Data Protection 2018 Round tables - What was discussed? | DMA


Data Protection 2018 Round tables - What was discussed?


Let’s cast our minds back to our Data Protection 2018 event that took place earlier this year. Picture the crowds of data and marketing specialists buzzing with questions and remember the hum of talk about the new regulation. We had eight roundtables set up to help you with all your GDPR queries.

“This feels like GDPR speed dating,” one of our roundtable attendees said. And indeed that’s what it was like!

Follow the journey of how data is acquired, used and kept under the new regulation:

First step: Profiling

So what exactly is profiling? There are several different definitions of profiling covered by GDPR, but which one is correct? And how do you know what level of detail you can go into when you are creating an audience profile?

Questions such as these were discussed in the Profiling roundtable and broken down to clarify what exactly is GDPR compliant. Discussion soon turned to where the responsibilities lie when using third-party data, especially between the data controller and the data processor. In terms of legacy data, privacy policies must find a way to inform the customer of how their data will be used. BBC, Dyson and Channel 4 were all highlighted as being proactive in engaging their customers in an interesting way to educate them about why their data was being collected.

This roundtable was left with the knowledge that ‘sensitive’ data can be anonymised, but the ‘legal effect’ of profiling under GDPR still needs to be clarified. Keep an eye out for our upcoming DMA Guidance: Profiling to find out more on this topic.

Second step: Consent

Once you have a profile of who you want to target, how can consent be gained to get the data you need and how do you get this consent in a GDPR-compliant way?

All the sessions at the Consent roundtable debated whether consent or legitimate interest should be used in regard to profiling, especially in the B2B field. As in the discussions that took place in the Profiling roundtable, it was agreed that the privacy policy should communicate clearly to the customer what is being done with the data collected.

This roundtable encouraged everyone to undertake a ‘Legitimate Interest Assessment’ to ensure their business was not running a high-risk strategy in preparation for the 25th May.

Third step: Legitimate Interest

If consent doesn’t work for your business, then the road of legitimate interest may be able to help.

Under legitimate interest, you can use data for direct marketing purposes. However, your customers must have the right to object and you must share an easily accessible privacy notice (which should be updated regularly). It’s also good to get into the practice of notifying the data subject of what you have collected and why within 30 days of that first contact.

But what of legacy data? How long can I keep it? This is a good opportunity to review your unsubscribe route. And to prevent your business from holding unnecessary data, it’s best to review your current data collection point to ensure you are only collecting the data you need.

Ok, so legitimate interest sounds quite good, but should I be choosing consent? Which is the better route? This all depends on your business, and it is something your business should be thinking about if it is transitioning from consent to legitimate interest or vice versa. To help the transition, the advice given at this roundtable was to run the legitimate interest and consent routes in parallel so you do not lose the whole existing database for communication during the transition.

Take a look at the DMA Guidance: Consent and Legitimate Interest for some more detail.

Fourth step: Using your data

Every business wants to use the data they have collected to better benefit their company, make profit and keep their customers happy. But there are several different types of data that can be used in a variety of different businesses which can make GDPR seem like a huge challenge.

But this doesn’t have to be the case! If you have the correct data and don’t hold an excessive amount of unnecessary data that you have no use for, this is a good starting point when revising how you are going to use the data that you gather. Stopping the problem at the beginning means you can avoid misinformation or ambiguity, which is something most of this roundtable’s sessions covered. The new regulation offers a chance for businesses to be more transparent (which can reduce complaints from consumers and boost trust) whilst also being compliant with the new law.

Fifth step: Acquiring Data

There are two types of data:

  1. Data Acquisition
  2. Re-acquisition of legacy data

There are also three key categories for how data can be acquired:

  1. Directly recorded data – Transaction history, user registration etc.
  2. Observed data – Website clicks etc.
  3. Data purchased from 3rd parties

All of these need to have a Legitimate Interest Assessment (LIA) that determines where the data needs to be stored. The organisation must be able to trust in the data you hold. Ask yourself… would you invest your own money in the method you use? Your answer will reflect how your current model functions!

Here’s a test you can do – imagine an apocalyptic scenario in which all of your data has been breached and you have to explain to the press why you hold the kind of data you do (and the history of that database). Are you happy with your answer? Are there any gaps? If you’re unhappy with the answer then you need to review what data you have and make sure you are happy with your Legitimate Interest Assessment.

As a data processor you are required to do what the data controller instructs you to do, and you should have a standard contract that states the rights of the controller. The customer should be at the heart of your model in the light of GDPR <3

Sixth step: Managing Data at rest

I’m sorry to say that ‘data at rest’ doesn’t quite mean that your data is resting on a nice holiday. Good definitions can be found on the Digital Guardian, which pairs well with the ICO’s encryption guidelines.

GDPR gives your customers the opportunity to feel that you’re really in tune with what they want. This is why it is important to always triage incoming requests, to be sure you know what it is individuals want. Erasure may not always be what the individual really wants; it is also not an absolute right. Or, if an individual makes a SAR (subject access request), you need to know what data you will and will not provide. This is a great chance for you to assess whether you really know your data.

Ask yourself – where do you store your data? Where did it come from and why are you holding it? And, when applicable, you need to check that the right data is deleted in accordance with your own retention policy (and are you actually complying with your own data retention policy?).

Seventh step: Accountability

What is the difference between accountability and responsibility? By the end of each session, it had become clear that this is a grey area that needs some clarity. Luckily, the DMA has some guidance on accountability and what it means for marketers.

Ultimately, “Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.” – page 6 of DMA Guidance: Accountability

Final step: Getting rid of your data

GDPR is approaching, but there are alternative options to deleting all your data and wiping your database. One of those options is anonymisation. This allows you to still keep track of certain parts of the data without being able to trace it back to a specific person. Or, you can follow a procedure called pseudonymisation, where the individual can only be revealed again by passing a separate security procedure (e.g. a password or secret answer).
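To make the distinction concrete, here is an added example (not DMA code or guidance) contrasting the two approaches on a constructed customer list: pseudonymisation replaces the e-mail address with a keyed HMAC token, so only the holder of the separately stored key can link a token back to a person, while anonymisation aggregates records so that no individual row survives. The key, records and small-group threshold are all assumptions for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records; none of these are real customers.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"email": "Bob@example.com", "postcode": "SW1A 2BB", "orders": 1},
    {"email": "carol@example.net", "postcode": "M1 1AE", "orders": 5},
    {"email": "dave@example.org", "postcode": "EH1 1YZ", "orders": 2},
]

# Assumed: the pseudonymisation key lives apart from the marketing dataset
# (e.g. a secrets store), so the dataset alone cannot re-identify anyone.
KEY = b"constructed-key-for-illustration-only"


def token_for(email: str, key: bytes) -> str:
    """Keyed token: same e-mail -> same token, but unrecoverable without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Drop the direct identifier and keep only a token plus coarse attributes."""
    return [
        {"id": token_for(r["email"], key),
         "postcode_area": r["postcode"].split()[0],
         "orders": r["orders"]}
        for r in records
    ]


def reidentify(token: str, known_emails, key: bytes):
    """The 'security procedure': re-linking needs the key and the original list."""
    for email in known_emails:
        if hmac.compare_digest(token, token_for(email, key)):
            return email
    return None


def anonymise(records, min_group: int = 2):
    """Aggregate to counts per postcode area; suppress groups below min_group
    so a single customer cannot be singled out from the published figures."""
    counts = Counter(r["postcode"].split()[0] for r in records)
    return {area: n for area, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    rows = pseudonymise(CUSTOMERS, KEY)
    print(rows[0])                                        # token, area, orders only
    print(reidentify(rows[1]["id"], [c["email"] for c in CUSTOMERS], KEY))
    print(anonymise(CUSTOMERS))                           # {'SW1A': 2}
```

Note the asymmetry: the pseudonymised rows are still personal data under GDPR because re-identification is possible with the key, whereas the aggregated counts are not.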

This roundtable recommended that you shouldn’t hoard data anyway and should whittle your data down to only the information you need. Reviewing this on a regular basis will also keep your data hygiene at a satisfactory level.
