
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]

Watch the webinar on-demand: https://info.trustarc.com/profiling-big-data-consent-gdpr-webinar.html

Required Changes around Profiling & Consent for GDPR Compliance

Some of the most closely followed areas of the GDPR negotiations concerned profiling and consent. Profiling, as defined in Articles 4 & 22, is one of the new provisions in the Regulation which could have a significant impact on businesses seeking to use targeted marketing and other analytics for business growth. Consent remains a legal basis for processing, but it has been restricted under the GDPR and must be “freely given, specific, informed and unambiguous.” There is a lot of discussion, and many privacy scare stories, around these two areas alone.

Watch this webinar on-demand where we examine:
- the details of the profiling and consent requirements in the GDPR to help determine what is and isn’t in scope for profiling
- where you can and can’t rely on consent
- what solutions are available and how privacy leaders can work with their business and marketing teams to ensure compliance

To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/

Published in: Law


  1. © 2017 TrustArc Inc, Proprietary and Confidential Information. PRIVACY INSIGHT SERIES, Summer / Fall 2017 Webinar Program. Profiling, Big Data & Consent Under the GDPR, October 11, 2017
  2. Privacy Insight Series - trustarc.com/insightseries. Thank you for joining the webinar
     - We will start 2-3 minutes after the hour
     - This webinar will be recorded; both the recording and slides will be sent out via email later today
     - Please use the GotoWebinar Control Panel on the right hand side to submit any questions for the speakers
  3. Today’s Speakers: Mark Webber, US Managing Partner, Fieldfisher; Helen Huang, Sr. Product Manager, TrustArc
  4. Profiling and Big Data
  5. What is changing?
     - New definition of profiling
     - Strengthened individual rights (e.g. automated decision-making)
     - Greater focus on accountability and governance
     - Increased transparency requirements
     - Wider definition of personal data (e.g. location data, online identifiers, technology identifiers etc.)
  6. Profiling and the GDPR. Two key questions: 1) What is profiling under the GDPR? 2) Is it restricted? Not all profiling is legally restricted!
  7. What is profiling? “…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (GDPR Article 4). …Targeting… Evaluation… Analytics…
  8. Grounds for processing. Article 6 GDPR, Lawfulness of processing: Processing shall be lawful only if and to the extent that at least one of the following applies:
     - (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
     - (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
     - (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
     - (d) processing is necessary to protect the vital interests of the data subject or of another natural person;
     - (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
     - (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
  9. Grounds for processing (2)
     - Organisations need to ensure that they have clear “grounds” for lawful processing
     - Under the GDPR, consent is NOT mandatory (i.e. not always REQUIRED)
  10. But “consent” is defined… 'consent' of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
  11. Relying on consent. If relying on consent to collect and use an individual’s personal data, the GDPR says that consent must be:
     - “unambiguous” if the data in question is ordinary, non-sensitive personal data (Art 6 of the GDPR says that “consent” is needed, and Art 4 defines consent to be “unambiguous”, hence “unambiguous” consent); but
     - “explicit” if the data in question is sensitive personal data (i.e. relates to any of the categories of sensitive data listed in Art 9(1) of the GDPR, such as physical or mental health data, racial or ethnic origin, and so on)
  12. Unambiguous v explicit consent
     - Unambiguous consent:
       - given “by a statement or by a clear affirmative action” (Article 4)
       - given “by a clear affirmative act…such as by a written statement, including by electronic means, or an oral statement” (Recital 32)
       - “Silence, pre-ticked boxes or inactivity should not…constitute consent” (Recital 32)
       - or given through “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data” (Recital 32)
     - Explicit consent = explicit affirmative action, i.e. explicit consent is also clear (unambiguous):
       - “I agree to my personal data being processed by X for Y purposes”
       - Ticking an unchecked box to say “I consent”
       - Event sign-in, where participants are told that their details will be used for a specific type of profiling and asked (verbally) whether they consent to this processing
  13. Automated decision-making. The individual has the right not to be subject to “…a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”. …Profiling is not in and of itself an automated decision!
     1. There must be a decision
     2. There must be automated processing (which may include profiling)
     3. The decision must be based solely on automated processing
     4. The decision must produce “legal effects” or otherwise “significantly affect” the individual
  14. Automated decision-making (2). Automated decision making IS permitted if:
     1. Authorised by Union or Member State law
     2. Necessary for the contract between the data subject and data controller
     3. The data subject has provided explicit consent
     …But don’t forget!
     - Right to express their view
     - Right to obtain an explanation of the decision reached
     - Right to object / challenge the decision
     - Sensitive data / children
  15. Other obligations
     - Ensure data is processed fairly and transparently
       - Use appropriate mathematical or statistical procedures
       - Implement technical and organisational measures to avoid and correct errors and minimise bias or discrimination
       - Provide meaningful, clear information (i) about the existence of automated decision making, including profiling; and (ii) the logic involved and the significance and envisaged consequences of profiling
     - Comply with the principles of accuracy, storage limitation and privacy by design
       - Data must be kept accurate and up-to-date (garbage in, garbage out?)
       - Ensure data is not kept for longer than necessary
       - Incorporate processes by default and by design
     - Honor the “right to object” exercised by any data subject (whether or not automated)
     - Carry out a Data Protection Impact Assessment (DPIA) for high risk processing
     - Appoint a Data Protection Officer (DPO) if required
  16. Profiling and ePrivacy
     - Cookies still require consent, with browsers and similar software required to provide cookie and tracking controls
     - Website owners will need to be able to demonstrate that users have consented
     - Website owners will be responsible for managing consent needed for third party tracking
     - Cookies will be permitted for first party or third party analytics
     - ePrivacy Directive
     - New ePrivacy Regulations, May 2018?
  17. Implementing a Consent Solution: Key Features
  18. GDPR Consent Considerations
     - Legal and policy
     - Business strategy
     - Technology and architecture
     - Implementation steps
  19. Poll Question: What types of data activities will you rely on Consent as the legal basis for processing?
     1. Digital tracking technologies (e.g. cookies)
     2. Marketing activities (e.g. email marketing)
     3. Other
  20. GDPR Consent Requirements
     - Capturing a robust-enough audit trail to show that a person has consented to processing his/her data
     - Ability to configure the notice as default opted out (checkbox unchecked) to get affirmative consent from the user
  21. GDPR Consent Requirements (continued)
     - Ability to ensure that no tracking happens until the user consents, unless it’s strictly necessary
     - Ensure you can request consent again when the processing purpose or scope of transfer changes
     - Ability to handle consent for other marketing activities, such as email or SMS marketing
  22. Poll Question: How do you plan to comply with GDPR consent requirements?
     1. Build in-house solution
     2. Reuse an existing software
     3. License a privacy technology solution
     4. Other
  23. GDPR Consent Compliance Steps
     1. Discovery of consumer touch points
        1. Data flow inventory and mapping
        2. Cookies and marketing activities
     2. Figure out where Consent is used as the legal basis for processing
     3. Make a build or buy decision for the GDPR consent solution
        1. Developer resources near-term and long-term
        2. Internal software systems to reuse
        3. Compliance timeline or “risk appetite”
     4. De-risk by working with a partner with privacy as a core competency
  24. Questions?
  25. Contacts: Helen Huang, hhuang@trustarc.om; Mark Webber, Mark.Webber@fieldfisher.com
  26. Privacy Insight Series – 2017 Calendar. To register for Summer/Fall webinars and/or past webinar recordings visit: www.trustarc.com/insightseries
  27. Thank You! Please take a quick minute and complete our post-webinar survey that will appear as you exit the platform. Register for the next webinar in our Series, November 15th: “6 Months to Go: How will the GDPR be Enforced?”
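The consent-solution requirements on slides 20 and 21 (audit trail, default opted-out checkbox, no non-essential tracking before consent, re-requesting consent when the purpose or scope changes) can be expressed as a small client-side consent gate. This is an added illustration, not TrustArc's product or the deck's own code; the notice version, purpose names and the `inject` callback are assumptions.

```javascript
// Added example (not from the TrustArc deck). A consent gate for a website
// that implements the requirements listed on slides 20-21.

// Hypothetical notice version. Bumping it (new purpose, new third-party
// transfer) invalidates every stored record, so consent is asked for again
// as slide 21 requires.
const NOTICE_VERSION = "2017-10-v2";
const PURPOSES = ["analytics", "advertising", "email_marketing"];

// Strictly necessary storage is exempt from the gate (slide 21); everything
// else stays blocked until an affirmative choice has been recorded.
const STRICTLY_NECESSARY = new Set(["session", "csrf"]);

// Build an audit-trail record from an affirmative action only. Every purpose
// defaults to false (checkbox unchecked, slide 20); nothing is inferred from
// silence, scrolling or a pre-ticked box.
function recordConsent(choices, action, now = Date.now()) {
  if (action !== "click" && action !== "submit") {
    throw new Error("consent requires an affirmative action, not " + action);
  }
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true; // default opt-out
  return { version: NOTICE_VERSION, purposes: granted, action, timestamp: now };
}

// A stored record only counts if it was given under the current notice.
function consentIsCurrent(record) {
  return !!record && record.version === NOTICE_VERSION;
}

// Gate: may a tag or cookie serving this purpose run under this record?
function mayRun(purpose, record) {
  if (STRICTLY_NECESSARY.has(purpose)) return true;
  if (!consentIsCurrent(record)) return false; // no consent, or stale notice
  return record.purposes[purpose] === true;
}

// Inject a tracker script only once its purpose is permitted; returns
// whether it was loaded so the caller can log the decision.
function loadIfPermitted(purpose, src, record, inject) {
  if (!mayRun(purpose, record)) return false;
  inject(src);
  return true;
}
```

In a real page `inject` would append a `<script>` element and the record would be persisted server-side with the user identifier so the audit trail survives a cleared browser.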
