Is Your Business Ready for GDPR?
Matt Skinner | Head of Digital Strategy & Data | Proctor + Stevenson
#SrijanWW | @srijan
A few of our current clients…
WHAT IS IT?
• Regulation to strengthen and unify data protection for individuals within the European Union
• Affects the collection, processing and profiling of personal data
• Will impact businesses globally
• Approved May 2016
• Deadline for compliance: 25th May, 2018
• Updates and clarifications are ongoing
Key Definitions
1. Personal Data - any information relating to an identified or identifiable natural person.
2. Data Controller - the person/entity which determines the purposes and means of the processing of Personal Data. (Master company)
3. Data Processor - a legal entity that processes Personal Data on behalf of a Data Controller. (Outsourced providers, agencies etc.)
4. Processing - any operation which is performed upon Personal Data, whether or not by automated means, e.g. to collect, store, use in any way etc.
GDPR: Aims
● Put individuals back in control of their data
● Create a balance of power between businesses and customers
● Promote transparency
● Harmonise data protection law across the EU
● Make data laws fit for the digital age
What is Personal Data?
Anything that identifies an individual. For example:
● Full name
● Job title
● Email address
● Direct phone number
● Data relating to an individual's actions or behaviours
● Computer IP address
Any data held on an EU or UK citizen will need to comply.
Data on EU citizens will be treated the same, wherever it’s held.
Usage of Personal Data
The Personal Data you hold must be:
● Fairly and lawfully processed
● Processed for limited/specified purposes
● Given the purpose of the processing, adequate, relevant and not excessive
● Accurate and up to date
● Kept no longer than necessary
● Secure
Data Controllers are responsible for demonstrating compliance with these principles.
Sanctions
● A warning in writing in cases of first/non-intentional non-compliance
● Regular periodic data protection audits
● A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
● A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
Legal Grounds for Processing Data
Security
The GDPR imposes a general obligation on Data Controllers and Data Processors to adopt technical and organisational measures in order to ensure that the Personal Data you hold is kept secure.
For example:
● Secure use of staff equipment and IT systems;
● Encryption of digital data;
● Clear desk policy and secure storage of hard copy documents;
● Understand and respect confidentiality obligations and sensitivity re the information you hold;
● Transfer of data between controller and processor
Third Parties
Sometimes you will provide Personal Data and/or allow access to your systems to third parties who will work for you. If so, you must…
• Enter into a written agreement (Data Protection Agreement) with the third party that includes assurances re. data protection
• Ensure the third party is aware of your expectations and requirements around the use of your Personal Data
• Consider the third parties you work with in terms of risk. An agency’s responsibilities under GDPR now link all of their clients together. If one client suffers a breach, it can potentially affect all clients.
GDPR: Impact on Comms and Marketing
‘Data harvesting’ will become impossible
Marketing databases will become smaller… but their value will increase
List brokers will become near-obsolete
The way data is collected will need to change – “conditional” and “incentivised” provisions mean that common digital marketing strategies will become riskier
[Srijan Wednesday Webinars] Is Your Business Ready for GDPR
How users currently enter the database (diagram): Website, CRM, manual addition, bought-in list → Marketing database (held indefinitely) → Communications sent
GDPR: Volume
188,887 contacts in the database.
29,985 contacts have opened an email in the last 6 months.
3,646 have clicked through from an email in the last 6 months.
This means that 98% of the contacts in the database have never clicked on an email.
Contact management, in comparison to other system users (chart)
Campaign management, in comparison to other system users (chart)
GDPR In detail
Legal grounds for processing data (exhaustive list): Consent, Legitimate interest, Public interest, Vital interest, Law, Contract. No processing allowed without a legal ground!
Can I use legitimate interest?
Can I use contractual grounds?
How do I continue to avoid relying on consent?
How do I only rely on consent?
If your marketing communications are not worth saying yes to, you have a problem with your marketing communications.
GDPR: Consent
Consent must:
● Be a clear affirmative action by the data subject (no pre-ticked boxes)
● When in writing, be clearly distinguished from other matters
● Be authorised by a parent if given by a child (<16) in relation to online services
● Be recorded so you can demonstrate consent was given
● Be freely given, specific, informed and unambiguous
Consent can be withdrawn at any time.
Consent cannot be:
● A contractual requirement unless necessary for performing the contract (i.e. entering a prize draw)
● Tied to something else
● The default, i.e. pre-ticked, opt out
Consent needs to be specific, informed and unambiguous. The period of retention must be made clear, and you must not collect more data than is necessary.
We need to shift the audience mindset from “I don’t object to receiving marketing communications” to “I want marketing communications”.
GDPR: Comms Strategy
● Treat your comms strategy as a new service line. A separate, standalone subscription service. Manage it as such.
● Utilise existing systems and channels to promote this service.
● At every point you speak to or contact a customer, include an option to gain consent.
Offline consent process (diagram)
How users currently enter the database (diagram): Website, CRM, manual addition, bought-in list → Marketing database (held indefinitely) → Communications sent
How users should enter the database (diagram): Website, CRM → Consent / legal grounds recorded → Marketing database (held for defined period) → Communications sent, with consent on record
Information you should have on file
Name: Matt Skinner
Interests: Care Bears, data regulations
Types of communications requested: events, newsletter, guides
Language: English
Date consented: 12 October 2017, 18:47
Subscription ends: 12 October 2019, 18:47
You can therefore send information about events, offers or product updates related to Care Bears and data regulations for 24 months.
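The record above is in effect a small data model, and each field is a check that has to pass before a communication goes out. The following is an added example (not code from the deck or from Proctor + Stevenson) that encodes that record and the checks in Python; the `ConsentRecord` class, the field names, the `withdrawn_at` field and the month arithmetic for the subscription end are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class ConsentRecord:
    """One row of the consent register: who agreed, to what, when and for how long."""
    name: str
    interests: frozenset             # topics the subscriber asked to hear about
    communication_types: frozenset   # kinds of message the subscriber requested
    language: str
    consented_at: datetime
    retention_months: int = 24       # slide: the subscription runs for 24 months
    withdrawn_at: Optional[datetime] = None  # consent can be withdrawn at any time

    @property
    def subscription_ends(self) -> datetime:
        # Assumption: the subscription ends retention_months after consent, at the same
        # day and time (a consent date on the 29th-31st would need day clamping).
        total = self.consented_at.month - 1 + self.retention_months
        return self.consented_at.replace(year=self.consented_at.year + total // 12,
                                         month=total % 12 + 1)

def is_live(record: ConsentRecord, now: datetime) -> bool:
    """Live from the consent timestamp until withdrawal or the end of retention."""
    if record.withdrawn_at is not None and now >= record.withdrawn_at:
        return False
    return record.consented_at <= now < record.subscription_ends

def may_send(record: ConsentRecord, comm_type: str, topic: str, now: datetime):
    """Return (allowed, reason); log the reason as evidence of the legal ground used."""
    if not is_live(record, now):
        return False, "no live consent on record"
    if comm_type not in record.communication_types:
        return False, f"communication type {comm_type!r} was not requested"
    if topic not in record.interests:
        return False, f"topic {topic!r} is outside the consented interests"
    return True, "consent on record"

def purge_expired(database: list, now: datetime) -> list:
    """Keep only live records: held for the defined period, not indefinitely."""
    return [r for r in database if is_live(r, now)]

# Constructed record copied from the slide's "information you should have on file".
MATT = ConsentRecord(name="Matt Skinner",
                     interests=frozenset({"Care Bears", "data regulations"}),
                     communication_types=frozenset({"events", "newsletter", "guides"}),
                     language="English",
                     consented_at=datetime(2017, 10, 12, 18, 47))
```

Running `purge_expired` on the marketing database on a schedule is what turns "held for a defined period" from a slide into a property of the system.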
In summary
● GDPR is an opportunity, not a threat
● Take responsibility as an individual, not as a department
● Start from consent and work backwards
● Respect your audience
● Start experimenting! Have fun!
Contact
Matt Skinner
Head of Digital Strategy + Data
Proctor + Stevenson
matt.skinner@proctors.co.uk