Here's a short presentation on the GDPR, first presented at the Morning Advertiser MA500 event in Edinburgh on 14th September. This is an overview of the regulations.
The GDPR - A data revolution
1. The GDPR: a data revolution?
Presented by Dan Brookman
Twitter: @danbrookman // @AirshipTeam
2. Who we are
Airship is a digital customer experience
specialist.
At our heart is the Airship CRM, a powerful data
acquisition, segmentation and broadcast
platform that drives revenue through intelligent
customer journeys.
Some clients:
- Revolution
- Tasty PLC
- Brewhouse and Kitchen
- Stonegate
- Living Ventures
- Hickory’s
- Cote Restaurants
- Yummy
- Apartment Group
- Rosa’s Thai
- Mission Mars
- Hydes
- JW Lees
- West Cornwall Pasty Co
- Bargain Booze
3. Introduction
General Data Protection Regulation (GDPR)
Comes into force on 25th May 2018
GDPR is new legislation which introduces a wide range of reforms with
significant effect on data collection, processing and storage activities.
It provides individuals with a suite of new rights in relation to their data.
No Brexit impact: the laws have already been adopted. There may be
implications in the future but the ICO (Information Commissioner's
Office) have been pushing for tougher laws for years (so probably not).
4. It needn’t be a burden...
It should be seen as an opportunity;
- Build customer trust
- Higher engagement
- Enhance your reputation
You are going to see a decline in the amount of new data acquired;
however, this is a good thing.
The issue of poor quality data and over-acquisition has blighted
businesses for years. Opt-ins have been too soft or non-existent,
company boards have focussed on the big number, customers have
been seen as data records… rather than customers.
The GDPR is an opportunity.
5. More Trust
A 2016 study by the Chartered Institute of Marketing revealed:
- 57% of respondents say they do not trust an
organisation to use their data responsibly.
- 70% of consumers still fail to see the benefit of sharing
their personal data at all.
- However, two-thirds (67%) of customers actually say they
would share more personal information if organisations
were more open about how they will use it.
Conclusion
The GDPR will help build trust with
consumers: be on your front foot, clarity
for your customers will yield results!
6. Don’t...
MoneySupermarket, Flybe & Honda
- All have been recently prosecuted for
sending emails to customers who they had
not had permission to market to or had
previously unsubscribed.
Don’t use GDPR as an excuse to pull a fast one on
your customers: if they are currently opted out, they
remain opted out.
8. Don’t Panic
While the regulations come into force on 25th May 2018, it's more than likely going to take a while
for them to bed in. A number of provisions are ambiguous and guidance is being drafted by the
ICO. No doubt there’ll be a number of test cases before legislation is amended.
We’ve all heard the scaremongering around the hefty fines and they are certainly true… the higher
of up to £17m or 4% of global turnover plus court litigation… however…
The ICO closed 17,300 cases last year and only 16 resulted in fines for the organisations
concerned. The ICO’s commitment is to guiding, advising and educating organisations about how
to comply with the law. This will not change under the GDPR. "We have always preferred the
carrot to the stick."
I’m not recommending that you ignore GDPR; I’m recommending that you get your businesses up
to speed on GDPR, do your audits, follow the guidelines set out by the ICO, do not panic, and hit
the ground running come May 2018.
9. Understanding your data sources
Digital
Inhouse:
Paper sign-ups
Comment Cards
Business Card Drops
Sales Enquiries
All businesses have many
data sources, as part of your
audits you’ll need to ensure
that you understand each of
those sources and ensure
that they are compliant with
the GDPR.
In the same way, you’ll need
to ensure that any inhouse
activity is collected under the
regulations.
The digital sources above are transactional tables within
the Airship CRM where we store each instance of
customer engagement.
10. WiFi Session: Week View
Data automatically categorised
by day, session and manually by
event.
Where you segment
customers or profile them
based on their activity, you’ll
need to let them know how
the information is used.
This dashboard shows how we
take WiFi data and segment
customers based on what’s on
in the venue at the time they are
in their WiFi session.
12. To be informed
Consent must be “freely given, specific, informed and unambiguous” and in the case of
automated decisions, consider whether “explicit” consent is required.
1. All consent opt-ins should require a recordable manual action completed by a customer.
2. All consent should be granular. For example, where a customer is giving consent for email
marketing they should be asked separately if they give consent to be sent text messages or
receive sales calls.
3. All consent should be simply and clearly explained directly in the touchpoint they are using. The
explanation should be written in a way that is fair to expect customers to understand, and
positioned so that the customer can see the explanation in line with the request for consent.
Reliance on linked privacy policies or legalese is no longer appropriate.
13. Legitimate Interests
Consent is not always practical or necessary so consider the “legitimate interests”
condition as well as other lawful processing conditions. Many businesses process data
on the basis of their legitimate interest in sending marketing material.
You will still need to collect the opt-out either at the point of collection or soon after.
This may become a condition which is tested more thoroughly as a consequence of the
GDPR changes affecting consent.
Don’t use legitimate interests as a catch-all for your activity.
15. The right of access
Under the GDPR, individuals have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information - this largely
corresponds to the information that should be provided in
your privacy notice.
- You can no longer charge a fee for the customer to
access their data.
16. 2. The right of access
Purple WiFi have already implemented their first
draft of a ‘right of access’. This example for Airship
client Revolution Bars shows the stored personal
information and the bars visited.
It's their consideration that they meet the
legitimate interest condition.
17. Other rights…
- of rectification; (the customer has a right to update incorrect
information)
- of erasure (to be “forgotten”); (the customer has the right to
have their data deleted)
- to restrict processing; (where you are doing additional
segmentation or profiling, the customer has the right to opt-out)
- of data portability; (the customer has the right to request an
export of their data. A scenario for this might be a customer
taking data from their insurance company and supplying it to a
competitor for a quote)
- to object; and (if a customer objects, you must stop all activity
immediately).
- certain rights related to automated decision making and profiling
(this final point is quite interesting; a scenario might be that
you’ve applied for a loan and been refused, you can request the
decision making process is shared with you)
18. Other key points to consider
1. Accountability and governance - The new accountability
principle 5(2) requires you to demonstrate that you comply
with the principles and states explicitly that this is your
responsibility.
2. Breach Notification - whether you are the data processor or
controller
19. Privacy by Design
Although not a new concept, privacy by design is a key part of implementing GDPR. The ICO describes
it as ‘an approach to projects that promotes privacy and data protection compliance from the start’.
Whereas this is currently just a recommendation, GDPR makes this a requirement.
The best approach to ensure the implementation of privacy by design is through completing privacy
impact assessments when planning or reviewing IT projects.
Storage of Personal Data
It is important where possible to minimise the storage of ‘personal data’ while also ensuring that we
have the data you need to deliver your goals. To this end it is important that we use anonymisation
and pseudonymisation so that data can be stored in a way which would only in some cases be
considered personal data.
21. Conclusion
So do you ‘just’ comply or do you become a lean, clean data-driven marketing
machine? Saving time and money: maintaining and learning about your customers,
and creating better relationships.
I know what I would choose and what Airship will be recommending to their
clients.
The hospitality industry can take a lead on this: it’s time to clean-up.
Thanks for your time.
22. The Lawyer bit… Disclaimer….
Thanks to our lawyers, Excello Law, for their help in drafting this presentation.
The details provided in this presentation are for information purposes only and should not be relied on as legal advice for the purposes
of your business. You are recommended to seek independent legal advice with regard to any of the above before acting upon the
same. Both Airship and Excello Law exclude any liability as a consequence of any reliance on this presentation.
Contacts:
Dan Brookman E: dan.brookman@airship.co.uk M:07966 796581
Peter Rawlinson: specialist commercial, IT and data protection contract lawyer:
E: prawlinson@excellolaw.co.uk M: 07899906476 DD: 0114 2755517