3. Tim Roe
Compliance Director for RedEye
Public
• Certified Data Protection Practitioner
• Data Protection Law and IG
• Direct Marketing Association’s Privacy taskforce
• Vice chair of the Direct Marketing Association’s Responsible Marketing Committee
• Content contributor and course tutor for the Institute of Direct Marketing
• Content contributor and expert content adviser for the Direct Marketing Association
8. What do you need to be compliant?
- Process what's needed
- Be transparent
- Data source
- Information available
- Lawful basis
- Processing activities
- You need the audit trails to prove compliance and to prove...
ACCOUNTABILITY
9. What data is covered under GDPR?
Name
Email Address
ID Numbers
Cookies
IP addresses
Profile Information
Segments they belong to
Personal data is “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier” (ICO)
11. Consent
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Informed, Specific, Detail
“Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate”.
The ICO
12.
Email
SMS
And maybe Social Media and Cookies!
Just because you’ve got a tick box for one of those channels, doesn’t mean you can use them all.
20. Legitimate Interest
• Analysis
• Data matching and augmentation
• Targeting and segmentation
• Profiling
“Remember – you don’t always need consent.
If consent is too difficult, look at whether another lawful basis is more appropriate”.
The ICO
21. Using Legitimate Interest?
• The right to object must be explicitly stated, prominently displayed, and easy to exercise
• Collect the minimum data necessary and delete records after use
• Ensure you have a valid reason to process an individual’s personal data using your legal legitimate interests
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Rec 47
22. Can targeting, profiling and segmentation be Legitimate Interest?
The text of the regulation refers to profiling in Article 4(4) as:
“…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
23. [Slide diagram of a multi-channel marketing platform; only its labels survive. Capabilities: predictive modelling, customer ID & cross-device tracking, orchestration, reporting & analytics, data integration, multi-channel & data segmentation. Data sources: personal & demographic, onsite behavioural, engagement, transactional, mobile & device, app, lifestyle data. Channels: email, direct mail, paid social, SMS, AdWords, web, push, store.]
24. Profiling Example
An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested in.
25. Special categories of data
Profiling can infer special categories of data.
Example: profiling food consumption or musical tastes might lead to the inference of ethnic origin or religion.
If you infer special categories of data, the profiling may be prohibited without explicit consent.
30. Privacy Notices and personal data
• Why do you need it?
• Use a layered privacy notice/policy
• Easy to understand
• Detail segmentation, targeting, profiling, augmentation
• Detail your cookie usage
38. Analyse, with real users, the UX of your forms & data capture points
What can be done
- Remote user testing
- Expert UX review
- Landing page(s)/My account comms page
- Mobile & desktop
What this gives you
- Identify UX issues & recommendations
- Suggested: messaging, layout, hierarchy, priority
- Mock ups of proposed new experience
41. What does the future hold?
New Regulatory regime
ICO about to issue first fines
E-Privacy challenges
Web tracking consent
And Brexit, of course.
42. New regime gives rights and protections to individuals
Privacy focus is an opportunity to build trust
Transparency and control
GDPR has educated people on their information rights
43. Summary
Processing personal data for marketing presents certain challenges, some of which we have looked at today.
It can be a complex operation to ensure compliance.
But the new regulations shouldn’t stop you doing the clever stuff.
Design your systems and processes to put privacy at their core.
Look closely at how you are using tracking technology and ensure your privacy notices and cookie banners actually do what they should be doing.
And e-Privacy is just around the corner; it’s time to start planning now.
Hello, and welcome to this presentation on compliant digital marketing practice.
My name is Tim Roe and I am the compliance director for RedEye.
I’d like to start by giving you some background to the business I work for, RedEye.
RedEye delivers improved conversion and ROI through Marketing Automation Technology and Conversion Rate Optimisation services.
RedEye’s proprietary technology uses data from the web, transactions and multiple customer touchpoints, which is combined in a single platform to deliver multi-channel marketing communications via web, email, social media, direct mail and mobile.
We use profiling, tracking, analysis and predictive modelling in our solution, so data protection and privacy have been important to us for a long time.
Now a bit about me.
British Computer Society Certified Data Protection Practitioner
Hold Post Grad Certificate in Data Protection Law and IG
Chair of the Direct Marketing Association’s Privacy taskforce
Vice chair of the Direct Marketing Association’s Responsible Marketing Committee
Content contributor and course tutor for the Institute of Direct Marketing
Content contributor and expert content adviser for the Direct Marketing Association
What data are we talking about?
What are the appropriate lawful bases for processing?
What is and what isn’t consent?
Electronic marketing and the law
Gaining consent
Legitimate Interest, processing and profiling
Cookies and behavioural advertising
Privacy Notices
What is UX testing and why is it important when collecting data?
Beyond GDPR and onto e-Privacy – how to prepare for the future and e-Privacy day!
Not legal advice
Broad-based practitioner guidance, drawn from ICO publications, DMA guidance and the EDPB guidance.
This advice focuses on data protection and privacy law.
Data protection is a complex subject.
Absence of case law on GDPR makes giving advice difficult; the first enforcement action is yet to happen.
Knowledge of the subject requires a great deal of reading and study and input from industry organisations and the regulator
There's now lots of authoritative advice from the ICO, WP29, DMA and other industry organisations
Seems like ages ago now; GDPR day came and went.
The sky didn’t fall on our heads.
Thousands of ICO enforcement officers didn’t break down the doors of struggling marketing departments.
Although for some organisations, Armageddon did come to their marketing lists. The cost of this is still to be counted.
The storm clouds have cleared and the sun has come out.
And relax!
Wouldn’t that be nice? The truth for many organisations is that there is still much to do, from acquisition campaigns to replace lost contact data, to embedding the compliance processes and systems into business as usual.
So, let’s take a look at what you need to be compliant.
In a nutshell:
You must only process the data you need to
You need to tell people what you are doing with their data
You need to know where you have obtained the data
You need to know what people have been told when it was collected
You need to know what your lawful basis for processing is
You need to know how and why you are processing the data
You need the audit trails to prove compliance and to demonstrate..
ACCOUNTABILITY
So when we talk about personal data, what do we mean?
Name, Email Address, ID Numbers, Cookies, IP addresses, Profile Information and Segments people belong to.
So that segment that you’ve creatively named “Grumpy Gits” is actually part of their personal data!
“Special categories” of data have replaced “sensitive personal data”
Special category data is more sensitive, and so needs more protection. Processing special categories of data is generally prohibited:
Race; Ethnic origin; Politics; Religion; Trade union membership; Genetics; Biometrics; Health; Sex life; or Sexual orientation.
It is important to ensure that this is not being processed inadvertently.
But you can process special categories of data under explicit consent.
To process this data, we need some sort of legal basis.
Marketing is most likely to be undertaken under either:
Consent: freely given, specific, informed, unambiguous, with affirmative action.
Legitimate Interest: balancing the privacy rights of the individual with the needs of a business.
Both have different uses and are appropriate for different parts of your marketing processing.
Let’s take a look at consent first, what it is and what it isn’t.
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
To be informed, enough information must be made available at the time.
It’s got to be specific enough to be valid; What exactly is the consent for?
There should be no doubt as to what the consent is for and that it has been given.
Consent also requires a clear positive action.
So, where is consent most likely to be the most appropriate legal basis?
Unless certain situations apply, you are most likely to need consent for electronic marketing.
Also, in certain circumstances you might need consent for certain marketing processing activities too (especially if you are processing special categories of data).
If you wish, you can use it for any type of marketing, phone or direct mail.
Remember:
Electronic marketing needs to be compliant with GDPR and the Privacy and Electronic Communications Regulations.
Electronic marketing means emails, SMS, social media.
If you are capturing data to use for marketing purposes, make sure that you are transparent about all the channels you are using. If you’ll use email, SMS and Social, you must point this out before consent is obtained.
I’d like to take a look at some examples of data capture processes where the organisation has obtained consent.
Let’s take a look at this example from Eurostar: simple, clear and informative.
The “find out more” link takes you to the privacy notice. It’s pretty obvious what you are signing up for, and there are three affirmative actions here too!
They are adding their email address to a form specifically to sign up for email.
They are then asked to tick a box
Finally, they are asked to select a box saying “Sign Up”
It doesn’t need to be complicated
One of the best registrations I have found is the BBC registration process.
Each piece of data they ask for allows you to easily find out more, without leaving the registration process.
You can also delve into more detail via further linked information.
Take a look at how the BBC gives the individual an explanation as to why the date of birth is required. Capturing this data allows the BBC to see how people of different ages are using the BBC and to ensure there is content for everyone.
Sounds good to me!
Be Informed and Specific, Transparency builds Trust.
Further through the process, you get to the point where marketing permission is sought.
In the box for email marketing, there is a simple, specific explanation about the content of the emails that the BBC are going to send you.
“These are regular emails, including a weekly update, to tell you about BBC programmes and services. From time to time, we might contact you to get your views on other issues about the BBC. To help you get the best out of the BBC, we may personalise them based on your location and how you use the BBC online. You can unsubscribe at any time. Find out more about the emails here.”
Simple, Informed and specific consent.
Let’s take a look at what consent isn’t.
What would you expect to be signing up for here? Would you be expecting marketing emails from this company?
What is in clause F?
F. Without prejudice to the provisions of the preceding paragraph E, and only with your consent, to send you via email, phone, mail, SMS or MMS the best deals and offers on products and services we think you might find interesting which are marketed by us or our partners or business partners operating in the following sectors: tourism, leisure, entertainment, high technology, fashion, decoration, consumer goods, food and beverage, finance, banking, insurance, energy, environment, communication, mass media, real estate, pharmaceuticals, clothing and textiles, education and training, energy, publications and publishing, information and communications technology, retail, sport, telecommunications and general services.
So, if you entered your email address in that box and agreed to those terms, does that mean the organisation has consent to share your data with virtually anyone they want?
No, this is not consent. Text like that, unexpected processing and non-relevant data sharing, should be brought to the attention of the data subject, not hidden in the Ts and Cs. This is why the law was enacted: to stop abuse of data.
But does electronic marketing always need consent?
Maybe not:
If the contact details meet these requirements:
Gathered during the process of a sale or in the context of a sale
The marketing relates to similar goods or services
The individual was given the opportunity to opt out at the time
And has been given the opportunity to opt out since.
You could have another option.
So this is still OK. The new e-Privacy regulations, although still in draft, look likely to retain the soft opt-in.
As long as you have a relevant commercial relationship with the individual, such as they have bought or are buying from you, this method is acceptable.
It’s not consent; it’s giving the person the opportunity to object by using pre-ticked boxes.
The information on what people are going to be sent is still included, so the individuals are still being informed.
Which brings us to the next legal basis for marketing processing: Legitimate Interest.
What is LI processing?
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
“the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
But, this isn’t an automatic legal basis for processing marketing data. Marketing is necessary, but is what you are doing unbalanced against the individual?
You need to undertake a balancing test where you will balance the impact of processing you are doing, against the rights and freedoms of the individual.
You might use legitimate interest for:
Analysis, Data matching and augmentation, Targeting and segmentation, Profiling
You can use legitimate interest for many things (as long as they are legitimate, of course).
Where you collect the data you must tell the individual that you intend to use the data for direct marketing and that they have the right to object.
It must be explicitly stated, prominently displayed and away from any other information. It must be easy to exercise that right.
You must collect the minimum data necessary, only process the data for the reasons stated in your privacy notice, and delete records after use.
You must also document your valid reason to process an individual’s personal data using legitimate interests as your legal basis.
What about the targeting, analysis and segmentation you do; is that legitimate interest?
This type of processing broadly falls under the classification of “Profiling” under GDPR.
“…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
For marketing, the key words are personal preferences, interests, behaviour, and location.
So, most modern marketing involves profiling.
Depending on the context, profiling can also be quite intrusive if it includes online tracking.
Modern marketing creates enormous amounts of data, much of which can be leveraged to optimise marketing effort and increase ROI. This is the legitimate interest of the organisation that is using it.
Much of this data can also be classified under the new privacy rules as personal data.
The new legislation doesn’t STOP you from using data this way.
It just asks you to be transparent and informative to the individual
As soon as we start to profile, we are creating new personal data that relates to the individual. This “profile” could include data from many sources:
Website search and browsing history
Customer relationships and buying habits
Credit card, store card and transactional history
Credit scoring
Complaints, feedback or enquiries
Location
Lifecycle habits
Social media
Property ownership
Some use of data might be expected and relevant, some might not. Context is important. Be careful about the way you use some of the web tracking data. Is the individual going to be expecting how you track them online? How transparent is your processing?
What does profiling look like? Here is a typical example of profiling, used to make sure that the content of marketing and some web pages is as relevant as possible to the recipient.
An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested in.
In this instance, all the tracking, analysis and profiling, is in context of what the individual is doing and where, so is more likely to be undertaken under legitimate interest.
Profiling can trip you up
Profiling can sometimes infer special categories of data
Example, profiling food consumption or musical tastes might lead to the inference of ethnic origin or religion.
If you infer special categories of data, the profiling may be prohibited without explicit consent.
This is why it is important to undertake privacy impact assessments when starting any new processing activity.
If privacy risks are identified, you can mitigate those risks by changing the process, or using a more appropriate legal basis, such as explicit consent
Is the profiling LI, or does it need consent?
It’s possible that much of the profiling that is done for marketing can be undertaken using legitimate interest.
This is because it is unlikely to cause a legal or significant effect on the individual.
The article 29 working party says:
Profiling is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. However, Article 6(1) (f) does not automatically apply just because the controller has a legitimate interest.
A balancing test still needs to be undertaken, you must consider the key elements, Context, Expectation, Relevance and Impact (to the individual)
It’s also possible for the profiling to stray into the realms of having a significant effect.
The ICO has cited some research that shows it is possible for harm or a significant effect to be caused by profiling.
Ohio State University found that behaviourally targeted adverts can have psychological consequences and affect individuals’ self-perception.
For example, if individuals believe that they receive advertising as a result of their online behaviour, an advert for diet products and gym membership might spur them on to join an exercise class and improve their fitness levels. Conversely it may make them feel that they are unhealthy or need to lose weight. This could potentially lead to feelings of low self-esteem.
Profiling can make ads more effective and have a greater impact on the individual. This was one of the key concerns about the issues with Cambridge Analytica’s use of Facebook data, where the hidden profiling has allegedly been used to influence voting preferences.
We undertake marketing, profiling, targeting and segmentation because it works. We can use these techniques to persuade and influence. To stay on the right side of the law, transparency is vital.
Quite a lot of the clever stuff we do with the data starts with the setting of a cookie on an individual’s browser.
The Article 29 Working Party, when giving an opinion on an example of profiling:
“The extent and manner of profiling (use of click-stream data, predictive algorithms) also suggest a high level of intrusiveness.”
Cookie tracking and profiling, can be intrusive if it isn’t transparent.
So, what do we mean about transparent?
Here is an example of a web page.
On visiting this webpage, the cookies reported on the right of the screen are placed on my browser.
In this case, before they have been accepted.
Before anyone says these are essential cookies, check out the Facebook Custom Audience cookie!
Unfortunately, placing cookies and the operation of the banners, don’t link together well on lots of sites.
Tracking links clicked by certain visitors
You might be building web profiles, or using them for presenting personalised content or to identify people responding to online campaigns, or you might be using them to track how people use your website
These cookies can normally be first party and the data use controlled within your website or direct partners.
Behavioural advertising
Cross website tracking
These are third party cookies that will track users beyond your website and serve your adverts on other sites and services.
What about behavioural advertising?
GDPR has classified the individual’s data that is traded between advertisers (brands) and publishers as personal data.
This type of data use is among the most intrusive and hidden data processing that goes on.
If this data is being gathered or used on your website, you may be jointly liable for its use with the others in the chain.
A recent court ruling in Germany set out that you don’t need access to the data to be a controller of it. You might gather it on your website, but you still remain responsible for its use throughout the programmatic system.
If you are using programmatic advertising, a privacy impact assessment is probably essential.
Information and transparency is a key part of the compliance piece. Much of the information on how data is used will be contained in your privacy notices or privacy policy. This is where you:
Explain why you need an individual’s personal data, thinking back to the BBC example, the extra detail of why you need date of birth, would be contained in the privacy notice.
Use a layered privacy notice/policy; it doesn’t all have to be put in one place. Make it easy to find what you need.
It needs to be easy for people to understand, not written in legalese. Important information must not be hidden in your privacy notice (like the organisation earlier that wanted to share your data with the world).
This is where you would detail segmentation, targeting, profiling, augmentation and the reasons for it.
The privacy notice is also where use of cookies and other hidden tracking technology should be explained.
Belmond have a simple-to-use privacy notice that allows individuals to easily drill down and find out what they need. If I want to find out about all those cookies on my browser, I can easily find where that information is.
The Belmond example, drills down in to the individual cookie usage, giving you the name of the cookie, what it is used for and a link to the website of the tracking provider.
Won’t cookies require consent?
Under the New e-Privacy Regulation, yes they will!
No changes in the latest revision of the e-Privacy Regulation relating to tracking. Consent remains the only option for marketing tracking.
However:
Amendments to recital 20 means that a website owner could restrict access to content, subject to someone giving consent to cookies.
This means consent must be gathered before all but strictly necessary cookies are placed.
Consent will mean GDPR level consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
Unambiguous
Informed
Specific
Positive indication of the data subject’s wishes.
This will mean real consent control and reporting. Getting positive consent BEFORE cookies are placed.
Someone's failure to act does not constitute consent.
If you are using the cookie data, you are responsible or jointly responsible with the advertiser.
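As an added illustration (not RedEye’s code or part of the original presentation), the following JavaScript models the consent gate the e-Privacy requirements above call for: strictly necessary cookies may be set at once, every other cookie is blocked until an explicit affirmative choice is recorded, silence or a pre-ticked default never counts as consent, and each decision is logged with the notice version shown so the controller can demonstrate what the person was told. The cookie names, categories and notice version are constructed for the example, and a Map stands in for document.cookie so it runs outside a browser.

```javascript
"use strict";

// Cookie categories. Only STRICTLY_NECESSARY may be set before a consent decision.
const CATEGORIES = Object.freeze({
  STRICTLY_NECESSARY: "strictly_necessary",
  ANALYTICS: "analytics",
  ADVERTISING: "advertising",
});

// Constructed catalogue of the cookies this hypothetical site sets, mapped to
// their category. Anything not listed here is refused (fail closed).
const COOKIE_CATALOGUE = Object.freeze({
  session_id: CATEGORIES.STRICTLY_NECESSARY,
  site_analytics: CATEGORIES.ANALYTICS,
  ad_audience: CATEGORIES.ADVERTISING,
});

const OPTIONAL_CATEGORIES = Object.values(CATEGORIES)
  .filter((c) => c !== CATEGORIES.STRICTLY_NECESSARY);

// Initial state is "no decision yet": nothing optional is granted, because a
// visitor's failure to act does not constitute consent.
function createConsentState() {
  return { decided: false, granted: new Set(), records: [] };
}

// Records an affirmative choice. `choices` maps each optional category to an
// explicit true/false as submitted by the visitor; a missing value (which is
// what an untouched or pre-ticked box would produce) is rejected rather than
// defaulted. `noticeVersion` identifies the privacy notice shown at the time,
// so the audit trail can later demonstrate what the person was told.
function recordConsent(state, choices, noticeVersion, now = Date.now()) {
  for (const category of OPTIONAL_CATEGORIES) {
    if (typeof choices[category] !== "boolean") {
      throw new Error(`no explicit choice recorded for category "${category}"`);
    }
  }
  state.decided = true;
  state.granted = new Set(OPTIONAL_CATEGORIES.filter((c) => choices[c] === true));
  state.records.push({ timestamp: now, noticeVersion, granted: [...state.granted] });
  return state;
}

// Withdrawing consent must be as easy as giving it: one call clears every
// optional category and is logged like any other decision.
function withdrawConsent(state, now = Date.now()) {
  state.decided = true;
  state.granted = new Set();
  state.records.push({ timestamp: now, noticeVersion: null, granted: [], withdrawn: true });
  return state;
}

// The gate itself: may this cookie be placed right now?
function mayPlaceCookie(state, cookieName) {
  const category = COOKIE_CATALOGUE[cookieName];
  if (category === undefined) return false;
  if (category === CATEGORIES.STRICTLY_NECESSARY) return true;
  return state.decided && state.granted.has(category);
}

// Wraps a cookie jar so every write passes through the gate. A Map stands in
// for document.cookie here so the example runs outside a browser.
function createGatedJar(state) {
  const jar = new Map();
  return {
    set(name, value) {
      if (!mayPlaceCookie(state, name)) return false;
      jar.set(name, value);
      return true;
    },
    has(name) { return jar.has(name); },
    // Removes cookies whose category is no longer consented to and returns
    // the number removed. Call this after a withdrawal.
    purgeNonConsented() {
      let removed = 0;
      for (const name of [...jar.keys()]) {
        if (!mayPlaceCookie(state, name)) {
          jar.delete(name);
          removed += 1;
        }
      }
      return removed;
    },
  };
}
```

In a real site the same gate would sit in front of the tag manager, so that analytics and advertising scripts are not even loaded until mayPlaceCookie returns true for their category.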
These extra requirements for displaying information and ensuring effective data capture processes, mean that these processes must go through a more rigorous testing regime than ever before.
What must you do to ensure you are making the most of each opportunity?
Due to e-Privacy and GDPR, your opt-in forms and preference centres are a critical part of optimised marketing and compliance.
So, how do you manage the requirement for customers to provide positive opt-in whilst maximising the volume of customer details you capture?
Analysing the user experience of your key data acquisition points will help you make the most of GDPR, minimising losses and getting you ahead of the competition.
Here are some examples of the points of data capture that can be fine-tuned using user testing.
Especially for those organisations that have lost a lot of data due to re-consent campaigns, getting these working right is essential.
Without “compliant” customer data you will not be able to enhance the customer experience by personalising and streamlining it for users, creating unnecessary barriers and putting conversions, retention and customer loyalty at risk.
Using UX testing:
- Remote user testing of forms, sign-ups, preference centres (all data capture points)
- Expert UX review of key ‘data capture’ customer journeys
- Email/Landing page(s)/My account comms page
- Mobile & desktop
- User videos and eye tracking
This will help you with:
- Identifying UX issues & recommendations
- Suggested messaging, layout, hierarchy, priority
- Where required, mock ups of proposed new experience
Without customers/users there is no business – use their experience to your advantage.
Helps you understand the “Why?” behind your users’ behaviour, not just the “what”.
Identifies areas for needs-driven improvements & innovation.
Optimises spend on the website.
So now let’s take a small step into the near future and see what might lie ahead.
We are in a new privacy regulatory regime.
Rumours across Europe that the DPAs are preparing to levy the first enforcement under GDPR.
e-Privacy provides more challenges, but changes can be made now.
Design your web tracking consent mechanisms to be robust “before” EP-day.
Brexit will make no difference if you intend to track no EU citizens; if you do, then it will.
The new data protection regime gives rights and protections to individuals
It is a positive step for people
And as we are all people, that’s good right?
Privacy focus is an opportunity to build trust
Transparency will build trust
Transparency and trust could become a key differentiator in business relationships
More powerful than “targeted campaigns and lifecycle marketing”
Transparency and control
On the first contact and data exchange
And ongoing control of the data the individual is sharing
GDPR has educated people on their information rights
People become less tolerant of bad practice
More aware of organisations’ efforts to “do the right thing”.
Processing personal data for marketing presents certain challenges, some of which we have looked at today.
It can be a complex operation to ensure compliance.
But the new regulations shouldn’t stop you doing the clever stuff.
Design your systems and processes to put privacy at their core.
Look closely at how you are using tracking technology and ensure your privacy notices and cookie banners actually do what they should be doing.
And e-Privacy is just around the corner; it’s time to start planning now.