Under the new EU law, international businesses that do not handle Personal Data of EU citizens correctly may be fined up to 4% of global revenues.
The grace period for adapting processes to comply with the law begins 25 May 2016 and ends 25 May 2018.
This presentation explains why *all* customer data counts as "personal information".
Written by an EU marketer for non-EU marketers in international business. Enjoy.
Customer data and the new EU privacy law - May2016
1. Customer Data and the new EU Privacy Law
Key facts for marketers in international business
Version: 18 May 2016
2. Executive summary
   1. Safest policy is to treat all EU customer data as Personal Information
   2. For incorrect handling of Personal Information of EU citizens: fines up to 4% of global revenues
   3. Grace period for making processes compliant: until May 2018
3. Context
• International business selling into the EU
• B2B & B2C
• Marketing & Sales processes
• Data about EU Prospects & Customers
18/05/2016 Andrew Sanderson | as@ansaco.de | +49 06223 9346 3401 3
4. Warning!
This version: May 2016
• Written by an EU Marketer (not a lawyer) for non-EU Marketers
• Highlights issues, impacts & options
• This does not constitute a legal opinion or legal advice
• Use at your own risk / verify with your corporate counsel
5. Marketing objectives
Build trust – the foundation for face-to-face selling
• Promote products & services
• Gain permission for personalised, one-to-one communication
• Identify individual needs
• Provide each Contact with relevant information about solutions
6. PII = Personally Identifiable Information
Definition in Europe:
information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context
See GDPR, Article 4(1) for precise text
7. PII = Personally Identifiable Information
Definition in the USA:
• any information that can distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, biometrics
• any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information
NIST SP 800-122
8. PII in Marketing Practice
Mr. James Bond
This is not necessarily PII
• Firstname Lastname does not always identify a single individual
9. PII in Marketing Practice
• Universal Exports
• Caribbean Department
• Company Fax: +44 020 1234567
• Web: www.universalex.com
These are not PII
• Alone or in combination, they cannot identify a single individual
10. PII in Marketing Practice
• Business Development Manager
• Caribbean Department
• Universal Exports Ltd.
• London
This may be PII
• A combination of information that may identify an individual
• For example: if there is only one Business Development Manager in the Caribbean Department of Universal Exports, London.
11. PII in Marketing Practice
• Tel: +44 020 123456 xt 007
• Email: james.bond@universalexport.co.uk
These are definitely PII
• Each can be used on its own to identify a single person
12. PII in Marketing Practice
This is definitely PII
• In this context, all data points help to identify a single person
Mr. James Bond
Business Development Manager
Caribbean Department
Universal Exports Ltd.
85 Albert Embankment, London SE1 1BD
T: +44 020 123456 xt 007
F: +44 020 1234567
E: james.bond@universalexport.co.uk
W: www.universalexport.com
13. This is definitely PII, too
In this context, all data points refer to the identity of a single person
PII in Marketing Practice
14. This is not PII
PII in Marketing Practice
15. This is PII
• What individual people think
• Privately or professionally
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
16. This is PII
• What people do privately
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
17. This is PII
• What people do professionally
NOTE: pseudonymised, but can be linked to the individual via the ID
PII in Marketing Practice
18. These are also PII
• metadata
• cookies
• online behaviour
• website clicks
If you know 'who does what'
• even if pseudonymised
• even if encrypted
PII in Marketing Practice
19. PII in Marketing Practice
Connecting non-PII data to PII makes it PII, too
• Drink: Vodka Martini
• Vacation: St Moritz
• Sport: Ski-ing
In this context, the data enriches the knowledge of a single person
20. This is SPI
[Sensitive Personal Information]
• Health, religion, political opinion, sexual preference, union membership, etc.
• Best avoided in B2B Marketing
Memo:
From: Medical Officer
To: M
Health Report: For Your Eyes Only
RE: Bond, James / 007
This officer smokes 40 filterless cigarettes a day and consumes 90 units of alcohol per week - more than is good for him.
He ignores professional advice and is, I believe, running a serious risk of long-term damage to lungs and liver.
PII in Marketing Practice
21. Conclusions
Digital customer records:
• Enable personalised communication
• Make marketing more effective
• Prepare for face-to-face selling
22. Conclusions
But - digital records of EU contacts
• Are covered by EU Privacy Law
• Proof of Contact permission is required (documented double opt-in & datestamp)
23. Conclusions
• If a file contains information that identifies individuals, the entire file is potentially PII
• If data is linked to a file that identifies individuals, the data is PII, too
• What people think and do online is PII (click behaviour, metadata)
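Added example, not part of the original presentation: a Python check for the two effects described on slides 10 and 15-19, namely a combination of job fields that matches exactly one person, and pseudonymised click data that joins back to a customer record via its ID. The records, field names and IDs are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the presentation): a CRM export without
# names or e-mail addresses, plus a pseudonymised web-tracking table.
CRM = [
    {"id": "c-101", "title": "Business Development Manager",
     "dept": "Caribbean Department", "company": "Universal Exports Ltd.",
     "city": "London"},
    {"id": "c-102", "title": "Sales Assistant",
     "dept": "Caribbean Department", "company": "Universal Exports Ltd.",
     "city": "London"},
    {"id": "c-103", "title": "Sales Assistant",
     "dept": "Caribbean Department", "company": "Universal Exports Ltd.",
     "city": "London"},
]
CLICKS = [
    {"visitor": "c-101", "page": "/pricing"},
    {"visitor": "c-102", "page": "/whitepaper"},
    {"visitor": "anon-77", "page": "/home"},
]
# Assumed set of fields that could identify someone in combination.
QUASI_IDS = ("title", "dept", "company", "city")


def group_sizes(records, fields=QUASI_IDS):
    """Count how many records share each combination of field values."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def unique_combinations(records, fields=QUASI_IDS):
    """IDs of records whose field combination matches exactly one person."""
    sizes = group_sizes(records, fields)
    return [r["id"] for r in records
            if sizes[tuple(r[f] for f in fields)] == 1]


def linked_rows(rows, records, key="visitor"):
    """Behaviour rows whose pseudonymous ID joins back to a customer record."""
    known = {r["id"] for r in records}
    return [row for row in rows if row[key] in known]


if __name__ == "__main__":
    print("identifying in combination:", unique_combinations(CRM))
    print("linkable click rows:", linked_rows(CLICKS, CRM))
```

A group size above one only reflects this one export; other data held elsewhere can still single a person out, which is why the recommendation to treat all EU customer data as PII stands.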
24. Recommendations
• Simple policies are easy to remember
• The safest privacy policy is: Treat all EU Customer data as Personally Identifiable Information