The document summarizes Travelodge's approach to planning and deploying GDPR compliance. It outlines key functional tasks like data retention policies, training, and audits. It describes reviewing internal processes by department and assessing legal basis, data types, and prioritization. It identifies risks like over-reaction and lists marketing areas of focus such as the difference between GDPR and ePrivacy regulations, the legitimate interest assessment, and requirements for profiling and consent.
2. • Consultant eCRM & Marketing Automation specialist with over 15 years agency & client side delivery experience.
• Owner of Twist Consultancy, helping improve how businesses connect to people.
• Interim Head of eCRM for Travelodge for the past 18 months.
• Legal Hub (Email Council) member
5. GDPR functional tasks
• Data Retention Policy
• Team Training / Education
• Change deployment
• Reporting & impact assessment
• Appoint Data Steward and Owners
• 3rd Party & Data Process Audit
• Privacy Impact Assessments
• Internal Process reviews
• Process Remediation & Control planning
• Subject Access Request policy
6. Data Stewards
Departments: Operations, IT, Payroll, Sales & Call Centre, Marketing, Legal, Comms & Training, Customer Service, Health & Safety
• Activity
• Current Issues
• Key Risks
• Decisions / Considerations
7. Process review approach
1. Identification
•Department
•Named owner
•Description
2. Legal Basis
•Why completed
•Outcome
•Legitimate Interest / Consent
3. Data
•Type
•Actions
•Retention policy
4. PIA
•Light review completed
•Is full PIA required?
5. Prioritisation
•Process complexity
•Remediation effort
•GDPR impact
8. Privacy Impact Assessment (light)
Question (Yes/No?)
1 From the viewpoint of the individual: “Is the information about individuals likely to raise privacy concerns or expectations?”
2 Does or will the process involve the collection of new or sensitive information about individuals?
3 Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
4 Will the process require you to contact individuals in ways which they may find intrusive? (i.e. likely to require consent)
5 Will information about individuals be disclosed to organisations or people outside of Travelodge staff, or who have not previously had routine access to the information?
6 Does the process involve you using new or existing technology which might be perceived as being privacy intrusive, e.g. biometrics, facial recognition or surveillance?
7 Will the process result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
9. GDPR strategic view and aim
Chart: Risk against Elapsed time (Today, Year End, 25th May 2018, 3 years), with £x residual risk at 25th May 2018.
• Upper fine threshold: 4% or EU 20m
• Lower fine threshold: 2% or EU 10m
Risk reduction phases:
• Reduction by adoption of key principles, control standards, Custodians, training and data minimisation.
• Reduction via new or revised policy, process, procedure and training.
• BAU process improvements, audit and maintenance.
10. Identified risks
● Over or under reaction.
● Misinterpretation of requirements.
● Lack of precedent.
● Lack of ownership (Data Owners, Custodians & Stewards).
● No agreed external technical standards.
● Poor statutory documentation maintenance.
● Weak and poorly defined internal processes:
○ Video handling
○ Subject access
○ Room damage charging
● Resource constraints (Scrum Master and Business Analysis)
11. Dashboarding GDPR
There is not yet an agreed external control standard for GDPR for us to comply with.
We are using the 12 controls from PCI to measure our status as an interim measure (nb not a perfect fit).
The PCI standard does not cover all areas under GDPR, e.g.
● Parts of consent
● Parts of right to be forgotten
● Mandatory reporting
● Parts of privacy
As formal standards come into force we will reassess an appropriate framework to report against.
Dials are based on an assessment of the 12 PCI controls applied to customer data.
13. Marketing specific areas of focus
• GDPR is not e-Privacy
• B2C vs. B2B
• Legitimate Interest Assessment
• Displaying Privacy T&C’s
• Profiling
“They had their names removed using the right to be forgotten”
14. GDPR and e-Privacy
https://dma.org.uk/article/gdpr-consent-or-legitimate-interest-email-marketers-need-both
You need a legal basis to send email, SMS and automated telephone marketing (defined by PECR and ePrivacy).
You need a separate legal basis to collect, store, process, share and use the contact details and all the ancillary data used for targeting, segmenting and personalisation (defined by DPA and GDPR).
These are different laws and they work together.
15. B2C vs. B2B e-Privacy changes
Roundup from Zach Thornton, external affairs manager, DMA.
A change regarding opt-in for B2B marketing to corporate companies (B2B marketing via electronic channels would require prior opt-in consent).
● 25 May 2018: GDPR comes into force
● 29 March 2019: UK leaves EU
● 25th May 2019: E-Privacy Regulation comes into force? (with 6 month grace period)
Current advice from the DMA is not to change to ‘opt in’ for email and SMS at this time.
https://dma.org.uk/article/10-things-b2b-marketers-need-to-know-about-the-gdpr-and-data-protection
16. Profiling for direct marketing
Roundup from Janine Paterson, solicitor and legal manager, DMA.
Profiling (Articles 21 and 22): right to unsubscribe/opt out from a decision based on profiling which produces legal effects concerning the individual or similarly significantly affects the individual.
Does direct marketing produce legal effects or similarly significantly affect an individual?
Article 29 Guidance on Profiling, out for consultation:
“In many typical cases, targeted advertising does not have a significant effect on individuals”
However, it is possible it may, depending on:
• the intrusiveness of the profiling process
• the expectations and wishes of the individuals concerned
• the way the advert is delivered
• the particular vulnerabilities of the individuals targeted.
18. Displaying Privacy T&C’s
Layered approach to GDPR T&C’s (use of a headline with expanding descriptions, as there is too much content to have on one page). Good examples:
• BBC
• ICO
• Guardian newspaper
• Channel 4
• Gmail
• Vodafone
• BT
https://dma.org.uk/article/writing-a-privacy-notice-a-key-part-of-gdpr-compliance
19. Unexpected benefits from audits
• Identified ‘forgotten’ sign-up points where email addresses were not being captured
• Identified web tagging that is now incorrect, where data was being captured incorrectly