These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.
The presentation was intended to help charities understand the most pressing implications of GDPR from both an operational and a marketing standpoint.
You can find out more about our organisations here:
https://tech-trust.org/
https://www.lightful.com/
https://www.meetup.com/netsquaredlondon/
4. Services
Lightful is a technology company for social good. We help charities and social enterprises raise more funds, awareness and support using digital and social.
Platform Labs
#Lightful #GDPR
7. GDPR – An Overview & What It Means For Charities
HAYDN THOMAS & ANDREW CROSS
@HMTIV @Crozzmeister
8. Data Protection Introduction
The story so far…
Data Protection Act (DPA) of 1998
Privacy and Electronic Communications Regulations (PECR) of 2003
Freedom of Information Act of 2000
E-Privacy Regulation (2018, on course to launch with GDPR)
General Data Protection Regulation (GDPR) of 2016 (compliance – now! Enforced from 25th May 2018)
Which will become…
Data Protection Bill (DPB): implements GDPR with UK variations.
9. GDPR – The lowdown
What? The General Data Protection Regulation (GDPR): EU legislation for Data Protection (DP).
When? May 2016 > 25th May 2018.
Who? All EU organisations that process personal data, or organisations overseas that process data on EU citizens.
How? ICO guidance, regulatory bodies, seminars.
10. E-Privacy lowdown
What? Overhaul of PECR 2003 regarding the processing of electronic communications data.
When? Likely 25th May 2018.
Who? As before (EU states and EU citizens).
How? ICO guidance on how to handle the new e-privacy regulation.
12. The 6 principles of GDPR
Process lawfully, fairly and in a transparent manner.
Collect for specified, explicit and legitimate purposes.
Only keep what is adequate, relevant and limited to what is necessary.
Store accurate information and keep it up to date.
Retain only for as long as necessary.
Process in an appropriate manner to maintain security.
And the bonus principle… accountability.
13. Consent
What is consent?
• Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
• What does this mean?
• Usually at the point of data collection (web forms, paper forms or verbal channels) the data subject is given a statement that corresponds to what their information is being used for, usually including who will be storing the data (the Data Controller), how they can find out more (a DP policy link), and clear information on how to opt out of certain processing.
What constitutes “valid” consent?
Affirmative opt-in boxes: Mail/Tel/Email/SMS
Clearly labelled optional information (separate from the main form)
Re-permissioning – consent needs to be refreshed on a regular basis
Consent centre – My Life Digital (MLD), Lightful Salesforce Application and Communities/Platform Preference Centre
15. GDPR – Data Subjects’ Rights
Whilst the GDPR builds on the Data Protection Act, which all entities within the UK need to adhere to, the following represent the key changes for organisations.
Data subjects have the following rights:
1. The Right to be Informed – how data will be used, through a Fair Processing Notice/Policies.
2. The Right to Rectification – to correct personal information if we possess inaccurate/outdated data.
3. The Right to Erasure – to remove yourselves from our databases.
4. The Right to Object to/Restrict Data Processing.
5. The Right to Object to/Restrict Data Processing for Marketing Purposes.
6. The Right to Data Portability.
7. The Right to Refuse Automated Profiling and Decision Making.
8. The Right to Access your Information (formerly the Subject Access Request).
16. GDPR – Consequences
• Tiers of monetary penalties, above and beyond the maximum £500,000 the ICO can currently dish out. This is circumstantial and depends upon the violation itself and on whether there has been any previous violation by the Data Controller or Data Processor.
TIER 1: Up to 20 million Euros or 4% of annual global turnover – whichever is highest.
TIER 2: Up to 10 million Euros or 2% of annual global turnover – whichever is highest.
With both the Tier 1 and Tier 2 fines it is likely there will need to be cases of precedent before the ICO dishes out some general rules of thumb.
OTHER ACTIONS, AS BEFORE, COULD BE:
Enforcement action
Undertakings
Advice
17. Subject Access Requests + Data Protection Officer
• Subject Access Requests – This is where the Natural Person enacts their right to obtain all the personal data that your organisation holds on them. The request has to be made in writing and with proof of identification; at present a small fee (£10) can also be charged. This fee disappears under the GDPR; however, for “excessive” cases there is some justification for making a charge.
Data Protection Officer – Do I need one?
The role of the Data Protection Officer then comes into play, and the requirement for one must also be evaluated. The GDPR stipulates that one is only required when one of the following conditions is met:
The organisation in question is a public body*
The organisation carries out large-scale monitoring of individuals
The organisation carries out large-scale processing of special categories of data, or processing of any data that relates to criminal convictions or offences
* Exceptions do apply (courts acting in their judicial capacity)
18. What you need to do
Be able to report data breaches to the ICO within 72 hours
Be able to answer a Subject Access Request (SAR) within 30 calendar days
Have clear lines of accountability and a nominated representative (DPO)
Have compliant data processes (acquisition, use, retention, deletion)
Document Data Privacy Impact Assessments (DPIA)
Informed consent documented and “recent”, or reliance on Legitimate Interests clear
21. Appendix – Standard Terminologies I
Data Subject/Natural Person – This is the living individual that the Personal Data relates to.
Personal Data – This is data that can be used to personally identify the individual; it would include things like names, addresses, phone numbers, email addresses, Facebook accounts and Twitter handles.
Sensitive Personal Data – This would include things such as religion, ethnicity, trade union membership, medical records, sexual orientation and criminal convictions. Biometric and genetic data are now included under sensitive data with the GDPR.
Data Controller – An entity who (either alone or jointly or in common with other entities) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
Data Processor – This would be an entity that processes data on behalf of an organisation.
Data Privacy Impact Assessment (DPIA) – These are risk matrices that cover the realms of Data Protection.
Subject Access Request (SAR) – These are requests to an organisation asking for all information that they hold on the Data Subject.
Data Processing Agreement (DPA) – This is an agreement between the Data Controller and either a Data Processor or another Data Controller. The former is more common.
Non-Disclosure Agreement (NDA) – This is usually to protect the Intellectual Property (IP) rights of an organisation and does in some contexts exist as part of a Data Processing Agreement. This is more commonplace if the individual isn’t processing data on behalf of an organisation, a creative designer for example.
29. “It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end users in order to effectively protect… the legitimate interest of legal persons.”
Recital 33
Consent > legitimate interest?
30. “However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services.”
(A bit further in) Recital 33
Actually no, it’s fine
31. “It is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes.”
Recital 34
Don’t be an idiot
32. “In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by email should present a link, or a valid electronic mail address, which can be easily used by end-users to withdraw their consent.”
Recital 35
Let people unsubscribe easily
34. “Data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.”
Article 4, 3(c)
Get consent for metadata
35. “ ‘Direct marketing communications’ means any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.”
Article 4, 3(f)
‘Direct Marketing’ is broad
36. “The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.”
Article 9, 1
‘Consent’ comes from GDPR
37. “The providers of publicly available directories shall obtain the consent of end-users who are natural persons to include their personal data in the directory.”
Article 15
Directory providers: source consent
38. “Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use.”
Article 16,2
Legitimate interest rules!.. Allow unsubscribes.
40. €10,000,000 or 2% of annual revenue:
Data breachers
Software providers
Directory providers
Unsubscribe ignorers
Article 23,2
Small <sic> fines
41. €20,000,000 or 4% of annual revenue: “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure” or non-compliance with the ICO
Article 23,4
Big fines for wire tappers, networks and idiots
43. Don’t market electronically to people unless you have consent or a legitimate reason!
1. Consent (from GDPR)
2. Privacy policies
3. Contracts with processors
45. Consent and GDPR
DP Directive: “any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
46. 1. Keeping records
2. Transparency of consent messages
3. Right to withdraw consent
4. Freely-given consent
47. 1. Transparency of consent messages
2. Right to withdraw consent
3. Freely-given consent
4. Keeping records
Be upfront
49. Records
1. Who consented?
2. When they consented
3. What they were told at the time
4. How they consented
5. Whether they have withdrawn consent (and if so, when)
52. Legitimate interest
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Recital 47
60. 1. Contact details of controller / DPO
2. Purpose(s) of the processing
3. Categories of personal data
4. Types of people with access to personal data
5. Details of international transfers / safeguards
6. Retention period
7. All of the data subject’s rights
8. (The right to withdraw consent)
9. (Legitimate interests)
10. (The existence of automated decision-making)
Articles 13 & 14
Intro NetSquared – voluntary thing
Which of us are organisers
Thanks to Outlandish
We might ask for donations
AGENDA
Health and safety
Go around room?
Direct marketing practices – who you can email, SMS, etc. is currently covered by the Privacy and Electronic Communications Regulation (2003)
Consent and other bits
But actually, the ePrivacy Regulation is also coming in on 25 May (as well as GDPR).
Two things: cookie consent messages likely just for 3rd party cookies (analytics, demographics, etc). More obligation on blocking them from the browser side.
OTTs include WhatsApp, Skype, etc. – all count now within messaging.
More of an issue for ESPs
Only one identifiable person?....
Soft opt-in still counts if you can use it
Don’t email people if you’re not allowed!
These are mostly geared at software suppliers, not charities – but comply with the ICO if you have to
Key elements remain.
Now it has to be a clear affirmative action.
This is only a starting point.
The Fundraising Regulator has set up the Fundraising Preference Service (FPS).
The FPS operates as a sector-wide withdrawal of consent to charity fundraising.
If an individual wishes to stop receiving marketing from charities, they can use the FPS to withdraw consent from all charities at once.
Flybe:
£70,000 for 3.5 million emails – to unsubscribers
Honda:
£13,000 for 350,000 emails – plus non-compliance
The difference between the two.
It’s in processors’ interests to comply because:
1. Otherwise they’d lose business
2. They are liable for breaches if they don’t comply
These should actually be a quick thing to fix – it’s the processes that you use as an organisation that will take longer
Econsultancy have two good guides
The ICO have put out a good checklist
Thank you!!
Follow up:
Find the write up of tools – please share
Sign up for next meetup
Tell friends
Go to pub