5. Before we begin
What you are about to hear is based on:
• Current understanding of the GDPR regulations as published
• Together with guidance that has been issued by appropriate bodies
• Research I’ve been involved in through Paragon Customer Communications
• Keeping abreast of general developments and news
Note: Not all guidance has been issued on all topics
There will be different interpretations of how legislation should be applied
I’m based in the UK, but it’s pretty much the same for Ireland except the Information Commissioner’s Office (ICO) is called
the Data Protection Commissioner
6. The context
Marketers want to be timely, relevant and motivating with marketing messages to prospects and customers. Data is a key component of the fuel that can drive this successfully.
BUT consumers only want useful messages, and many are suspicious about sharing their data in case it is misused/abused. Others will quite happily part with their data if they see the value in doing so.
AND governments/the EU want to ensure that people’s right to privacy is respected, and that businesses adhere to the new regulations designed for today’s modern communications landscape.
7. ICO tracking study results/other research
36% (chart figure from the slide, source: ICO annual tracker 2016)
Main concerns identified – research I/Paragon did with Data IQ showed:
• 50% prefer not to share data
• Trust and openness are key
• It’s really hard to get third party consent
• Shelf-life of consent is shortening – 50% of consumers want to update less than every six months. Some want it every time you contact them
• There needs to be a value exchange
• Trust flies out the window in the event of a breach
8. GDPR – the 12 steps to compliance ‘heaven’
• An evolution of the Data Protection Act 1998
• Imposed by Europe
• Comes into force May 2018
• Affects all businesses
• Public authorities have special rules and exemptions
9. Guidance Available
UK INFORMATION COMMISSIONER’S OFFICE
Issued:
• Preparing for the GDPR – 12 steps to take now
• Overview of GDPR
• Privacy Notices Code of Practice – updated with GDPR requirements
• GDPR Consent Draft Guidance
• Contracts and Liability
• To follow:
- Risk
- Profiling
WORKING PARTY 29
Issued:
• Guidelines on Data Protection Officers
• Guidelines on the right to data portability
• Guidelines for identifying a lead supervisory authority
• Guidance on issuing administrative fines
• Automated decision making and profiling
• Personal breach notification guidance
• High risk processing and DP Impact Assessment
10. Guidance Available
DATA PROTECTION COMMISSIONER
Mostly appears to be relying on WP29 guidance, but has information at dataprotection.ie/docs/GDPR/1623, has published its own version of the 12 steps and some guidance on appropriate qualifications for a Data Protection Officer, and has set up a public/organisation-facing website, gdprandyou.ie
11. Profiling and GDPR
New Working Party 29 Guidance
• Need to understand whether the profiling is by purely automated means
- Will it have a significant impact on the individual?
• Under what lawful basis are you processing/profiling?
- Profiling can be performed under legitimate interest
- You must carry out a balancing exercise
- You must inform the user – probably in the privacy statement – detailing how you are going to use the data
12. Good and bad examples of profiling
Good example – an insurance company uses an automated decision-making process to set motor insurance premiums based on monitoring customers’ driving behaviours. To illustrate the significance and consequences, it explains that dangerous driving may result in higher insurance payments and provides an app comparing fictional drivers, including one with dangerous driving habits. It uses graphics to give tips on how to improve these habits and consequently lower insurance premiums.
Bad example – a data broker sells consumer profiles to financial companies without consumer permission or knowledge. The profiles define consumers into categories (carrying titles such as “rural and barely making it”, “Ethnic Second-City strugglers”, “Young Single Parents”) or “scores” them, focusing on consumers’ financial vulnerability. The financial companies offer these consumers payday loans and other ‘non-traditional’ financial services (high cost loans and other financially risky products).
13. So what do businesses need to do?
Be fully aware
• Where am I compared to the GDPR requirements? (A Gap Analysis)
• What are the risks?
• What strategy do I need to get there?
• Are there specific issues in my sector?
(e.g. Fundraising Preference Service, Know Your Customer)
• Do I need any external help?
Make it a strategic focus for senior management – now
• Don’t put off for another day
• Provide time and resource
• Don’t just talk about it – start implementing solutions
15. Record keeping is crucial
The Accountability Principle
• Under GDPR you are required to demonstrate that you comply with the various principles
• Evidence and documentation are key - make sure all decisions are documented and kept for
audit purposes
• Key elements are data journeys, including locations, access, risks and controls. Consider as part of your design:
- Data Minimisation
- DPIA performed, or documented evidence of why the business considered one unnecessary
- Allowing individuals to monitor/be aware of their own processing
16. GDPR requires businesses to have a ‘lawful’ reason for processing and use
Six lawful reasons – only ONE of these needs to be true for lawful processing. For Marketing Communications this will tend to be Consent or Legitimate Interest. Organisations must identify which they are using.
1. Consent of Data Subject
2. Necessary for completion of a contract
3. Necessary for legal obligation
4. Necessary to protect the vital interests of Data Subject
5. Task carried out in the public interest
6. Necessary for the legitimate interest of data controller (not available for public authorities)
17. The official definition of consent
Consent means: “any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her”
18. Which the UK ICO says means in practice
• Offering individuals genuine choice and control
• Making it easy for people to withdraw consent and telling them how
• Positive opt-in. No pre-ticked boxes or other method of consent by default
• Clear and specific statement of consent, granular options naming any third parties who will rely on it
• Separate and no coercion, no imbalance in the relationship
• Keeping evidence of consent – who, when, how, and what you told people
• Keeping consent under review, and refresh as appropriate
19. Is your existing consent up to scratch?
Existing consumer consent may not be sufficient for GDPR:
• If it was coerced/bundled
• If it was not an affirmative action – pre-ticked boxes or inferred from silence
• If you haven’t got proper records of how, and to what, they gave consent
• If it was gained a very long time ago
If so you must:
• Refresh that consent (re-permission) or
• Find an alternative lawful basis (e.g. legitimate interest) if possible
20. RE – is REally important
• Re-permissioning by email/SMS is only allowed to those you already have permission to market to, but where that permission was gathered in such a way that it will no longer be valid under GDPR
• If you have not got consent, or someone has opted out, or you are ‘unsure’, then you cannot communicate by email or SMS to try to re-permission. You will need to use direct mail (unless, of course, they have opted out of that too)
If you are unsure then you may wish to seek advice from your DPC about your plans – Honda and Flybe were fined for getting it seriously wrong
23. Direct Mail – the ‘white knight in shining armour’?
Even though it isn’t necessary, some organisations have elected to go fully opt in and rely only on consent for marketing communications. Others will rely on legitimate interest.
Note: Non-marketing communications such as contractual, regulatory or real service messages will rely on other legal bases for processing and communication
24. But it isn’t a get out of jail free card either
“You won’t need consent for
postal marketing” (UK ICO 2018)
25. Legitimate Interest
• Processing must have a compelling
purpose, real and not trivial or vague
• Must be necessary, targeted and
proportionate to the purpose
• You need to balance interests of the
business against those of the consumer =
LEGITIMATE INTEREST ASSESSMENT
• You need to document as part of your
audit evidence
• From guidance (largely the Data
Protection Network), I’ve created an 8
point approach
26. It’s all about trust and belief
Research shows that people are more likely to give permission if they feel in control and believe the organisation is going to:
• Keep their data safe
• Not share it
• Not bombard them
27. So what are organisations doing/planning?
Source: The six per cent solution, Royal Mail, 2017
Nearly one in five companies in the UK have already started…half haven’t even started!
It’s probably the same in Ireland
28. So what are organisations doing/planning?
(Source: Royal Mail)
Eight out of ten marketers in the UK use or will email…and nearly half also plan to use direct mail
29. Direct Mail ‘leading the charge’
• Being used as a lead medium for re-permissioning, as the physical format itself lends credibility, builds trust and shows that the customer is valued
• ‘Sit back’ media allows consideration and can also explain to the customer the reasons for the communication and the benefits of staying in touch, and deal with granularity of choice
• Less easy to ignore than a crowded email box (1.3 pieces of mail a day, 65% open rates, 17% leads to a commercial action – new JicMail 1/1/18)
• For some companies whose e-mail base isn’t fully compliant, it may be the only option available
• DM for acquisition will grow as email data availability shrinks
• Less likely to opt out than digital channels (even though DM will need to be more up front
about offering it) so will become a growing part of CRM communications
• No-one has yet been fined for using mail (as opposed to other channels)
30. Investing in testing
Digital marketing will generally become a bit harder. GDPR is all about catching up with Digital and
putting it back in its box. However, lots of marketers consider print old fashioned. But we know it
works because it’s:
• TANGIBLE and DISRUPTIVE - physical, stand out and retention
• EXPLANATORY - allow us to convey detailed/complex information simply
• TARGETED - specific groups of people geographically and demographically and previous
history => personalisation and individualisation
• INCLUSIVE - working well against the digitally disadvantaged/disinterested
• ACTION FOCUSSED - generating high quality leads and sales/behaviour change
Also, YOUNGER PEOPLE don’t receive much mail, so it has stand out
BUT ONLY IF WE DO IT RIGHT, so it is worth INVESTING IN TESTING
32. Get your short form Data Collection Statement right
• 63% of people read or skim statements - so good copywriting counts
• Organisations reluctant to test variants in the live environment as it affects future
communications possibilities - so research is a viable alternative
33. Get your Privacy Statement right (Fair Processing Notice)
The Data Subject (your customer) must have the following information:
1. Identity and contact details of Data Controller (you) and your DPO (if you have one)
2. Purpose of the processing and the legal basis of the processing
3. Legitimate Interest if you are using it
4. Categories of recipients of the data
5. Any transfers to third countries and safeguards
6. Retention period, or the criteria used to determine it
7. Existence of data subjects’ rights
8. The right to withdraw consent at any time
9. Right to lodge a complaint with supervisory authority
10. Any data required by statutory requirement
11. Existence of automated decision making and profiling
34. Tell your customers their rights
There are 7 individual rights
1. The right to be informed
2. The right to access
3. The right to rectification
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. Rights in relation to automated
decision making and profiling
What they mean
1. What are you collecting, why and who can see it?
2. How can I get to see my own stuff?
3. I want to change something
4. I don’t want you to do that anymore
5. Give me my stuff, I want to take it to someone else
6. Stop doing that
7. What decisions have you made which stop me
doing/getting something?
36. Repermissioning messaging options – urgency/clarion call
Probably the most sophisticated programme in the charity space
• Decided on full opt in model
• Focussed on urgency
• Linked the opt in
permission to saving lives
• Simple and easy
• Upbeat and positive
• Thanking people up front
37. Doing the numbers, modelling/testing
• Estimated they could potentially lose touch with over 500,000 people
• Needed 255,000 supporters to opt-in (25%) to ensure a sustainable fundraising model
• Built model and tested and contacted individuals three times to ‘re-permission’
• Now have 450,000 (40%) opted-in supporters
• First campaign to new opted-in base 3x more effective than previous campaigns
Also benefitted from £350,000 in donations – despite not asking for donations in the copy!
38. Loss aversion / Honesty
• Loss aversion – don’t miss out
• Honesty – why we need to do this
to comply with Govt/EU and
protect you
39. Benefits and more personalised experience
• Link to outcomes –
remind them of the
benefits and why
they signed up
previously
• Get a more
personalised
experience (mini
surveys as well as
preference to show
you are interested in
them) and putting
you (the customer)
in control
41. Incentives / Auto unsubscribe
• Incentives (added bonus and
as long as the incentive is not
co-ercing permission)
• Urgency – last chance to
(dangerous if you want to
have a few goes before May
2018)
• Auto opt out anyone with no
discernible contact over a
period (24 months?) but offer
them chance to opt back in
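The evidence-of-consent requirement (who, when, how and what you told people), the “is your existing consent up to scratch?” checklist and the auto opt-out rule above all describe checks that can be run over a consent database. The following is an added example written for this page, not code from the presentation or from Paragon; the record fields, the mechanism labels, the 24-month inactivity period and the 24-month “too old” threshold are assumptions chosen here to make the checks concrete.

```python
"""Consent evidence records and GDPR-readiness checks.

Added example, not taken from the presentation or from Paragon. It turns the
"who, when, how and what you told people" evidence requirement and the
"is your existing consent up to scratch?" checklist into a record structure
with validation logic, and adds the "auto opt out after a period with no
contact" rule. Field names, the mechanism labels, the 24-month inactivity
period and the 24-month "too old" threshold are assumptions made here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# How the consent was captured. Only these count as a clear affirmative
# action; pre-ticked boxes and consent inferred from silence do not.
AFFIRMATIVE = {"unticked_checkbox", "signed_form"}


@dataclass
class ConsentRecord:
    subject_id: str                          # who gave consent
    captured_at: Optional[datetime]          # when it was given
    mechanism: Optional[str]                 # how (see AFFIRMATIVE)
    statement_version: Optional[str]         # what they were told (notice version)
    purposes: Tuple[str, ...] = ()           # granular purposes, e.g. ("email_marketing",)
    third_parties: Tuple[str, ...] = ()      # named third parties relying on it
    bundled: bool = False                    # tied to signing up for something else
    coerced: bool = False                    # obtained under pressure or imbalance
    last_contact: Optional[datetime] = None  # last discernible contact with the person


def consent_issues(rec: ConsentRecord, now: datetime, max_age_days: int = 730) -> List[str]:
    """List the reasons this consent may not be sufficient for GDPR.

    Mirrors the four tests on the slide: coerced/bundled, not an affirmative
    action, no proper records, gained a very long time ago. Empty list = no issue.
    """
    issues = []
    if rec.coerced or rec.bundled:
        issues.append("coerced or bundled")
    if rec.mechanism not in AFFIRMATIVE:          # None, pre-ticked, inferred from silence
        issues.append("not an affirmative action")
    missing = [name for name, value in (("when", rec.captured_at),
                                        ("how", rec.mechanism),
                                        ("what told", rec.statement_version))
               if not value]
    if not rec.purposes:
        missing.append("purposes")
    if not rec.subject_id:
        missing.insert(0, "who")
    if missing:
        issues.append("incomplete records: " + ", ".join(missing))
    if rec.captured_at is not None and now - rec.captured_at > timedelta(days=max_age_days):
        issues.append("gained a very long time ago")
    return issues


def needs_repermission(rec: ConsentRecord, now: datetime) -> bool:
    """True if the consent should be refreshed or another lawful basis found."""
    return bool(consent_issues(rec, now))


def should_auto_opt_out(rec: ConsentRecord, now: datetime, inactivity_days: int = 730) -> bool:
    """Auto opt-out rule: no discernible contact over the period (24 months assumed).

    Falls back to the capture date when no later contact is recorded; a record
    with neither date is treated as inactive.
    """
    last = rec.last_contact or rec.captured_at
    return last is None or now - last > timedelta(days=inactivity_days)


# Constructed sample records (not real customers).
NOW = datetime(2018, 3, 1)
SAMPLE = [
    ConsentRecord("cust-001", datetime(2017, 11, 20), "unticked_checkbox", "privacy-v3",
                  purposes=("email_marketing",), last_contact=datetime(2018, 1, 15)),
    ConsentRecord("cust-002", datetime(2016, 2, 1), "pre_ticked_box", "privacy-v1",
                  purposes=("email_marketing", "sms"), last_contact=datetime(2017, 12, 1)),
    ConsentRecord("cust-003", None, None, None),          # nothing evidenced at all
    ConsentRecord("cust-004", datetime(2015, 6, 1), "signed_form", "privacy-v2",
                  purposes=("post",), bundled=True),
]


def summarise(records: List[ConsentRecord], now: datetime) -> dict:
    """Map subject id -> (issues, needs re-permission, auto opt-out) for reporting."""
    return {r.subject_id: (consent_issues(r, now), needs_repermission(r, now),
                           should_auto_opt_out(r, now)) for r in records}


if __name__ == "__main__":
    for subject, (issues, repermission, opt_out) in summarise(SAMPLE, NOW).items():
        print(subject, "re-permission" if repermission else "ok",
              "auto-opt-out" if opt_out else "", issues)
```

The two rules are kept separate on purpose: a record can need re-permissioning while the person is still in regular contact (cust-002), and a record can be evidentially fine yet fall under the inactivity opt-out. The issue list is what would go into the audit documentation the accountability principle asks for, rather than just a yes/no flag.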
42. With a Preference Centre at the centre
• Changes to:
- Consent
- Privacy notices
- Legal basis for processing
- Security
- and more…
• Addition of accountability principle
• Potential for massive fines
43. Preference Centre
Secure Online Preference “Hub”
• Easy to use, easy to digest why data is being
collected/used – frictionless UX
• Manage consent and channel preferences, including child
consent
• Inform/manage individuals rights
• Manage complexity across brands, interest areas
• Evidence for consent and data stamp for re-fresh
• Verify additional key data variables
• Encourage preference breaks rather than full unsubscribe
44. More than just a landing page – data in and out
PREFERENCE CENTRE = THE HUB
Data in (capture points): Consumer, Web, Branch Capture, Call Centre, Social Media, Email, Mobile, Web Chat, Manual Data Capture, External Data
Data out (what the hub delivers):
• Informed MI about preferences across the organisation
• Communications that are wanted
• Enhanced customer experience
• Improve ROI
• Keep data up to date, and rules for refresh
• Reduce wastage
• Fuels CRM communication rules, processing and targeting optimisation
45. Example: PHE
No single view / clarity for consumer beyond individual unsubscribe =>
• New Preference Centre built – give customers access to their data, manage their details and consent at overall, campaign, sub-brand and channel levels
• Put PHE ahead of the game in terms of being GDPR-ready, recognising the importance of consent
• Good reset point for PHE – review historic opt-ins and have complete confidence moving forward
46. Example: Pension & Life Assurance
Multichannel Repermission
campaign
• DM: Friendly URL
• Personalised Reference Number
• On-page authentication
• Paper Response Option
• EM: Deep link
• “Cross-sell” additional channels
• Captures contact details
• Integration into client data
ecosystem
47. Data breaches and breach notification
• Need to notify the DPC (and possibly other bodies) within 72
hours if the breach is likely to result in a high risk to the individual
• Need to have the right procedures in place to detect, report and
investigate a personal data breach
• Whilst there is no set timeframe, clients need to inform the public
‘without undue delay’ in the event of a serious breach where it
might leave them open to financial loss or high risk to the ‘rights
and freedoms’ of the individual
• Failure to report a breach could result in a fine, as well as a fine
for the breach itself
• Worth having a ‘pre-planned and pre-canned’ set of templates,
and a tested direct mail and email mechanism on standby
‘A Sincere & Personal Apology’ – the #1 proactive action a company can take to help prevent the end of a customer relationship (Source: Ponemon Consumer Study on Aftermath of a Breach)
50. Embracing GDPR in a positive way
• The new regulation is not unreasonable
• We all have a duty to do the right thing
• Good reset point and we shouldn’t be afraid of the potential impact on our
database size – those left will be truly engaged
• Opportunity to focus on the wider data landscape and how to use data well
• It’s about having confidence in the brands and our skills as marketers to
motivate consumers to take an action and engage with us on their terms