Five top tips to be compliant when using personal data for analysis

Do you analyse customer data for marketing purposes? Here are five top tips from DMA's Legal and Compliance Manager Chanelle Evans to be compliant:

1. Identify personal data

The first thing you should determine is whether the data you are analysing is personal or not. Personal data is essentially any information that relates, either directly or indirectly, to an identifiable living individual.

It’s important to remember that non-personal data becomes personal data when you combine it with information about an individual.

2. Establish your lawful basis prior to processing

The lawful basis will depend on the nature of the personal data you are analysing and the purposes of processing; this will either be consent or legitimate interests.

For example, you can only process special category data for direct marketing purposes with explicit consent. Additionally, explicit consent is required if you analyse personal data using solely automated decision-making that produces legal or similarly significant effects.

Consent is also required when using analytics cookies or similar technologies.

If none of the above apply, then you can consider relying on legitimate interests of your lawful basis – you must complete a legitimate interest assessment (LIA) to determine if this is appropriate.

3. Be accountable

So you’ve established your lawful basis, but your obligations don’t end there! Being accountable mean’s being able to demonstrate your compliance with data protection laws.

For example, you may be required to conduct a Data Protection Impact Assessment (DPIA) where the processing is likely to involve a “high risk” to the individual. The DPIA process allows you identify and mitigate those risks and helps demonstrate your compliance.

A non-exhaustive list of examples includes conducting large scale profiling, wealth screening, tracking geolocation or online behaviour, processing special category data or “invisible processing” such as obtaining personal data from third parties.

If you use third party profiling or data enriching services, you are obligated to conduct and document thorough due diligence to ensure that the personal data you are obtaining from that third party, has been collected and processed in a way that is fair, lawful and transparent.

4. Be transparent

Data analysis can often involve sophisticated or complex techniques; when this involves personal data, you must explain this processing in a way that will be widely understood by your customers.

Your privacy notice must clearly communicate that you analyse personal data (including from external sources, if applicable), the purposes for doing so, and the lawful basis on which you are relying on.

*TOP TIP*: provide real examples of how YOUR organisation does this. Generic information, especially that’s limited, will unlikely meet the transparency requirement.

5. Respect objections

Individuals have the absolute right to object to direct marketing – this includes analysing personal data for direct marketing purposes. Individuals also have the right to withdraw their consent at any time, where this is being relied on as a lawful basis.

You must explain this in your privacy notice as well as the mechanism by which individuals can object or withdraw their consent.

.

Expand your data knowledge

Understand the data protection regulations you need to know and ensure your company's compliance at our Data & Analytics Skills Bootcamp.

Across 14 sessions, we'll train you in everything from data strategies to storytelling, so that you can turn your data into actionable insights and maximise campaign performance.