The General Data Protection Regulation is the biggest change to the law on data in years. This webinar features Vicky Brown, Deputy General Counsel at WPP, and Paul King, Head of Data at OgilvyOne discussing what it is, why it matters and what companies are doing.
2. Hello!
Paul King
Head of Marketing Technology
OgilvyOne
Vicky Brown
Deputy General Counsel
WPP
Thomas Crampton
Consulting Principal
OgilvyRED
Rob Blackie
Consultant
OgilvyRED
3. What’s the weather like in your city?
Tell us where you’re dialing in from!
4. Want this deck?
It will be available for download shortly after the webinar on: slideshare.net/socialogilvy
Ogilvy staff: It’s also on The Market! themarket.ogilvy.com
Are you on the go? You can join our webinars on mobile, too!
Download the GoToWebinar app from the App Store or Google Play
7. Why is understanding privacy risk and GDPR important?
Board focus:
• Senior leadership focus and accountability
• Auditor/ industry/ client/ consumer focus
Client and supplier focus:
• Increasing contractual protection demanded for data violation and loss
• Indemnities for privacy risks
• Extension of obligations to sub-contractors
• Concern around cloud computing and use of third parties
• Focus on data transfers/ privacy shield (replacing Safe Harbor)/ model clauses
Internal focus:
• Protection of employee data is crucial and a central focus for good governance
8. 72: Hours given to report a data breach
4%: Potential fines as a percentage of global turnover
• Increased regulatory oversight: Regulators have made clear there will be no grace period before enforcement of GDPR begins in May 2018
• Increased reputational risk: Major fines and enforcement action will attract attention from industry, press and clients
• Need to focus on Privacy by Design: Embed good data governance within your business practices and systems
• Privacy matters: The protection of personal data is everyone’s problem – not just an issue for the IT community or lawyers
• Global approach: More and more countries now have privacy laws – getting ready for GDPR will assist operating companies in complying with other privacy laws
What does the GDPR mean for business?
7: Core individual rights afforded under the new GDPR
80+: New requirements in the GDPR
250M: Cost of a 4% fine for a typical FTSE 100 company
190+: Countries potentially in scope of the regulation
28,000: Estimated number of new Data Protection Officers required in Europe (APP study 2016)
9. Why does GDPR impact businesses that are non-EU?
The GDPR applies to organisations established outside the EU if they (either as controller or processor):
• Process the personal data of EU residents when offering them goods or services; or
• Monitor the behaviour of EU residents (tracking/ profiling)
If you are involved in:
• Handling data belonging to EU customers
• Providing services impacting EU customers
• Providing services which will involve handling EU customer data
• Advising on data collection practices which may involve the EU…
… you will be subject to GDPR wherever you are located.
GDPR is much more stringent than current privacy laws so you need to understand how it affects you.
10. GDPR is much more stringent than current privacy laws…
• Fines and enforcement: Fines against annual global turnover (4%) and other sanctions
• Expanded personal data definition: Includes location data, cookies and other online identifiers
• Broader territorial scope: Applies even to players not established in the EU but whose activities consist of targeting data subjects in the EU
• Stricter rules of consent: Must be freely given, specific, informed and unambiguous, provided by a statement or clear affirmative action
• Security breach and notification: 72 hours to notify
• Obligations on controllers and processors: Processors now have direct obligations
• Accountability: Explicit obligation on controllers and processors to be able to demonstrate their compliance with the GDPR
• Requirement for Data Protection Officers (DPO): 4 mandatory scenarios which require appointment of a DPO
• Increased rights for data subjects: Includes “right to be forgotten” and data portability as well as access, rectification, restriction, objection to processing; no automated processing and profiling
11. When is the GDPR in force?
NOW…
However, you must comply from May 25 2018 so you have time to become GDPR ready…
It’s crucial that you can evidence to regulators that you have:
• Reviewed GDPR
• Adopted a risk-based approach to compliance, and
• Are working on a path to compliance
Doing nothing is not an option.
12. What does this mean for you in practice - top 5 business issues?
1) You need to understand what “personal data” is, and what personal data you are collecting, processing and transferring
2) Do you need consent?
3) You need to consider contractual arrangements with suppliers and clients to reflect GDPR requirements
4) You need to understand the rights of EU citizens and think about “privacy by design”
5) You need to understand the impact of Security Breaches
13. Issue 1: What is “personal data” under GDPR and what are you collecting/ processing/ transferring?
Expanded definition: Includes online identifiers and cookies. Mostly a clarification of current law but an important consideration for all.
What is personal data?
Means any information that relates to an identified or identifiable individual…
It’s now clear that an individual can be identified by an online identifier or geolocation data… So information can be personal data even if you don’t know the individual’s name, email address, phone number or other obvious identifiers.
In most eco-systems personal data includes: employee data, data associated with targeted online advertising (e.g. UUID/ GUID, including device fingerprints and cookie IDs), consumer panel data (e.g. client panels, operating company panels) and data about client and supplier personnel.
Data categories shown in the deck:
• Personally Identifiable
• Personal Data
• Sensitive
• De-Identified/ Pseudonymised
• Anonymous
• Aggregate
14. Issue 1: What is “personal data” under GDPR and what are you collecting/ processing/ transferring?
What are “sensitive” categories of personal data?
• Racial/ ethnic origin
• Political opinions
• Religious beliefs
• Trade Union membership
• Genetic/ biometric data
• Health or sex life
• Sexual orientation
• Criminal data
How do we establish grounds for processing sensitive personal data?
In most cases, only by explicit consent.
In practice, this is the same as ‘consent’ (freely given, specific, informed, unambiguous) but requires an explicit statement accompanying the consent mechanisms.
Seek advice from your DPO or in-house counsel.
15. Issue 1: What is “personal data” under GDPR and what are you collecting/ processing/ transferring?
To demonstrate compliance with GDPR, you need to perform a Personal Data Inventory and record:
• The categories of personal data collected or received
• The source of the data
• The consent mechanisms applied to collection of personal data
• Which systems in the organisation contain personal data collected from EU citizens
• The purpose of processing the data
• Who has access to the personal data
• Personal data transfers
• What security protocols are in place to protect the personal data
16. Issue 1: What is “personal data” under GDPR and what are you collecting/ processing/ transferring?
Cross Border Data Transfers from the EU
Restrictions
• Transfers of personal data to recipients in “third countries” (i.e. outside of the European Economic Area (“EEA”)) continue to be regulated and restricted in certain circumstances
Risks
• Breach of the GDPR’s data transfer provisions is identified in the band of non-compliance issues for which the maximum level of fines can be imposed (up to 4% of worldwide annual turnover)
Game-Plan
• Identify and map out your data flows to get a clear picture of what data flows, from where, to which recipients, in which countries
• Design a comprehensive strategy which will legitimise all of those transfers. This will require you to:
a) Identify the available options for legitimising your various data flows out of the EEA (i.e., can you rely on adequacy decisions or derogations, or are additional safeguards required?). This will require a complex risk assessment of your current and proposed data flows taking into account the data protection frameworks of the various countries involved;
b) Assess whether it makes sense to change/ streamline some of your data flows to reduce the compliance burden (e.g., would it make sense to keep certain data within the EEA or send it to fewer/ other countries?);
c) Assess whether your current transfer mechanisms, such as consent, should be retained and/ or will need to be adapted or added to in order to remain compliant under the GDPR;
• Continuously map your data flows and assess them against your transfer strategy, and periodically review your transfer strategy in order to ensure compliance in the long term
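The inventory fields from slide 15 and the transfer game-plan above lend themselves to a small, checkable record rather than a spreadsheet. The following Python is an added example, not code from the webinar or from Ogilvy/WPP: it stores one inventory entry per system with the fields the slide lists, classifies each outbound data flow (intra-EEA, adequacy, safeguard, derogation or unlegitimised) as in step a), groups non-EEA destinations per system to support step b), and flags gaps a DPO would want to review. The country lists, mechanism names, category names and the three inventory entries are constructed placeholders, not the legal lists.

```python
"""Personal data inventory with automated gap checks (added example).

Country, adequacy and mechanism sets below are constructed placeholders;
replace them with the current official lists and the safeguards your DPO
approves before relying on the output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE",
       "NO", "IS", "LI"}                           # illustrative subset only
ADEQUACY_COUNTRIES = {"CH", "CA", "NZ"}            # placeholder for adequacy decisions
SAFEGUARDS = {"model_clauses", "privacy_shield"}   # mechanisms named on the slide
DEROGATIONS = {"explicit_consent"}                 # consent used as a transfer basis
SENSITIVE = {"racial_ethnic_origin", "political_opinions", "religious_beliefs",
             "trade_union_membership", "genetic", "biometric", "health",
             "sex_life", "sexual_orientation", "criminal"}


@dataclass
class Transfer:
    recipient: str
    country: str                      # ISO 3166-1 alpha-2 code of the recipient
    mechanism: Optional[str] = None   # how the transfer is legitimised, if at all


@dataclass
class InventoryEntry:
    system: str                       # which system holds the data
    categories: Set[str]              # categories of personal data held
    source: str                       # where the data came from
    purpose: str                      # purpose of processing
    lawful_basis: str                 # e.g. "consent", "explicit_consent", "contract"
    consent_mechanism: Optional[str]  # how consent was captured, if the basis is consent
    access: Set[str]                  # roles/teams with access
    transfers: List[Transfer] = field(default_factory=list)
    security_controls: Set[str] = field(default_factory=set)


def transfer_status(t: Transfer) -> str:
    """Classify one data flow, following step (a) of the game-plan."""
    if t.country in EEA:
        return "intra-EEA"
    if t.country in ADEQUACY_COUNTRIES:
        return "adequacy"
    if t.mechanism in SAFEGUARDS:
        return "safeguard:" + t.mechanism
    if t.mechanism in DEROGATIONS:
        return "derogation:" + t.mechanism
    return "unlegitimised"


def check_entry(e: InventoryEntry) -> List[str]:
    """Return the gaps in one inventory entry that need attention."""
    findings = []
    if e.lawful_basis == "consent" and not e.consent_mechanism:
        findings.append(f"{e.system}: relies on consent but no consent mechanism is recorded")
    sensitive = sorted(e.categories & SENSITIVE)
    if sensitive and e.lawful_basis != "explicit_consent":
        findings.append(f"{e.system}: sensitive categories {sensitive} without explicit consent; refer to DPO")
    if not e.security_controls:
        findings.append(f"{e.system}: no security protocols recorded")
    for t in e.transfers:
        if transfer_status(t) == "unlegitimised":
            findings.append(f"{e.system}: transfer to {t.recipient} ({t.country}) leaves the EEA with no legitimising mechanism")
    return findings


def check_inventory(entries: List[InventoryEntry]) -> Dict[str, List[str]]:
    return {e.system: check_entry(e) for e in entries}


def countries_outside_eea(entries: List[InventoryEntry]) -> Dict[str, List[str]]:
    """Map each non-EEA destination to the systems sending data there (step b)."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        for t in e.transfers:
            if t.country not in EEA:
                out.setdefault(t.country, []).append(e.system)
    return out


def build_sample_inventory() -> List[InventoryEntry]:
    """Three constructed entries: one clean, two with gaps."""
    return [
        InventoryEntry("crm", {"name", "email"}, "web signup form", "direct marketing",
                       "consent", "signup checkbox, notice v3", {"marketing"},
                       [Transfer("Email vendor (constructed)", "US", "privacy_shield")],
                       {"encryption_at_rest", "role_based_access"}),
        InventoryEntry("ad_platform", {"cookie_id", "device_fingerprint"}, "website tracking",
                       "targeted advertising", "consent", None, {"marketing", "agency"},
                       [Transfer("Ad-tech vendor (constructed)", "SG", None)], {"tls"}),
        InventoryEntry("hr_absence", {"name", "health"}, "employees", "sick leave management",
                       "contract", None, {"hr"}, [], set()),
    ]


if __name__ == "__main__":
    for system, gaps in check_inventory(build_sample_inventory()).items():
        print(system, "->", gaps or "no findings")
    print(countries_outside_eea(build_sample_inventory()))
```

Running the module prints no findings for the CRM entry, two findings each for the advertising platform (no consent mechanism, an unlegitimised transfer to Singapore) and the HR system (health data without explicit consent, no security controls), and the per-country map of where data leaves the EEA.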
17. Issue 2: How do we deal with consent?
Why does this topic matter?
Each and every data processing activity requires a lawful basis to avoid the risk of incurring substantial fines. There are several lawful bases for data processing and consent provides one such basis.
Consent means:
• Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her
When should you rely on consent?
• When consent is required under GDPR or ePrivacy law (e.g. direct marketing)
How do you get it?
• Pop-ups and dialogs that require an affirmative step - no pre-ticked boxes, no conditions, no inaction
• Use clear, plain language and make consent granular
• Separate consent from other items (e.g. agreement to website Ts & Cs)
• Privacy by design: Withdrawal at any time
• Document consents obtained - including time/ date, information presented and how consent was expressed
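The "how do you get it" bullets map directly onto the rules a consent store has to enforce. The following Python is an added example, not code from the webinar or from Ogilvy/WPP: a ledger that refuses pre-ticked boxes and anything that is not an affirmative act, holds exactly one purpose per record so consent stays granular (and so accepting Ts & Cs can never stand in for marketing consent), supports withdrawal at any time while keeping the history, and records the time, the notice version shown and the method used as evidence. The purpose names, method names, subject ids and timestamps are constructed for the example.

```python
"""Consent ledger implementing the capture rules on the slide (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed vocabularies; a real system would keep these in configuration.
KNOWN_PURPOSES = {"marketing_email", "analytics_cookies", "profiling", "terms_and_conditions"}
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "signed_form"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # exactly one purpose: keeps consent granular
    given_at: datetime                # when the affirmative act happened (UTC)
    notice_version: str               # identifies the wording the subject saw
    method: str                       # how consent was expressed
    withdrawn_at: Optional[datetime] = None


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, notice_version: str, method: str,
               pre_ticked: bool = False, when: Optional[datetime] = None) -> ConsentRecord:
        """Store a consent only if it was an unambiguous, affirmative, granular act."""
        if purpose not in KNOWN_PURPOSES:
            raise ValueError(f"unknown or bundled purpose {purpose!r}")
        if pre_ticked:
            raise ValueError("a pre-ticked box is not consent")
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        rec = ConsentRecord(subject_id, purpose, when or _now(), notice_version, method)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> int:
        """Close every live consent for this purpose; the history is kept as evidence."""
        ts = when or _now()
        closed = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = ts
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only for a record with exactly this purpose that was live at `at`.
        Ts & Cs acceptance is a different purpose, so it never satisfies marketing."""
        at = at or _now()
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at)
                   for r in self._records)

    def audit_trail(self, subject_id: str) -> List[Dict[str, Optional[str]]]:
        """Evidence to show a regulator or the subject: every consent event."""
        return [{"purpose": r.purpose, "given_at": r.given_at.isoformat(),
                 "notice_version": r.notice_version, "method": r.method,
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Capture, check, reject a pre-ticked box, withdraw; returns the outcomes."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    t1 = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    ledger.record("u-1", "marketing_email", "privacy-notice-v3", "checkbox_ticked", when=t0)
    ledger.record("u-1", "terms_and_conditions", "tcs-v7", "button_clicked", when=t0)
    try:
        ledger.record("u-2", "marketing_email", "privacy-notice-v3", "checkbox_ticked",
                      pre_ticked=True, when=t0)
        rejected = False
    except ValueError:
        rejected = True
    marketing_before = ledger.has_consent("u-1", "marketing_email", at=t0)
    profiling = ledger.has_consent("u-1", "profiling", at=t0)      # never given
    ledger.withdraw("u-1", "marketing_email", when=t1)
    return {"marketing_before": marketing_before, "profiling": profiling,
            "rejected_pre_ticked": rejected,
            "marketing_after": ledger.has_consent("u-1", "marketing_email", at=t1),
            "events": len(ledger.audit_trail("u-1"))}


if __name__ == "__main__":
    print(demo())
```

The withdrawal check is time-aware on purpose: a mailing sent before the withdrawal timestamp was lawful, one sent after it was not, and the audit trail lets you show which was which.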
18. Issue 3: Supply Chain Management and Amending Contracts
Appointment of Suppliers
The GDPR places direct obligations on processors, stipulates the contractual provisions that must be included in data processing agreements and sets out the conditions for sub-processing.
Agencies that wish to appoint a supplier who will have access to personal data (a “processor”) must only use processors that guarantee compliance with the GDPR. Agencies need to carry out appropriate due diligence of suppliers and monitor their GDPR compliance. Procurement teams should consider taking the following steps now:
• Map the flows of personal data through supply chains. Identify the recipients of personal data, including sub-processors and where the personal data is processed. If this seems difficult now, imagine trying to do it with a statutory 72-hour data breach notification requirement hanging over you.
• Identify existing supplier contracts that involve the processing of personal data and review the data protection provisions. These are unlikely to cover all the provisions that must be included under the GDPR
• Consider the organisation’s approach to risk in existing and new contracts in light of the GDPR. The financial and reputational risks posed by the regulation may change the risk profile of data processing contracts, necessitating a different approach to liability for data protection and data security breaches
• Check whether existing insurance policies will cover data protection and security breaches including breaches by suppliers
• Check internal systems to ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement
• Carry out adequate due diligence on new suppliers to check their GDPR compliance, obtain guarantees regarding the measures that suppliers have in place and ensure there are rights of audit within the contract together with the other mandated data processing provisions
19. Issue 3: Supply Chain Management and Amending Contracts – Mandatory Contractual Provisions
Agencies must appoint the processor in the form of a binding written agreement, which states that the processor must:
• Only act on the Agency's documented instructions;
• Impose confidentiality obligations on all personnel who process the relevant data;
• Ensure the security of the personal data that it processes;
• Abide by the rules regarding appointment of sub-processors;
• Implement measures to assist Agency in complying with the rights of data subjects;
• Assist Agency in obtaining approval from DPAs where required;
• At Agency’s election, either return or destroy the personal data at the end of the relationship; and
• Provide Agency with all information necessary to demonstrate compliance with the GDPR.
20. Issue 4: How does GDPR deal with rights of EU citizens?
Rights included in GDPR are:
• Subject access rights and data portability
• Rectification rights
• Right to object including to direct marketing
• Rights in relation to automated decision making and profiling
• Right to erasure (“to be forgotten”)
21. Issue 5: What happens if there is a breach?
• Notification to EU regulators within 72 hours (if acting as “controller”) of becoming aware of a breach, i.e. a loss of personal data, plus potential notification to affected individuals.
• Companies must keep a register of all data breaches
• Fines are huge: up to 4% of global turnover
• Enforcement: Requirement to delete data, ongoing reporting to DPAs etc.
22. Issue 5: Security breach risks
The increased collection and transfer of data exposes companies to a heightened risk of data breaches and regulation.
Costs of a Data Breach include:
• Fines
• Investigation and Forensics
• Notification Costs
• Call Center Hotline/ Website
• Credit Protection/ Monitoring
• PR/ Communications
• Settlements/ Judgments/ Compensatory Awards
• Lost Business/ Customer Churn
• Impact on Stock Price
• Mandatory Audits
• Remediation/ Security Improvements
23. What should you be doing?
• Senior leadership focus on GDPR
• Do you need a DPO?
• Appoint a GDPR Steering committee
• Get personal data due diligence underway – time for a Data Health Check!
• System and data transfer review
• Training and awareness push
24. How are we helping our clients?
• Raising Exec Awareness & Sponsorship
• Training & Education sessions
• Data Audit:
1) Get a better understanding of their data landscapes (and document!)
2) Identify gaps between current and future requirements
3) Recommendation of suitable data strategies
• Data Breach – creation of Data Breach Policies & Process
• Subject Access Request process
• Ensuring Privacy by Design is incorporated into future developments
• Inspire – responsible organisations will flourish under GDPR
27. Use social network data
Social targeting can be used to target users based on:
• Industry
• Employer
• Seniority
• Job Title
• Company Size
• Skills
• Studies
• Interests
• Office Type
Including Instagram / US only: Seniority, Company Size, Office Type
28. Targeting expats
• Micro targeted on UK Expats living in North America
• Generated extremely high returns
• High levels of sharing with their peer group
30. Lead generation options
• Available on:
• Collect users’ data (name, email, phone number, company, etc.)
• Ask custom questions
• Drive opt-ins (terms & conditions can be customised too for GDPR compliance)
• Display a context card before the form
• Pre-filled fields
• Automation with CRM tools
31. For B2B too
73% of people say they use Facebook for professional purposes
39% of B2B marketers have generated leads through Facebook (vs 44% on LinkedIn)
Source: http://www.hubspot.com/marketing-statistics
33. Social CRM: full funnel on Facebook
Funnel stages: Awareness, Consideration, Lead
Phase 1: Drive awareness and traffic to generate custom audiences built for retargeting.
Phase 2: Drive consideration by ensuring that the user is immersed in the different aspects of the product.
Phase 3: Drive lead registration by retargeting specific audiences generated in phase 1 and 2, and with the custom-made ads.
Ad formats: Video, Link, Carousel, Lead Ads
36. Questions?
Paul King
Head of Marketing Technology
OgilvyOne
Vicky Brown
Deputy General Counsel
WPP
Thomas Crampton
Consulting Principal
OgilvyRED
Rob Blackie
Consultant
OgilvyRED