Consent, marketing and those pesky GDPR emails


In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!

Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25th May). The irony is that by trying to comply with one law companies could be falling foul of another.

It’s a myth, which has been busted by the Information Commissioner, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are an additional five legal bases set out in Article 6:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR does not fundamentally change the position set out in the current Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA.

Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).

Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.

The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Only where existing permissions do not meet GDPR’s higher standards or are poorly documented will companies need to seek fresh consent, or identify a different lawful basis for processing. (See also the A29WP Guidelines on consent and our blog post here.)

But another, equally important, law may also apply. Where companies are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) will also apply. PECR is 15 years old yet many companies still fall foul of it. Failure to comply could lead to a fine of up to £500,000.

PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must get their consent (unless they rely on the so called “soft opt in”, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers i.e. a company e-mail address, even if it belongs to an individual.

The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.

In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct?” advising them to amend any out of date information and update any marketing preferences.

Personal information on marketing databases and mailing lists is of two types: that which has been gathered through regular contact with, or the consent of, the individual, and that which has been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than it solves.

The final word to Steve, the deputy Information Commissioner:

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.


GDPR and Data Protection Impact Assessments: When and How?


Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.

DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).

Guidance

Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP) data protection impact assessment guidelines and the ICO’s DPIA guidance.

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publicly accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance states that it requires a Data Controller to do a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to 95):

  • A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purposes.
  • An assessment of the risks to Data Subjects.
  • The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and a number of methodologies are referenced in the A29WP guidance (Annex 2).

When should a DPIA be conducted?

DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Design approach, which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

What about current data processing operations?

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.

The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought, as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.

Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


Act Now Launches GDPR Helpline


Act Now Training is pleased to announce the launch of its GDPR Helpline.

The General Data Protection Regulation (GDPR) is a complicated piece of legislation not helped by the fact that it has to be read alongside the Data Protection Bill (currently making its way through Parliament) as well as other legislation. Internal legal departments are often over stretched and dedicated Data Protection practitioners are hard to recruit. External legal advice in this area is very expensive and there are few experts in this field with real experience of advising the public sector.

The Act Now GDPR helpline is designed to supplement organisations’ internal DP expertise by acting as a friendly advisor/sounding board for discussing GDPR and data protection issues/requests and helping to avoid attracting the attention of the Information Commissioner. Our data protection experts will guide callers through the relevant legal provisions and make recommendations about how to handle difficult data protection situations.

Ibrahim Hasan, a solicitor and director of Act Now Training, who has 20 years’ experience of advising and training the public sector, manages the GDPR helpline. It builds on the success of our DPA helpline, which ran for many years and counted a number of local authorities and government agencies amongst its subscribers. More details, including terms and conditions, here.

Act Now has also relaunched its popular FOI/EIR helpline, which guides subscribers through the maze of information access legislation including the Freedom of Information Act and the Environmental Information Regulations.


GDPR: Updating Privacy Notices


Are you caught in a last minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)?

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects, as well as the manner and timeframe.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

Contents

Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:

  • the identity and contact details of the Data Controller and, where applicable, any representative
  • the contact details of the Data Protection Officer, where applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
  • where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
  • the recipients or categories of recipients for the personal data (if any)
  • details of international transfers and their legal basis

In addition the Data Subject must be given the following information necessary to ensure fair and lawful processing:

  • the period for which the data will be stored or, where this is not possible, the criteria used to determine that period
  • the existence of the Data Subjects’ rights e.g. Data Portability and Subject Access, Rectification, Erasure etc.
  • where the processing is based on consent, the fact that consent can be withdrawn at any time
  • the right to lodge a complaint with the supervisory authority (the ICO)
  • where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data
  • details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.

Format

GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request, e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company O2 has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists and their privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).

Examples

Our consultant, Scott Sammons, has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London I Essex Council I Halifax Bank I Decoded Legal (law firm)

Age UK (charity) I Act Now Training

The DFE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

If you need to raise awareness about GDPR, our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.


GDPR is coming but don’t panic!

The General Data Protection Regulation (GDPR) will come into force in 3 weeks’ time. 25th May though is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20 million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the Commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and if so who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioner’s full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!


Gill Smith Joins Act Now’s GDPR Team


Act Now Training is pleased to announce that Gill Smith has joined its team of consultants.

Gill is a specialist consultant and trainer in the practical implementation of Data Protection legislation (including GDPR) and has been involved in managing and assisting organisations with compliance management since 1988. During that time she worked in local government for 15 years managing and administering Data Protection and Security compliance.

Since 2003, Gill has assisted public and private sector organisations as an independent consultant and trainer. This includes the provision of seminars and workshops on Data Protection and Freedom of Information implementation for practitioners, as well as providing in-house training for employees of businesses, local authorities, charities, and government organisations in England and Northern Ireland.

Gill will be delivering some of our existing programme of courses and developing new ones. She will also be servicing our in house training clients in FOI and GDPR.

Ibrahim Hasan said:

“I am very pleased that Gill has decided to join our team. She is a well-known and well-respected name in the field of information governance with a proven track record of delivering high quality jargon free training. Her experience will help us deliver more courses across the country and satisfy growing client demand.”

There is still time to raise awareness of GDPR before 25th May. See our programme of public courses. If you need to train frontline staff, our e learning course is ideal.

Information Rights Expert joins Act Now GDPR Team


Act Now Training is pleased to announce that Scott Sammons has joined its team of consultants.

Scott is an experienced information governance practitioner, having worked in both the public and private sector for 10 years, most recently as the GDPR implementation lead for Essex County Council. With certificates in Data Protection and Freedom of Information, his experience and expertise make him a great addition to our team.

Scott’s GDPR experience includes:

  • Implementation of GDPR in a local authority
  • ROPA deployment
  • Information Mapping & risk assessment
  • Consent & Marketing workshops
  • GDPR awareness sessions for the private sector

Currently Scott also volunteers for the IRMS. The IRMS is one of the leading professional bodies for those that work in information governance and information management.

Scott contributes frequently to guidance and awareness of information related matters via blogging as well as volunteering for the IRMS running events and developing materials for information professionals.

Scott said:

“I am really pleased to be joining the Act Now team. I hope to assist in delivering Act Now’s range of information rights courses as well as developing new ones. My public and private sector experience will I believe stand me in good stead to assist Act Now’s clients with their information rights workload.”

Ibrahim Hasan said:

“I am pleased that Scott has become a part of our growing and wonderful team of vastly experienced trainers. His real-world experience and knowledge of information rights will help us expand our services and deliver even more courses to our client base. We have become well known for the trainers we have with their fantastic skill and experience but also for their ability to deliver a difficult subject for many, in a simple and plain speaking way.”

Act Now Training is growing rapidly and, with over 15 years’ experience in this sector, we have the grounding to help your organisation with its information rights needs. We offer a full range of training and consultancy services including health checks to gauge your preparedness for GDPR and audits, as well as offering full certificate courses.

Act Now recently launched its brand new E-Learning Package specifically aimed at frontline staff. It has been a huge success with hundreds of people having signed up. Click here to find out more!

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require this or any other course delivered at your premises, tailored to your needs, please get in touch and we would be happy to deliver it for you.
