CASE STUDY: New EU legislation: how to avoid data disaster

Date post: 15-Jul-2015

Transcript

New EU data protection law: how to avoid disaster

Stephen Groom


osborneclarke.com

Osborne Clarke

• An international law firm

• 600 lawyers

• 8 countries

• 18 offices

• 6 key sectors including digital business

• Leaders in marketing and privacy law

• Marketinglaw.co.uk


Current data protection obligations in a nutshell

• Restrictions on transfers outside the EEA
• Keep data accurate and up to date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt-in / opt-out consent for email / SMS marketing
• Screen against TPS/FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)
• Knowledge / consent

New data protection obligations from February 2017?

All of the existing obligations above, plus:

• DPO requirement
• Enhanced data subject rights: right to be forgotten; data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (up to 2% of worldwide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Profiling only with explicit prior consent


Non-compliance – the penalties: key regulator weapons and other impacts

1. Fines are on the increase
   • UK: the ICO has had the power to fine up to £500k since April 2010

2. Weapons used by National Regulatory Authorities
   • Good Practice Assessments
   • Enforcement Notices / Undertakings

3. It's not just about fines
   • Negative impact on share value
   • Customer and staff perception and trust
   • Brand damage
   • Diversion of time and resources


Increase in enforcement: 2013/14 marketing law milestones

• June 2013: ICO fines Save Britain Money £225,000 for nuisance calls
• December 2013: ICO fines payday lender First Financial UK Ltd £175,000 for spam texts
• January 2014: Spain – jewellery companies first in Europe to be fined for non-compliance with cookie laws
• January 2014: UK High Court, Vidal-Hall v Google – behavioural targeting (ongoing)
• February 2014: Trading Standards criminal prosecution against cold callers Apple Group Holdings, £36,000
• March 2014: "serious breach" £500K hurdle may be lowered to "serious nuisance and annoyance"


[Chart: Average Monetary Penalty Notice amount per year*, 2010 to 2014; y-axis "Average monetary penalty", £0 to £200,000]

* Statistics for 2010 only include November and December. Based on data from http://ico.org.uk/enforcement/trends

Data privacy and marketing: the bottom line

• With stricter data protection laws around the corner,
• enforcers taking more action under the existing law, and
• the threshold for six-figure fines likely to be reduced,
• doing nothing until the new data protection laws arrive
• is not an option.

Technology and business trends What makes our phone ring?

• Cloud computing

• BYOD

• Location marketing

• Tracking / Cookies

• Social media

• Digital sales

• Near field communications/payments

• Outsourcing / offshoring

• Telematics/vehicle tracking

• Smart meters, grid, devices, home…

• Global HR systems


(1) Assign responsibility: bite the bullet and appoint a DPO

1. Assign ownership (and budget)
   • Time to appoint a DPO (the law may soon oblige you to)
2. Who should it be: IT, Legal, Compliance, HR?
   • Benefits of legal privilege
3. Visible reporting lines
   • To existing risk committees
   • And to the board
4. Risk registers
   • Failure to address known issues increases penalties
   • Whether the issues are yours or a third party's

(2) Get serious about training: the ICO's #1 pet hate

1. 72% of ICO enforcement action last year cited lack of suitable training as a reason action was taken
2. So who to train?
   − Start with the DPO and leaders of teams who process your most sensitive data
   − Viral training: train the trainer
3. Desktop or in person?
4. The message can be spread in other ways too
   − Videos, notices, pop-up reminders, pay slip inserts…
5. Ensure it's not a one-off event

(3) Time to review your policies: are your current policies fit for purpose?

1. Technology/business developments have rendered many policies out of date
   − Privacy
   − Cookies
   − Social media
   − BYOD
   − Security
   − Data retention
2. Beware the need for Works Council approval if changing policies in the EU

(4) Review your approach to hiring marketing service suppliers: what have you agreed, what will you agree?

Key DPA principles:

"Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"

– Written contracts required with suppliers
– Staff reliability measures
– Supplier selection linked to security guarantees
– Steps to ensure ongoing supplier compliance

Data only kept as long as it is needed

• Check which suppliers process valuable data
• Check existing contracts, precedents and RFP language

(5) Registrations: in place and up to date?

1. The classic error is to be under-registered
2. N.B. each group company must notify, as must company pension trusts
3. Separate registrations are required in each EU country for each Data Controller
4. In the UK there are two tiers of fees, payable annually:
   • £35; or
   • £500 if turnover > £25.9M and staff > 249

(6) Intra-group data transfers: assess your compliance with the fiddliest aspect of DP laws

1. Even if you don't have global operations, your suppliers may do
2. Europe's law makers and regulators are fixated by data transfer issues
   • Check your data transfer solutions: model contracts, Safe Harbor, BCRs
   • Beware the model contract registration requirement in many EU countries
3. Remember that
   • viewing personal data on a UK server from a terminal in the US = a data transfer
   • EU data laws apply to personal data of all living individuals, not just EU citizens

(7) Security breach notification: plan your approach to reacting to cyber attack or data loss

1. Design your team: Legal, IT, PR, HR?
2. Pre-plan for the issues which it will need to consider:
   i. Location of the breach and of the affected individuals
   ii. Seriousness of breach (timing, potential for harm, numbers affected, sensitivity of data involved)
   iii. Measures taken to limit harm
   iv. Evidence preservation
   v. Legal privilege
   vi. Who will need to be notified?
   vii. Insurance position

(8) Marketing compliance: do your sales and marketing teams know their responsibilities?

1. Ensure that relevant teams understand opt-in / opt-out
2. Consider partners
   • Do you have control of all notices?
3. Review your approach to marketing list purchase
   • The DMA's list purchase warranties
4. Time for a marketing audit?

Useful Materials

General:

• ICO's introductory DP guide

– https://www.ico.gov.uk/Global/~/media/documents/library/Data_Protection/Practical_application/THE_GUIDE_TO_DATA_PROTECTION.ashx

• ICO's direct marketing guidance

– http://ico.org.uk/enforcement/action/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf

• ICO's data breach guidance note

– http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Practical_application/breach_reporting.ashx

• EC's review of Data Protection laws and link to draft regulation

– http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf

Osborne Clarke:

• OC's White Paper - "Prepare now and avoid the risks" – Contact us for a copy

• OC's Data report (The Data Gold Rush) and DP blog:

– http://www.osborneclarke.com/connected-insights/campaigns/data-gold-rush/


Any questions?

Stephen Groom

Co-chair-Advertising & Marketing Law Group

Deputy Chair-Privacy and Data Law Group

T +44 (0) 207 105 7078

M +44 (0) 7788 584 295

[email protected]

www.marketinglaw.co.uk
