking this a step further. It says direct marketing rules cover companies who ‘encourage’ their customers to send on a marketing message to friends or family.

The Regulator takes the stance that as the ‘instigator’ of a direct marketing message, you’ll need to comply with direct marketing rules. It states:

“You still need to comply even if you do not send the messages yourself, but instead instigate individuals to send or forward these. Instigate does not necessarily mean that you have incentivised the individual to send your messages.”

It goes on to say:

“Actively encouraging the individual to forward your direct marketing messages to their friends without actually providing a reward or benefit still means that you are instigating the sending of the message and you therefore need to comply with PECR.”

As direct marketing emails and SMS messages require consent (in a business-to-consumer context), the ICO concludes it’s impossible to collect valid consent for a marketing message that arrives in a friend’s inbox. The following example is given:

“An online retailer operates a ‘refer a friend’ scheme where individuals are given 10% off their orders if they participate. The individual provides their own name and email address and the retailer automatically generates an email containing its marketing for the individual to send to their friends and family. The retailer is instigating the direct marketing therefore they have responsibility for complying with the PECR rules. Because the retailer does not have the consent of the friends and family these emails breach PECR.”

It’s clarified you are not responsible if individuals choose to send their friends a link to a product on your website or details of a promotional campaign. This is as long as you haven’t ‘encouraged’ them to do so.

Refer a friend links

In the above example the ICO specifically mentions an automatically generated email containing the organisation’s marketing content. From a purely personal perspective I don’t see this as being too much of a problem. It would be interesting to see the metrics from businesses who use this type of marketing and find it effective.

Of course, I accept the ICO may have specifically highlighted this because it has received complaints from people who are inundated with promotional emails from their friends.

However, this is not the only way refer a friend schemes operate. The email I recently received invited me to click to get a link which I could then share with my friends should I wish to. Both my friend and I would be rewarded should they go on to buy some cosmetics from the company.

I’ll reiterate – I wasn’t being encouraged to forward a marketing message. I was encouraged to copy a link. If I’d done this, I would have been completely in control of what I wrote in my email to a friend and I would be sending this in a personal capacity.

You’d also think this would rely on a good customer experience – people being likely to want to tell their friends about a good brand.

Refer a Friend Benefits

These types of campaign are clearly attractive to companies who want to reach out to new customers. They would appear to put the customer completely in control. Friends can simply ignore it if they wish.

Gavin Walles from Mention Me, a company which specialises in referral marketing, says these refer-a-friend programmes are beneficial to both companies and their customers:

“The fact that the referrer is making an introduction means that the brand is not required to spend money on other less efficient marketing channels and so they are willing to share that saving with their customers. Therefore, brands are willing to offer incentives to both the referring customer and the referred friend for participation in their refer-a-friend programmes. These incentives offer real value to both the referrer and their friend, making it a mutually beneficial process for the consumers and giving them the opportunity to benefit from discounts and other rewards they would not otherwise have access to”.

In some ways, it could be alleged the ICO is trying to police the behaviour of private individuals around the information they choose to share… refer a friend is an invitation, not an instruction.

Robert Bond, partner at Bristows LLP comments, “There is also the issue as to how GDPR and PECR can apply to the action of the referrer as the individual is acting in a domestic or household capacity”.

I suspect many companies would appreciate further clarification from the Regulator on these types of viral marketing campaigns.

ICO Direct Marketing Code 'draft': 12 Highlights

January 2020

Just when I thought January was feeling dull, I got my hands on the ICO’s much-anticipated draft Direct Marketing Code of Practice! This replaces the Regulator’s existing Direct Marketing Guidance and will have statutory status.

It’s stressed that adhering to the code will be seen as a key measure of compliance with UK data protection laws. However, right now it is still a draft and is open for consultation until 4th March.

A detailed document, the code brings together much of the ICO’s other guidance in a marketing context with guidance on lawful bases, profiling, DPIAs, cookies etc.

It also covers more advanced techniques such as online behavioural advertising, social media targeting, mobile apps and location-based marketing. These are topics which are either not covered or only touched upon briefly in the Direct Marketing Guidance.

The emphasis is firmly placed on planning your marketing activities and embedding data protection by design. It sets out what the ICO considers ‘right’ to look like. While much may not come as a surprise to many, there are areas where some push-back can be anticipated and/or a desire for further clarity.

As with the ICO’s updated Cookie Guidance published last Summer, it’s almost certain there’ll be areas where organisations are falling short of what the ICO considers ‘right’ to be. How short they’ll fall remains to be seen, but there are now more and more ways to end up on the ICO naughty step – which is the one with the potential fines attached.

The code is more than 120 pages of adrenaline-pumping data protection action, and I’m sure many of you will be raring to get stuck into it.

However, for those who want the headlines first, I’ve put on my special data geek hat (I do have one) and read the lot. And here are my top twelve highlights! (Albeit, I make no apology for reducing 120 pages to about 5).

1. Direct Marketing Purposes

The code makes it clear from the off that direct marketing ‘purposes’ are broader than simply sending direct marketing communications. It says the focus should be on the purpose of the processing, not the activity itself. If the ultimate aim is to send direct marketing communications, then all the processing activities leading up to this would be processing for direct marketing purposes. The code states:

If you are processing personal data with the intention that it is used for communicating direct marketing by you or a third party you are processing for direct marketing purposes.

For example, if you are collecting personal data from various sources in order to build up a profile on an individual – such as the products they buy, the services they like to use, or the causes they are likely to support – with the intention that this is used to target advertising at them, whether by you or by a third party.

Other examples given include lead generation, list-brokering, data enrichment, data cleansing, audience segmentation or other profiling, and contacting individuals to ask them for their consent to receive direct marketing.

2. Data Protection Impact Assessments

Unsurprisingly, the code says if your direct marketing activity includes processing of a type likely to result in ‘high risk’, you must do a DPIA before you begin the processing. It gives the following examples that would be relevant in a direct marketing context:

  • large scale profiling;
  • data matching – e.g. for direct marketing;
  • invisible processing – e.g. list brokering, online tracking by third parties, online advertising, re-use of publicly available data;
  • tracking the geolocation or behaviour of individuals – e.g. online advertising, web and cross device tracking, tracing services (telematching, tele-appending), wealth profiling, loyalty schemes; and
  • targeting children or other vulnerable individuals for marketing and profiling.

It’s worth noting the ‘good practice recommendation’ suggesting a level of due diligence when any piece of marketing work commences:

Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.

3. Consent

The code reiterates the ICO’s Consent Guidance, bringing this specifically into a marketing context and covering where the Privacy and Electronic Communications Regulations (PECR) require consent. The ICO has previously emphasised it sees ‘opt-in’ as the best approach for direct marketing, and this is reiterated here in another good practice recommendation:

Get consent for all your direct marketing regardless of whether PECR requires it or not. This gives you the benefit of only having to deal with one basis for your direct marketing as well as increasing individuals’ trust and control.

(There are quite a few good practice recommendations to watch out for dotted through the document).

The code goes on to say:

PECR requires consent for some methods of sending direct marketing. If PECR requires consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent.

If you have not got the necessary consent, you cannot rely on legitimate interests instead. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation.

It also stresses the requirement that for consent to be valid it should be unconditional. It provides the following example (which many of us will have come across):

A train company has signs in its carriages saying that free wifi is available for its passengers. In order to access the wifi the passenger is required to provide their name, email address and telephone number. There is a notice at the bottom of the sign up process which says: I understand that by submitting my details I am agreeing to receive marketing from the train company.

If the passenger does not tick the box they cannot access the ‘free’ wifi – in other words accessing the wifi is conditional on them receiving electronic direct marketing. It is not necessary for the train company to collect these details for direct marketing purposes in order to provide the wifi, therefore the consent is not valid.

4. Legitimate Interests

It clearly sets out that the two lawful bases most likely to be appropriate for direct marketing purposes are consent and legitimate interests. It notes neither is an ‘easy option’ and both require work. (Albeit, there’s some concern that too much emphasis is placed on using consent).

If consent is not a requirement under PECR, the ICO says you might be able to rely on Legitimate Interests. There’s reference to the GDPR, which states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Again, as in the ICO’s Legitimate Interest Guidance, the word MAY is highlighted. The requirement for organisations to conduct an assessment is reiterated: an assessment which can demonstrate the use of people’s personal data is proportionate, has minimal privacy impact and would not come as a surprise.

For more information on how to assess legitimate interests see the DPN’s Legitimate Interest Guidance. This includes a template for a Legitimate Interests Assessment (LIA), as does the ICO’s Legitimate Interests Guidance.

5. Special Category Data

If you’re conducting profiling involving special category data for direct marketing purposes, it’s made clear you’ll need to gain explicit consent. Special category data includes, for example, health data, racial or ethnic origin, political opinions, religious beliefs or sexual life. The following example is given:

A supermarket wants to promote its baby club. It decides to use its loyalty card data to predict which of its customers might be pregnant in order to send them messages about its baby club. Because the supermarket does not have its customers’ explicit consent to do this, it has infringed the GDPR.

‘Explicit’ consent is a further step than ‘normal’ consent. The ICO says in practice this means it:

  • must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action;
  • must specify the nature of the special category data; and
  • should be separate from any other consents you are seeking.

It’s helpfully clarified that simply holding a list of customer names associated, for example, with a particular ethnicity or religion will not trigger the conditions of GDPR Article 9, unless you specifically target marketing on the basis of that inference.

It will be interesting to see what activities hitherto considered fairly unremarkable fall into the Special Category Data definition for marketing purposes.

6. Personal data collected indirectly & right to be informed

The code reiterates the requirement to fulfil the right to be informed when you haven’t collected personal data directly from the individual (e.g. you’ve sourced this from publicly available sources or a bought-in list).

It says the ‘disproportionate effort’ exemption to this right would need to be carefully balanced. If the processing has a minor effect on the individual, an organisation’s assessment might find that it’s not proportionate to put significant resources into informing individuals. But it specifically states:

You are unlikely to be able to rely on disproportionate effort in situations where you are collecting personal data from various sources to build an extensive profile of an individual’s interests and characteristics for direct marketing purposes.

This represents a challenge for some. It goes on to say that if you do not actively tell people about your “invisible processing” you must carry out a DPIA before you start.

Also see – Prospects, Leads, Bought-in Lists – Don’t forget the Right to be Informed

7. Online Advertising

There are no prizes for guessing the code says where cookies and other technologies are used PECR will apply. But it also highlights that where you are personalising adverts (based on, for example, an individual’s browsing history) this will be direct marketing. It states:

In the vast majority of cases, online advertising involves the use of cookies and similar technologies and therefore PECR applies. Additionally, if you engage in behavioural advertising – for example by personalising adverts on the basis of things like an individual’s browsing history, purchase history or login information – this will constitute direct marketing.

This is because the decision to target that particular user with a specific advert is based on what you know, or perceive to know, about the interests and characteristics of that individual and the device(s) they use.

8. Data Enrichment, Matching & Appending

The general theme is approach this with caution. The ICO says you need to be careful enrichment isn’t unfair to individuals and it’s unlikely people will anticipate you are doing this or understand what it is. It says:

You are not able to enrich the personal data you hold if you and the third party (where applicable) did not tell people about this.

Furthermore, it says purchasing additional contact details for your existing customers or supporters is ‘likely’ to be unfair, unless they’ve expressly agreed.

9. Using third parties to send your marketing communications

Are you the instigator? (An area some organisations have fallen foul of in the past). The code states that PECR applies to the ‘sender’, ‘caller’, or ‘instigator’ of the direct marketing message, and warns that you’re likely to be instigating if you “encourage, incite, or ask someone else to send your direct marketing message.”

So, if you encourage another company to send your B2C marketing emails then both of you need consent (one for being the instigator and one for being the sender).

10. Tell a friend campaigns

In short, and as many of us would have expected, this is a non-starter:

As you have no direct contact with the people you are instigating the individual to send the direct marketing to, it is impossible for you to collect valid consent. It is likely therefore that viral marketing and ‘tell a friend’ campaigns by electronic mail would breach PECR.

11. Social Media Targeting

When using “list-based” tools (e.g. Facebook custom audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing. The code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

Many organisations may be currently relying on Legitimate Interests, especially when using hashed lists, and it’s not made clear why the ICO believes audience tools would not meet the three-part test.

The ICO recognises activities to find customers that are similar to yours are complex. The code says while the social media platform undertakes the majority of the processing activities, organisations using these are the ones instigating this activity.

The ICO’s conclusion is it’s likely the organisation and the platform are joint controllers. Organisations should be satisfied the platform has taken all necessary steps to provide appropriate transparency information to people. It goes on to say:

You also need to inform individuals who have provided information to you that you intend to process their data to create these other audiences and ensure that you have a valid lawful basis.

If individuals have objected to the use of their personal data for marketing purposes, you also must not use their data for the creation of a ‘lookalike’ audience.

12. Right to object & most recent indication of wishes

There’s a section of the draft code dedicated to individual rights, within which it specifically mentions that the most recent indication of an individual’s wishes about the receipt of your direct marketing is the most important. It gives the following example:

If an individual specifically withdraws their objection or in the future actively solicits direct marketing from you, then this would override their original objection. However, failing to opt-out of your direct marketing at a later date (for example if you are using the electronic mail soft opt-in) does not override an individual’s previous Article 21(2) objection.

So, clarification on a point I know has caused some debate. If someone has unsubscribed, presenting them with an opt-out statement (i.e. relying on legitimate interests) will not override their previous objection.

As said, the draft code stretches to more than 120 pages. There’s much detail to mull over and it remains to be seen what changes emerge following the public consultation.

Personal Data Breaches - to notify or not to notify?

October 2019

As the dark, creeping realisation dawns that a personal data breach may have occurred, staff who think something has gone wrong are faced with an urgent and important decision – should they tell a colleague/manager/data protection officer what they have discovered?

Assuming they’ve received relevant training and are aware of the organisation’s data breach incident process they should immediately tell the nominated people, in line with the organisation’s data policies.

The organisation then needs to act swiftly to ascertain the facts and confirm whether a personal data breach has actually occurred or not.

Once this is established and the organisation is ‘aware’ of a personal data breach, the clock starts to tick and it only has 72 hours in which to notify its Supervisory Authority (e.g. the UK’s Information Commissioner’s Office), unless it determines that the breach is unlikely to represent a risk to the rights and freedoms of individuals.

Being prepared and having a plan will prove invaluable – Personal Data Breaches: Prevention and Plan

What is a personal data breach?

The GDPR defines a personal data breach as, ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ (Article 4.12)

The ICO Guidance on Personal Data Breaches provides the following examples of personal data breaches:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data

Broadly speaking whenever personal data is lost, destroyed, corrupted or disclosed this will be a personal data breach.

Is the personal data breach notifiable to a Supervisory Authority?

Not every personal data breach needs to be reported to the ICO (or to another Supervisory Authority). If after assessing the incident, the view is that a risk to people’s rights and freedoms is unlikely, then it doesn’t need to be notified. If the breach does present a risk, then it should be notified.

There is no one-size-fits-all answer to the risk assessment question. Each breach will need to be considered on a case-by-case basis, taking into account all the relevant factors.

The consequences of a data breach may include emotional distress and/or physical and material damage. Some may only cause inconvenience for the data subject, while others could have a significant detrimental effect on the individual(s) whose personal data has been compromised.

Assessing the severity of the risk

It’s useful to reference the European guidelines – the Article 29 Working Party Guidelines on Notification of a Personal Data Breach (WP29). In particular, Section IV provides helpful pointers on how to assess ‘risk’ and ‘high risk’.

In essence, a risk exists when a breach may lead to physical, material or non-material damage for those whose personal data has been breached. Examples of such damage are:

  • discrimination
  • identity theft or fraud
  • financial loss
  • reputational damage

When it comes to a breach of special category data, the decision to notify or not is more clear cut. The WP29 determines that:

When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions, such damage should be considered likely to occur.

The Guidelines say any evaluation of the risk to the individual’s rights and freedoms must be objective and take into account both the likelihood and severity. It’s recommended the following is taken into account:

  1. The type of breach – A breach in which medical records are disclosed to an unauthorised party would have different consequences to where medical records may have been lost and are no longer available.
  2. The nature, sensitivity, and volume of personal data – Normally the rule of thumb is that the more sensitive the data that has been breached the higher the risk of harm. A combination of personal data will normally represent more of a risk than a single piece of personal data. Even if the disclosure of a name and address may seem fairly unlikely to pose a risk, it can very much depend on the context. Individuals may have reasons for wishing this to be kept secure, for example not wishing an estranged partner to know this. A small amount of highly sensitive data may have more severe consequences than a large volume of non-sensitive data.
  3. Ease of identification – How easy would it be for someone who has access to the compromised data to identify specific individuals from it? This may be judged to be extremely difficult or could be more straightforward to do.
  4. Severity of consequences – A breach of special category data could result in damage that is severe. Organisations need to assess whether the personal data breached could result in identity theft, physical harm, psychological distress, humiliation and so on. Where personal data is in the hands of people whose intentions are unknown or potentially malicious, this is likely to represent a greater risk than where an organisation has sent personal data accidentally to another known recipient. In such circumstances a trusted recipient who returns or securely destroys the data, could mitigate the risk. This doesn’t mean a breach hasn’t occurred, but may reduce or remove the likelihood of a risk to individuals.
  5. Special characteristics of the individual – Particular consideration should be given where a breach may impact on children or other vulnerable individuals.
  6. Special characteristics of the data controller – The WP29 guidelines provide an example here of the difference between a medical organisation processing special category data as opposed to a mailing list of a newspaper.
  7. The number of affected individuals – In general, the more people affected by the breach, the bigger the impact a breach could have. However, a breach affecting a small number of individuals could have a severe impact on those affected, and a larger breach could have a less severe impact but on more people.

An organisation needs to consider a combination of the severity of the potential impact and the likelihood of these impacts occurring. Annex B of the WP29 guidelines provides some useful examples of types of breaches and whether notification would be required or not.

You should ensure you have appropriate methodology in place for evaluating the risk and document your considerations in every case, as evidence of your assessment and justification for your decision to notify or not.

How much time do we have to report a breach?

The GDPR states that an organisation must report a notifiable breach to a Supervisory Authority (e.g. the ICO) without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Section II of the WP29 Guidelines gives more details of when a controller can be considered to have become aware of a personal data breach. It states:

WP29 considers that a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. This will depend on the circumstances of the specific breach. In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.

The challenge many organisations face is often akin to completing a 5,000-piece jigsaw puzzle: collating snippets of information that may be initially disjointed and from different sources isn’t easy.

Trying to piece together a timeline of what happened when takes up a considerable amount of time and resource and quickly eats into the 72-hour window.

The practical efforts to bring the timeline of the incident together may delay the escalation to the DPO and make the potential notification window even narrower.

The best prepared organisations appoint individuals as members of a data breach incident team and name these people in their Personal Data Breach Incident Plan.

This facilitates rapid mobilisation of the response team made up of individuals from around the business who know, in advance, what their responsibilities are if and when a personal data breach occurs. This gives the organisation the best chance of building the timeline and, when appropriate, notifying the supervisory authority within the deadline.

How to notify a breach

Once you have decided a personal data breach is notifiable, you have 72 hours to notify the ICO (or relevant Supervisory Authority). For the ICO, you can contact them by phone on their helpline number 0303 123 1113 or download and complete the data breach notification form, which you then email to the ICO with “Personal Data Breach Notification” in the subject line. Alternatively, you can post a copy of the form.

When completing the form you need to include details of what went wrong and why, when it happened, when you discovered it (date and time), and how you discovered it. Precise details of the type of personal data breached, how many records are affected and how many data subjects are affected are also required. You should specify the categories of individuals affected, for example customers, employees or patients.

The ICO need to know whether you have advised or plan to advise affected individuals that their data has been compromised and also whether you plan to or have advised other organisations about the breach, such as the police or other regulatory bodies. (There is an option on the form to indicate if you have yet to make a decision on this).

One of the questions the ICO ask is whether the members of staff involved in the incident have been trained on data protection within the last two years, so it’s really important to keep your training up to date and maintain thorough records of which members of staff received their training and when.

Controllers must prioritise the investigation, give it adequate resources, and expedite it urgently. The ICO are happy for you to complete and send an initial report before your investigations are fully completed, which often happens when an organisation comes up against the 72-hour deadline. This phased reporting is allowed for under Article 33(4) as long as it is done without undue further delay. The ICO says: “You may also want to report a breach online if you are still investigating and will be able to provide more information at a later date.”

You must include the name and contact details of your Data Protection Officer (if your organisation has one) or other contact point where more information can be obtained if the ICO need to get in touch.

Upon receipt of the form, the ICO will send an email in acknowledgement and may assign a case number, although this is not always assigned immediately. It’s important when sending a follow-up report that you reply to the email they send you and keep the subject of the email consistent, so that the ICO can tie it in with the initial report.

Informing affected individuals

It may also be necessary to notify any individuals affected, ‘without undue delay’ if the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms.

If you have deemed the risk to be “high” you must tell the individuals affected about the breach without delay. When informing them you should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves.

This must be provided in clear easy to understand language. It can save valuable time if you have already considered this in advance, have pre-prepared communications which can be adapted to the circumstances of the specific breach. Including a communications plan as part of your incident plan is advisable.

However, even though you may have decided that the incident is notifiable, you may assess that there is not a high risk to individuals’ rights and freedoms. An example could be that the personal data is already in the public domain or, in isolation, may not be likely to present a high risk to their rights and freedoms. In such a scenario there may not be a requirement to inform the individuals themselves. Again, your thinking would need to be fully documented as to how you arrived at that decision.

Some reflections on data breach experiences…

The maelstrom of a personal data breach can be a scary and lonely scenario. Below are some quotes from business leaders, academics and employees which may resonate!

“There was this absolutely horrible moment where I realized there was absolutely nothing at all that I could do.”
– Amy Pascal, Former CEO of Sony Pictures

“One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.” – Arnold H. Glasow, Author & Businessman

“Once we escalate to management, there will be no day, no night.” – Mr Ernest Tan Choon Kiat, during the biggest breach in Singapore’s history in Aug 2018

“Teams that say their cyber-security is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online. I learned that really smart engineers can talk English, under extreme pressure.” – Dame Dido Harding, former CEO of TalkTalk, presenting on 4th June 2018

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stéphane Nappo, Global Chief Information Security Officer, Société Générale International Banking

And finally, at what cost…?

Whilst the focus in a post-GDPR world may be on the eye-watering potential fines, they represent just one cost in a long list that an organisation may incur, both financial and non-financial, following a personal data breach.

Initially there will be the cost of setting up breach response efforts, investigating the incident and taking steps to avoid a similar scenario. All extremely important but resource hungry activities. Then there could be the cost of compensating the individuals affected and with the advent of class actions in this area, this could be extremely costly for the organisation.

Reputational damage leading to loss of customer trust and potentially loss of existing and future customers could result in reduced market share and this is likely to be the largest and most enduring price an organisation pays, compounded by a falling share price where the company is publicly listed.

With all this in mind, the importance of an organisation taking a layered and multi-faceted approach to data breach “defence” cannot be overstated.

Some may be technical security measures but the importance of the organisational measures (such as regular staff training and awareness) and developing your data breach handling procedures are equally important and should not be overlooked.

Whilst it would be impossible for an organisation to fully mitigate all of the areas of risk, building sound data governance and security practices into its culture will certainly help to strengthen its defences.

Any organisation processing individuals’ personal data needs to equip its people with the appropriate level of awareness and understanding so they are fully prepared to take swift action if the worst does happen.

Personal Data Breaches: Prevention & Plan

We’ve all seen the headlines, data breaches are weekly if not daily news. Regulators across Europe are busy wading through the swathe of breach notifications they’ve received, under the GDPR regime, and are starting to take action.

Many organisations will have spent thousands on implementing measures to prevent a breach occurring in the first place, and many will have robust, tried and tested incident plans in place. But what if you don’t?

What is a personal data breach? A little reminder…

A personal data breach is about more than just losing personal data, it’s a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. GDPR, Article 4.12

The reasons why personal data is breached vary widely but generally the causes fall into three categories:

  1. The actions of people inside the business
  2. The actions of people outside of the business
  3. Systems failure

Personal data breaches can be categorised under the following three information security principles:

  • “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data
  • “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data
  • “Integrity breach” – where there is an unauthorised or accidental alteration of personal data

A breach may involve one, a combination or all of the above.

Whether it’s caused by a cyber-attack, malicious insiders, software vulnerabilities, loss of an unencrypted device, data sent to the wrong recipient and so on, a personal data breach has the potential to seriously damage your customers’ trust and public perception. 

Yes, the potential fines could be large, but the commercial impacts through loss of trust and customer share, could, and have, resulted in significant ongoing financial losses for organisations. More importantly, the long-term harm for individuals whose data has been breached could be significant.

Preventing a breach in the first place

So, what do organisations need to do to try to prevent a breach? One of the core data protection principles requires organisations to make sure they have in place appropriate technical and organisational measures (TOMs) to keep individuals’ personal data safe. These should be appropriate to the risk your processing represents.

Technical Measures

Ensuring devices, networks and servers are sufficiently protected is vital regardless of the size of your organisation. Firewalls, anti-virus applications and malware protection are all must-haves.

Also crucial is having up to date software and operating systems, and installing updates and patches as quickly as possible – previous cases have shown these can be a vulnerability.

Of course, the difficult part here is that there’s a huge array of security measures and technical options in the market and the onus is on the organisation to choose what to invest in. Added to that is the fact that the security environment is moving fast and there’s a need to adapt to ever evolving threats.

Where the ICO has investigated breaches, it has taken account of the measures the organisation had put in place and made a judgement on whether the organisation had done enough.

Following the cyber-attack experienced by TalkTalk back in 2015, the Information Commissioner, Elizabeth Denham, commented:

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customers’ information. It did not and we have taken action.”

Organisational measures

Alongside technical measures, any Regulator will be looking to assess the equally important organisational measures put in place. These will depend on the size and complexity of your organisation. Such measures could include (but are not limited to):

  • Information Security Policies
  • Risk Assessment
  • Data Protection Policies and Procedures
  • Supplier Due Diligence
  • Business Continuity Plan
  • Management Information & Reporting
  • Reviews & Audits
  • Training & Awareness

The last point should not be overlooked. How and when employees were last trained may well be one of the first questions the ICO asks when starting an investigation. At the 2019 ICO Data Protection Practitioners Conference, the Regulator stressed,

“Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”

Armed with a good understanding of the risks, staff can also perform a critical role in identifying breaches quickly once they’ve occurred. Internal processes should also be in place to ensure staff know how, and to whom, to escalate a potential incident (usually the DPO, or the individual or team carrying out that function).

One of the findings of the investigation into the Heathrow Airport data breach in October 2017, which was due to a lost memory stick, was inadequate training. The ICO found Heathrow Airport guilty of “failing to ensure that the personal data held on its network was properly secured” and for “failing to provide any, or any sufficient training in relation to data protection and information security.”

Do you have a plan?

A clear and comprehensive Data Incident Plan is invaluable, and Regulators would expect to see evidence of one.

Any plan should cover which key members of staff will be in the incident team and should consider engagement with key stakeholders – both internal and external. In brief, your incident plan should cover the following core points:

  • Discovery
  • Rectification
  • Analysis & Risk Assessment
  • Evaluation
  • Decision
  • Response
  • Recording

Furthermore, developing a customer-focused communication strategy in advance will save valuable time in the event that you decide your breach reaches the threshold for customers to be notified.

The ICO’s Guidance on Data Breaches provides a helpful checklist for preparing and responding to a breach.

To notify or not to notify, that is the question…

Whether to report a personal data breach to the ICO is a subjective judgement, there isn’t a black and white rule. What makes this particularly challenging is the time constraints, as notification needs to be within 72 hours of becoming aware of a breach which you have assessed as likely to represent a risk to individuals.

It may also be necessary to notify any individuals affected, ‘without undue delay’ if the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms.

To help make the judgement, the organisation needs to consider the likelihood and severity of the risk that the breach has created to the rights and freedoms of individuals (these could be customers, employees, patients, students etc).

If it’s likely there’s a risk, the organisation must notify the ICO. If it’s unlikely to have caused a risk, then it doesn’t need to be reported. It’s essential the incident is fully documented whether it is notified to the ICO or not – as the decision could be challenged later and you will need to be able to justify it.

Your risk assessment needs to consider the potential negative consequences for individuals. Recital 85 of GDPR states:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

There is no one size fits all answer to the risk assessment question. Each breach will need to be considered on a case by case basis, taking into account all the relevant factors. Consequences of a data breach can include emotional distress and/or physical and material damage.

Some may only cause inconvenience for the data subject, others could have a significant detrimental effect on the individual(s) whose personal data has been compromised. You should ensure you have appropriate methodology in place for evaluating the risk.

It’s also worth becoming familiar with the ICO’s data breach notification form – you could run tests on how you would complete this in different scenarios.

Debbie McElhill,  September 2019


ICO cookie guidance and the impact on website analytics

The ICO has published updated guidance on the use of cookies and other similar technologies. This is to be welcomed as there were some perceived areas of ambiguity that were causing confusion. The ICO have also published a useful myth-busting blog which provides some clarity around these misconceptions.

It’s interesting to see confirmed that GDPR level informed consent is required to drop a ‘non-essential’ cookie regardless of what it does and what information it collects. The old concept of implied consent is dead.

What’s changed?

The so-called “cookie law” of 2011 required ‘consent’ to drop any ‘non-essential’ cookies regardless of whether personal data was collected or not. To be clear, the concept of “non-essential” cookies is not a new one. The ICO’s 2012 guidance on cookies said implied consent (i.e. an opt-out rather than an opt-in) was permitted: “Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”

As we are all more than aware, GDPR upped the bar on what constitutes valid consent and the ICO’s latest guidance confirms: “There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies”. Users must therefore take, in the words of the Regulator, “a clear and positive action to consent to non-essential cookies” and “pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies”.

This could not be clearer.

So, what’s an essential cookie?

An essential cookie is one that’s ‘strictly necessary’ for the functioning of your online service, not one that is ‘important’. The ICO guidance states: “The ‘strictly necessary’ exemption means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.”

The guidance stresses that where a cookie is deemed ‘important’ rather than ‘strictly necessary’, there is a requirement to obtain consent. The ICO offers some helpful clarification of what would constitute essential, e.g.:

  • A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket
  • Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested – for example in connection with online banking services
  • Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)

Analytics cookies are not essential

The ICO guidance also provides the following example of a non-essential cookie:

  • Cookies used for analytics purposes e.g. to count the number of unique visitors to a website

The Regulator says it recognises that analytics provide businesses with useful information, but says they’re not part of the functionality that a user requests when they use an online service. It’s stated: “if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”
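To make the consent rule concrete, here is an added JavaScript example written for this post; it is not code from the DPN, the ICO or any consent-management product. It assumes the site has classified its cookies up front; the cookie names (`basket`, `csrf_token`, `_ga_demo`, `ad_id_demo`), their categories and the in-memory store are constructed for illustration. Non-essential categories start off, only a literal `true` recorded from a user action switches one on, withdrawal removes the cookie, and the recorded decision (with its timestamp) is what you retain as evidence.

```javascript
// Added example for this post (not DPN or ICO code): a consent gate that only
// sets non-essential cookies after an explicit opt-in. Cookie names, categories
// and the in-memory store are constructed for illustration.

// Cookies the site wants to set, classified up front. Only the
// 'strictly_necessary' category may be set without consent.
const COOKIE_REGISTRY = [
  { name: 'basket',     category: 'strictly_necessary', purpose: 'items added to the shopping basket' },
  { name: 'csrf_token', category: 'strictly_necessary', purpose: 'protects forms against cross-site request forgery' },
  { name: '_ga_demo',   category: 'analytics',          purpose: 'counts unique visitors (constructed name)' },
  { name: 'ad_id_demo', category: 'marketing',          purpose: 'advertising identifier (constructed name)' },
];

const NON_ESSENTIAL = ['analytics', 'marketing'];

// State before the user acts: every non-essential category is off.
// This is the "no pre-ticked boxes or sliders defaulted to on" rule.
function defaultConsent() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// Record a consent decision taken by the user. Only a literal `true` for a
// category counts as given; a missing value, 'on', 1 or anything else is
// treated as not given, never as an implied yes. The returned record, with
// its timestamp, is what you retain as evidence of the consent.
function recordConsent(choices, now = new Date()) {
  if (choices === null || typeof choices !== 'object') {
    throw new TypeError('consent must be an explicit decision object');
  }
  const granted = {};
  for (const category of NON_ESSENTIAL) {
    granted[category] = choices[category] === true;
  }
  return { granted, recordedAt: now.toISOString(), source: 'user_action' };
}

// Names of the cookies that may be set under the current consent record
// (null = no decision yet): strictly necessary always, others only if the
// record explicitly grants their category.
function allowedCookies(registry, consentRecord) {
  return registry
    .filter((c) => c.category === 'strictly_necessary'
      || (consentRecord !== null && consentRecord.granted[c.category] === true))
    .map((c) => c.name);
}

// Apply the decision to a cookie store. `store` exposes set(name, value) and
// remove(name), so the same logic runs against document.cookie in a browser
// or against a Map here. Cookies no longer allowed (consent withdrawn or
// never given) are removed rather than left in place.
function applyCookiePolicy(registry, consentRecord, store, values = {}) {
  const allowed = new Set(allowedCookies(registry, consentRecord));
  for (const cookie of registry) {
    if (allowed.has(cookie.name)) {
      store.set(cookie.name, values[cookie.name] || '1');
    } else {
      store.remove(cookie.name);
    }
  }
  return [...allowed];
}

// Minimal in-memory store used for the stand-alone run below.
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// Stand-alone run: first page view with no decision, then an explicit
// analytics opt-in, then withdrawal of that consent.
const demoStore = memoryStore();
applyCookiePolicy(COOKIE_REGISTRY, null, demoStore);
console.log('no decision yet:', demoStore.names());        // [ 'basket', 'csrf_token' ]
const optIn = recordConsent({ analytics: true, marketing: false });
applyCookiePolicy(COOKIE_REGISTRY, optIn, demoStore, { _ga_demo: 'GA1.demo' });
console.log('analytics opted in:', demoStore.names());     // [ 'basket', 'csrf_token', '_ga_demo' ]
const withdrawn = recordConsent({ analytics: false, marketing: false });
applyCookiePolicy(COOKIE_REGISTRY, withdrawn, demoStore);
console.log('consent withdrawn:', demoStore.names());      // [ 'basket', 'csrf_token' ]
```

In a browser the `store` argument would wrap `document.cookie` (setting an expired cookie for `remove`); the point of the abstraction is that the decision logic, which is what a regulator would ask about, stays separate from the mechanics and can be tested on its own.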

What does this mean for business?

While many might have already concluded this is what 100% compliance would require, this may have come as a nasty shock to those businesses who have not yet worked through the implications of this clarification.

All website operators need to review their cookie consent notices even if all they were doing was managing anonymised cookie data to review overall website traffic patterns and popularity of individual pages.

Even for basic analytics cookies, which may collect limited or no personal data at all, businesses will have to switch to an active opt-in to be compliant. If they cannot secure cookie consent, businesses are going to have to think again about how to understand how their sites perform with their customers.

One might argue that businesses have spent significant time and money creating a website or app using analytics to fine tune their content to be relevant and interesting for their audience. And, of course, this is precisely the case that businesses need to make to consumers in an open and transparent way to gain informed consent.

If the consumer can see what’s in it for them, they will consent because what the consumer wants is control and a balanced value exchange between themselves and business.

Are there non-cookie tracking alternatives?

In short, yes. Web logs are likely to be your first port of call, where you’ll be able to see volumes of traffic hitting individual pages. This data will obviously be anonymous and it will be difficult to establish unique users, but you should be able to track the most important performance metrics.

There is also a growing market for privacy sensitive technical solutions that don’t drop cookies. These include Fathom, Matomo and Simple Analytics. I’ve never used them and I’m not endorsing them, but it’s clear there is a movement starting towards a different way of analysing website traffic.
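As an added example (not the article’s own code, nor any of the tools it names), here is a JavaScript script that derives per-page and per-day traffic counts from web server access logs in the common “combined” format. The log lines are constructed, using documentation-range addresses, and are not from any real server. One caveat from the security side: raw access logs contain client IP addresses and full request URLs, both of which can identify a person, so the parser matches the address only to validate the line and never returns it, and it strips query strings (which can carry e-mail addresses or tokens) before counting.

```javascript
// Added example (not from the DPN article): page-level traffic counts from web
// server access logs, reduced to aggregate figures only. The sample log lines
// are constructed (RFC 5737 documentation addresses), not real traffic.

// Combined Log Format:
// client ident user [timestamp] "METHOD target protocol" status bytes "referer" "agent"
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (?:\d+|-)/;

// Assets rather than pages; their hits are not counted as page views.
const STATIC_EXT = /\.(css|js|png|jpe?g|gif|svg|ico|woff2?|map)$/i;

// Parse one line into the fields needed for page statistics. The client
// address is matched so the line validates, but it is deliberately not
// returned: per-page counts do not need it.
function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, , timestamp, method, target, status] = m;
  const path = target.split('?')[0];   // drop query strings: they can carry identifiers
  const day = timestamp.split(':')[0]; // "10/Jul/2019:10:00:01 +0000" -> "10/Jul/2019"
  return { day, method: method.toUpperCase(), path, status: Number(status) };
}

// A page view is a successful GET of something that is not a static asset.
function isPageView(entry) {
  return entry.method === 'GET'
    && entry.status >= 200 && entry.status < 300
    && !STATIC_EXT.test(entry.path);
}

// Aggregate raw lines into hits per page and per day, counting lines that
// do not parse so that a format change in the logs is noticed.
function aggregate(lines) {
  const result = { pageHits: {}, byDay: {}, parsed: 0, unparsable: 0 };
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry === null) { result.unparsable += 1; continue; }
    result.parsed += 1;
    if (!isPageView(entry)) continue;
    result.pageHits[entry.path] = (result.pageHits[entry.path] || 0) + 1;
    result.byDay[entry.day] = (result.byDay[entry.day] || 0) + 1;
  }
  return result;
}

// Top N pages as [path, hits] pairs, most hits first, path as tie-breaker.
function topPages(pageHits, n = 10) {
  return Object.entries(pageHits)
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, n);
}

// Constructed sample log: two days, one asset, one POST, one 404, one line
// with a query string carrying an e-mail address, and one corrupt line.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Jul/2019:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Jul/2019:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 91000 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Jul/2019:10:03:15 +0000] "GET /pricing?utm_source=newsletter&email=someone%40example.test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Jul/2019:10:05:00 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Jul/2019:10:05:30 +0000] "POST /signup HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [11/Jul/2019:09:00:00 +0000] "GET /blog/cookies HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [11/Jul/2019:09:00:05 +0000] "GET /missing HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

// Stand-alone run.
const stats = aggregate(SAMPLE_LOG);
console.log('page hits:', topPages(stats.pageHits));   // [ [ '/pricing', 3 ], [ '/blog/cookies', 1 ] ]
console.log('by day:', stats.byDay);                   // { '10/Jul/2019': 3, '11/Jul/2019': 1 }
console.log('parsed/unparsable:', stats.parsed, stats.unparsable); // 7 1
```

On a real server you would stream the log file line by line into `aggregate` rather than hold it in memory; the output is then purely aggregate counts, which is the form in which the author suggests log data can stand in for analytics cookies.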

Julia Porter, July 2019

Cookies, Consent & Compliance: 10 takeaways from the ICO’s update report into AdTech and RTB

The ICO has published an Update Report on AdTech and Real Time Bidding (RTB). The clue is in the word “update” in that it has decided to take a thoughtful and iterative approach to tackling the multiple and complex issues associated with the use of personal data in programmatic advertising.

For now, the focus is on RTB, which is a subset of the programmatic landscape. However, we can assume that what happens in this area will impact other areas of programmatic advertising.

Here are our top takeaways from the ICO update:

1. Consent or LI? The current methods for obtaining consent as a lawful basis are insufficient and lack transparency, whilst opportunities to use legitimate interest are limited

2. Special Category Data – Processing data fields that constitute special category data requires explicit consent of the data subject. This is not occurring

3. Profiling – There’s concern about the widespread processing of personal data to create profiles in a way which the ICO feels is disproportionate and intrusive

4. Too much data? – There’s a lack of insight as to whether all the personal data being collected actually needs to be processed in order to achieve the intended advertising outcome

5. Reliance on contracts – There’s an inappropriate reliance on contractual agreements to protect how bid request data is shared, secured and deleted

6. Lack of DPIAs – Amongst RTB participants, there appears to be evidence of an absence of good data governance with limited use of DPIAs

7. Good data governance – The ICO is aware that programmatic advertising is here to stay but says that appropriate and responsible data protection practices are crucial

8. Vulnerable publishers? – The Regulator is also mindful action could have a detrimental effect on the economic health of vulnerable publishers

9. Continued collaboration – The ICO intends to continue to consult with interested parties including IAB Europe and Google as well as other European DP authorities

10. Regulatory action – The Regulator has given notice it intends to intervene in the market and has given the industry 6 months to start making changes

To their credit, the ICO has consulted widely to make sure they’ve gained a complete understanding of the challenges. Is the ICO being too tough or too lenient?

The activist groups are impatient for action whilst some agencies, brands and media owners may be in denial about the need to change. Notwithstanding the differing views, this report sets out a very clear direction of travel and the various players in the advertising industry need to pay attention. The ICO has given fair warning that they will start to take action sooner rather than later.

Julia Porter, 21 June 2019

Prospects, Leads, Bought-in lists … Don’t forget the right to be informed

Transparency, Control and the Right to be Informed

Let me take you back a year, to April 2018 – a time when there was a considerable flurry to ensure Privacy Notices (often called Privacy Policies) were updated to reflect the GDPR information requirements.

Organisations needed to cover the purposes of processing personal data, the relevant lawful bases, overseas data transfers, individual rights, work out what on earth to say about data retention periods… and so the list went on. Once the checklist of requirements was ticked, next was the challenge of presenting this information in a clear, easy to understand and concise way. No easy task.

Fast forward a year and I suspect your Privacy Notices have been tweaked along the way, but are you remembering to not just meet the requirements to provide information to individuals when you collect their personal details directly from them (Article 13), but also the requirements of Article 14? To comply with the latter you should provide privacy information to individuals whose data you process when you have NOT collected their details directly from them.

This could be personal information you may have received from a third party, or perhaps business prospects you have researched from openly-available sources (under your carefully assessed Legitimate Interests, of course). It’s important not to forget to provide privacy information to these individuals too.


Well, an interesting case popped up recently in Poland. The President of the Personal Data Protection Office (UODO), has fined a company 220,000 euros (yes, you read that correctly) for not fulfilling Article 14. The company was found to have obtained records from publicly-available sources, but had not informed many of those individuals that they were processing their personal data. This meant those individuals were denied the ability to exercise their rights.

Admittedly, in this case, the company was processing millions of publicly-sourced records – hence the size of the fine. However, it’s a wake-up call for all of us and tells us that regulators are prepared to enforce the law for Article 14. How can an individual exercise their right to object to processing or request erasure if they don’t even know you’re handling their personal information? And, remember personal data includes business contact information too, not just your customers.

What does Article 14 require organisations to do?

Article 14 sets out the information you should provide to individuals when you’ve sourced their personal data indirectly. This information should include:

  • The identity and contact details of the controller
  • Contact details for the DPO, where applicable
  • Purposes of processing and lawful basis
  • Categories of personal data concerned
  • Recipients or categories of recipients, if any
  • Transfers to a third country, and reference to appropriate or suitable safeguards
  • Data retention periods, or criteria used to determine that period
  • The legitimate interests pursued by the controller or a third party (if relevant)
  • The right to withdraw consent (if relevant)
  • Individual Rights, including right to lodge a complaint with a Supervisory Authority
  • Existence of automated decision-making, including profiling

This should all sound familiar, as it’s the information you would have ticked off as requirements for your Privacy Notice (under Article 13).

Furthermore, Article 14 sets out when this information must be provided:

1. Within a reasonable period after obtaining the personal data, but at least within one month
2. If personal data are to be used for communications with the individual, at the latest in the first communication with them.

Plus, if a disclosure to another controller is expected, this information must be provided at the latest when the information is first disclosed.

Are there any exceptions?

The provision of information is not required if the individual already has this information, or the provision of this information proves impossible or would involve disproportionate effort (particularly in relation to processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes). Disproportionate effort is difficult to demonstrate, the scope of the exceptions is limited and therefore to avoid falling foul of the rules it would be wise to endeavour to fulfil Article 14.

What should you do?

For example, with researched prospects, bought-in marketing lists and personal data received from another third party, you should contact the individuals concerned within a month, inform them you’re processing their personal data and why. You should also provide them with an opportunity to object and (at the least) present a clear link to your Privacy Notice to fulfil other requirements.

Philippa Donn, April 2019

Legitimate Interests: It’s legit, isn’t it?

“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate”
UK Information Commissioner’s Office

Let’s say you want to process personal data for a specific purpose and in this situation obtaining consent would be tricky or perhaps inappropriate. The activity isn’t covered by a contract, and certainly isn’t something which is in the individuals’ vital interests. This looks like a case of legitimate interests, doesn’t it?

Just because you want to process personal data doesn’t mean you can – lawfully. Legitimate interests may be, in the words of the ICO, “the most flexible lawful basis”, but the words “you cannot assume it will always be the most appropriate” are equally important. You must make an assessment to balance your business interests with the interests and privacy rights of the people whose personal data you are processing. This will require some judgement: is your intended purpose really necessary, and is it within the reasonable expectations of those whose personal data you are using?

If so we can move on to the ‘balancing test’. Now, we need to identify and evaluate the privacy rights of the individual and judge if these are affected by the intended processing. For example, people have a right to know how their data will be processed, so how will you inform them? Will you add additional information at the time of collection, or update your privacy notice? Will you enable them to object to this processing?

This balancing test must be conducted fairly, without biasing the scales in favour of your business interests. To ensure fairness, some people find it helpful to put themselves in someone else’s shoes. For example, consider whether your Dad (for instance) would expect this activity to be happening or maybe what your aunt would feel if she found out. Your business may think it’s legitimate, but would the people whose data is being used agree?

Some legitimate interests are fairly clear cut, for example processing for the prevention of fraud or for other strictly necessary reasons. But others require more careful thought and assessment.

What does GDPR say about Legitimate Interests?

Article 6(1)(f) states:

‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’

Also take care to read Recital 39 which explains the need for transparency and specifically Recital 47, which explains the requirements to take into consideration reasonable expectations, a relevant and appropriate relationship and the need for a careful assessment. This Recital is important for marketers, as it confirms that direct marketing may be considered to be a legitimate interest.

What makes a purpose legitimate?

Let’s run through the steps. To ensure you are compliantly relying on legitimate interests you need to conduct a 3-stage test, what we at the DPN and the ICO term a Legitimate Interests Assessment (LIA). The 3 core elements of the test are:

1. The assessment of whether a legitimate interest exists (i.e. the purpose is a legitimate one)
2. Confirming the processing is necessary (i.e. there’s no alternative way to achieve the result)

and last but by no means least…

3. The performance of a balancing test to decide if a particular processing operation can rely on legitimate interests.

Be careful not to overplay your business interests in this assessment or undermine the rights of individuals. You need to take a holistic approach and properly consider your relationship with the individuals whose data is being used, whether you are being transparent, whether you have enabled individuals to exercise their lawful rights, and whether the processing would be within their reasonable expectations.

If your reliance on legitimate interests is challenged you will need to be able to demonstrate that you fully considered the necessity of the processing, balanced this and came to a decision that people’s interests and rights did not override your interests. Conducting and documenting LIAs will show you did this, but remember it is no guarantee your decision will be upheld. Legitimate interests may be the most flexible lawful basis but it is risk-based.

For more information, case studies and an LIA template please see our industry-led Legitimate Interests Guidance, which was first published in July 2017 and now features 30 examples of its use. The ICO has also published detailed guidance.

What next for legitimate interests?

We are still in the early months of GDPR and have only seen limited enforcement by supervisory authorities across Europe under this new law. Challenges are likely to have already been made surrounding legitimate interests, more will come, and any regulatory action in this area will be watched with avid interest.

Philippa Donn, January 2019