GDPR Archives - Digital Marketing Solutions Summit

10 ways to make privacy your competitive advantage in 2022

27th January 2022

New year, new start. Nigel Jones, Co-Founder of the Privacy Compliance Hub discusses why and how organisations must put privacy compliance at the heart of their strategy for 2022…

Apple has allowed iPhone users to choose whether they’re tracked by apps, DuckDuckGo is trying the same thing for Android, and even WhatsApp has updated its policy after a multi-million-pound fine. These are sure signs that ‘Big Tech’ is waking up to growing consumer concerns about data protection and recognising that privacy is fast becoming a competitive advantage.

According to Statista research, 54% of UK consumers say they’re now more concerned about their online privacy than a year ago. That backs up a previous study that revealed almost two thirds (61%) of UK consumers worry about how their personal data is being used by companies and 55% prefer to be anonymous when browsing online.

This is serious for businesses. Add increased security threats because of remote working and a new information commissioner who may be more ready to issue fines, and there are plenty of reasons to adjust approach and attitude towards privacy.

Here are my 10 top tips for putting privacy compliance front and centre in 2022.

1. Take stock of where you are

Start with an assessment of your current compliance – there are free online tools that can help you with this. This is also a good opportunity for some light housekeeping, such as checking that you’ve paid your annual data protection fee, whether you need to appoint a Data Protection Officer (and/or register that person with the Information Commissioner’s Office), and if your Record of Processing Activities (also known as an Article 30 Record), Record of Vendors and Partners and Data Retention Policy are up to date.

2. Map your data flows

It’s vital to have a clear view of the personal data that’s under your control. You need to know what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it when you no longer need it. Data maps should cover all data processing activities and is a job for all departments. Gather representatives from all functions in one room (or on one video call) and talk it out.

3. Review existing privacy policies

Privacy notices are often copy and pasted from other sites with the names changed or drafted by legal professionals who have little idea about how the business they’re writing them for operates. Once you’ve mapped your data flows, take a look at your existing policies. Do they need to change or be updated? Don’t be afraid to start again. The objective is to be transparent about what you are doing with the readers’ personal data.

4. Consider the impact of hybrid working

Staff privacy and remote work policies may also have to be updated, in light of the shift towards hybrid working. Cybercrime has spiked in the past year, with experts pointing to weaker security due to home working. Are your employees using personal devices, saving files locally or using unsecure Wi-Fi? They could be putting your business at risk of attack.

5. Empower staff through regular training

When 90% of data breaches in the UK are down to human error, having a well-trained team is essential in the fight for privacy. This isn’t just an IT project – everyone helps protect personal information. Focus on what staff really need to know about privacy in their day-to-day work and tailor each session accordingly. Customer data can often be an organisation’s most valuable asset. By making compliance familiar to employees, they’ll feel empowered to make the most of it safely.

6. Tighten up your marketing communications

The ICO handed out £1.7m in fines for marketing breaches in 2021. It’s easy for members of the public to complain if they’re not unsubscribed when they ask to be, if their data is used for something they didn’t sign up for, or if they’re contacted without giving prior permission. If you are cold emailing individuals in a business context, you must have a lawful reason for doing so, such as ‘legitimate interest’. And of course, if anyone requests to be removed from a contact list, you must remove them immediately and add them to a marketing suppression list so they’re not contacted again.

7. Be careful who you’re sharing data with

You’ve put the work in to make sure you’re taking privacy seriously. But do the partners and vendors you’re sharing customer data with take it seriously too? Make sure you only work with safe organisations that have policies in place to protect personal information, that will only act in accordance with your instructions when they process that data, and that can respond quickly to subject access requests from individuals. Ask partners to complete a risk assessment questionnaire or do due diligence on their privacy practises before working with them.

8. Encourage leaders to be proactive about privacy

Culture starts from the top and leaders need to set the tone. Be clear with the team that you care about privacy, that it’s a priority, and that good behaviour will be rewarded. Give privacy a place in the boardroom, assign responsibilities for regular updates and set targets around it. This isn’t the responsibility of lawyers, it’s the collective responsibility of the entire organisation.

9. Appoint privacy champions throughout the business

Whoever holds responsibility for privacy needs to appoint privacy champions in each department because they will need a lot of help. Luckily this is a topic that people are genuinely interested in, particularly those younger employees that have grown up with technology facilitating every part of their lives. They want to work for ethical companies that take privacy seriously. Ask for their help; you may be surprised by who puts their hand up.

10. Create a culture of privacy by design and by default

Privacy compliance isn’t a one-off project that can be ticked off, or a new year’s resolution that will be dropped by March. Organisations looking to turn privacy into a competitive advantage need to create a culture of ongoing privacy by design and default. One where every time a new product or service or process is introduced, the question is asked – what does that mean for privacy?

Nigel Jones is the co-founder of the Privacy Compliance Hub, a former Google executive and head of its legal team for Europe, the Middle East and Africa. Nigel has more than 30 years of legal experience advising companies on technology, data protection, privacy and the pragmatic steps available to cut risk, meet regulatory requirements and manage data breaches. Take your free GDPR health check today.

OPINION: Don’t rip up the UK’s data privacy rules

By: Guest Author

22nd September 2021

A major announcement earlier this month of a consultation on overhauling current data legislation made by the former Digital Secretary Oliver Dowden, has been questioned by a leading expert in data privacy regulation. Privacy expert Nigel Jones (pictured), Co-Founder of the Privacy Compliance Hub and ex-head of legal for Google in EMEA, urges against ripping up the UK’s privacy rules…

The stated aim of the consultation is to drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats. However, there are a number of issues with the announcement. While I broadly welcome some aspects of the consultation, there is actually little by way of explanation in the announcement as to why the UK’s current data rules and regulations are insufficient to enable all these things to be addressed without the planned reforms.

The stated aims of the proposed reforms – to boost international trade; reduce burdens on business; deliver better public services; drive economic growth; boost innovation including reducing barriers to responsible innovation; protect the public; and strengthen public trust in use of data are ones that most organisations – as well as the general public – would agree with.

However, my view is that there is little, if anything, in the current legal framework that is stopping the UK from executing the aims of this consultation now, and there is insufficient detail in last week’s announcement to explain why such a consultation is necessary. Changes to the current agreement may threaten the very important adequacy decision that the UK has with the EU.

The announcement last week contains many references to science, healthcare and research and how the use of data in these areas needs to be simplified. It is unclear what the Government feels is wrong with the current rules as they apply to science, healthcare and research. It refers to advances made by Moorfield’s Eye Hospital and University College London in identifying eye disease by making use of AI, but those advances were successfully made under the current data framework using the power of Google Deepmind. What exactly do they think is wrong with the status quo?”

The announcement also claims that there are plans to impose tougher penalties and fines for nuisance calls and text messages. My view is that there is nothing in the announcement that explains why this is necessary as current penalties are already very stringent. Under the UK GDPR, the current maximum fine is already up to £17.5 million or 4% of worldwide turnover – that this is sufficient deterrent.

The announcement refers to disproportionate burdens for compliance on many organisations. While it is logical for the announcement to claim that a hairdresser shouldn’t have the same data protection processes as a multimillion pound tech firm, this ignores the fact that the current regime doesn’t require a hairdresser to have the same processes as Facebook. Also, how many hairdressers do we hear complaining about the burdens that the current UK data framework places on their business?

The consultation states that a shakeup of the Information Commissioner’s Office (ICO) is proposed, to include an independent board and chief executive.

The tenure of Elizabeth Denham, the current Information Commissioner, comes to an end this year. She has come in for criticism during her time in charge from those that feel that, as a heavily funded regulator, the ICO should be able to achieve much more, especially in the area of enforcement. Perhaps the government feels that by taking power away from the Commissioner and putting it in the hands of an independent board which it can appoint, it will be able to ‘take back control’ of data regulation.

However, I’m very much in favour of the statement in last week’s press release that the government plans to “replace box ticking with common sense.”

We couldn’t agree more. Data protection has never been about box ticking and it never should be. It is about creating a culture of continuous compliance and we take great heart from the government’s apparent enthusiasm for what it calls ‘Privacy Management Programmes’. All companies that process data should build a culture using such a Privacy Management Programme which makes all its staff understand privacy, care about it and do their bit to use data wisely and securely.”

I also agree with the aim outlined in the plan to mitigate the risk of bias in algorithmic systems. This is a hugely important objective but it will be interesting to see how the government proposes to improve the current framework which exists under the UK GDPR.

It is intriguing that the government feels that the UK’s current data legislation is in some way holding the country back in areas such as international trade, public services, innovation, research, healthcare and hairdressing. While of course any improvements in these areas are to be welcomed, we should bear in mind that the current rules are based upon a framework that has been in place for a very long time and that those rules already allow for much flexibility.

The government should make changes at its peril, and be careful to make sure that any planned amendments don’t threaten the very important adequacy decision that we have in place with the EU, our largest trading partner. In our view, it would be better to make use of the existing flexibility we have than to suggest ripping up existing rules and starting again.

GDPR fines hit nearly 300m euros in three years

By: Stuart O'Brien

2nd June 2021

The General Data Protection Regulation (GDPR) was implemented in the EU three years ago on May 25th. This legislation aimed to give the residents of the EU more control over their data and privacy.

According to the recent Atlas VPN team findings, the cumulative sum of the GDPR fines imposed on the EU countries over the past three years has reached €283,673,083 due to a total of 648 penalties against organizations violating the data protection law.

The biggest GDPR fine so far was issued in January 2019. The French regulator CNIL fined Google €50 million for failing to provide transparent information on its consent policies and the way it handles ad personalization.

After that, another massive increase in penalties happened between October 2019 and January 2020. Thus, since the start of GDPR, organizations have been fined a total of €100,711,612 due to 167 violations.

In 2020, from July to October, there was a significant increase in the sum of fines. It was because 3 out of 5 most enormous penalties of all time were issued in October.

Cybersecurity writer and researcher at Atlas VPN William Sword, said: “GDPR has empowered EU citizens to be more actively involved in what is happening with their data and understand their privacy rights. As for organizations, complying with data protection rules will create a more trustworthy environment between them and consumers. ”

GDPR violations in specific countries

Privacy regulators in each country were closely monitoring companies to make sure that people’s data is dealt with responsibly.

Italy has assessed the most significant sum of fines over three years — €76,271,601. So far, Italy has been penalized a total of 77 times.

France takes second place with €54,661,300 in fines. The largest part of the amount was made off of the previously mentioned Google fine.

In third place sits Germany, where GDPR violations have cost companies €49,186,833.

Even though Spain has slightly less in the total sum of fines — €29,521,410, they have had the most violations. More than one-third of all GDPR penalties (230) were imposed upon Spain.

Is GDPR a casualty of Covid-19?

By: Guest Author

7th April 2021

Since the introduction of the General Data Protection Regulations, businesses have had to adapt to new ways of storing personally identifiable information to become compliant, or else face hefty fines and penalties, as well as reputational harm. However, with the chaos and confusion of Covid-19, businesses had to rapidly introduce new ways of capturing personal data, such as ‘track and trace’ processes to protect their employees, visitors and customers.

In many cases, this led to scribbled down personal information that could be accessed and shared by any passers-by – easily misplaced or used for marketing purposes without authorisation. Despite the same threat of fines for non-compliance, GDPR has slipped far down the list of business priorities, often reverting back to old and outdated methods.

With the great return to the workplace on the cards and hospitality opening back up, Dan Harding, CEO, Sign In App discusses how businesses need to tighten their security and champion GDPR while ultimately ensuring safety and wellbeing remain a priority...

The Evolution of GDPR

‘Let me just get a pen and paper’ was data collection terminology thrown into everyday conversations a few years ago. Information – be that personal and sensitive – could be written down and quickly left abandoned. As technology evolved, businesses were encouraged to phase out these bad habits that were not secure, safe or efficient – but as time went by, they slowly crept back in.

Do you remember when you visited an office and were asked to sign in via the meeting book and leave details such as your name, time of entry – and possibly your car registration plate? You could see that Joe Blogs entered the day before but didn’t sign out? These methods don’t stand up to the compliance requirements of today.

In recent years, data privacy has transitioned to the forefront of consumers’ minds as the prevalence of data breaches and misuse of data has become more widespread within the media. Consumers want reassurance that their data is kept protected and secured – with companies held accountable if not compliant. The introduction of the GDPR was enforced on May 25th 2018. Collectively, this is recognised as the most far-reaching compliance regulation in existence, with the common goals of giving individuals within the European Union more control over how their personal information is being used. Despite having now left the EU, the rules still apply and as a nation, a UK GDPR adaptation has been established.

With so much upheaval in order to become compliant with record-keeping requirements, responsibility has been placed on businesses to tackle it head on – with the threat of significant penalties potentially having long term effects on a business’ reputation. With fines and penalties seeing double-digit growth year after year, what do businesses – large and small – have to contend with as GDPR approaches its third anniversary, especially when Covid-19 has been thrown into the mix?

Adjusting to a new norm

In 2020, businesses were under pressure to rapidly roll out track and trace systems – with some verticals having a greater demand to capture data than others. The hospitality industry saw the biggest hurdles due to the high turnover of customers and this meant that individual information had to be quickly logged and kept on record. But how effective and compliant were their methods of data capture?

The Eat Out to Help Out Scheme meant that large volumes of individuals were mixing together and there was great upheaval for restaurant staff to ensure they could collect as much information as possible without impacting their dining experience. With the power of technology at everyone’s fingertips, some businesses collected data via apps, spreadsheets or Google Forms, so that in the event of an outbreak they had all the data at hand within the cloud. However, this raises concerns about whether people were putting in reliable data, was it secure, and was the data being destroyed after an appropriate time frame?

However, in other industries, people returning to their place of work who couldn’t work from home were regularly asked health screening questionnaires to keep everyone safe – something that was only possible with a visitor management system in place. Effortlessly, an individual’s results could be flagged if there were any concerns in the answers shared and action taken immediately – such as preventing their entry to the workplace beyond the sign-in point. With an outdated pen and paper method, this would have been more time consuming to notice with insufficient protocols in place – and a high likelihood of missed events.

Despite the challenges, businesses adjusted to life with the GDPR but over the past year, there has been a series of disruption as Covid-19 has become the biggest distraction with many businesses fighting for survival. In their efforts to stay afloat, businesses had to protect their workforce community and implement track and trace measures – putting GDPR on the backburner momentarily. However, the focus needs to resume and to be put back on the agenda. With the help of simple apps, and a fluid sign-in experience, technology can play a key role in this strategy by building confidence that personal and sensitive data is being collected, used and destroyed in an ethical and compliant nature.

The future is bright

No one has a crystal ball about what the future holds but being prepared will be a fundamental stepping stone to staying in control. Businesses must protect their reputation and their workforce community. By collecting and disposing of data in accordance with compliance requirements and with the support of simple but innovative technology, they will ensure that fines and penalties don’t present any unexpected surprises.

By stripping back to basics, businesses can learn from the key takeaways from the current pandemic and ensure that GDPR doesn’t become the casualty of a future global event – should another arise. By ensuring that appropriate measures are in place, such as a health screening when entering the office or prior to dining in a restaurant, businesses can play their part in keeping the virus at bay.

Seeking to implement an efficient and straightforward visitor management system will be pivotal to business survival post pandemic. It’s important to keep in mind that one size doesn’t fit all and it’s about making the right data-driven choices and collecting the information that is required in a way that works for each individual business. Focusing on offering a seamless hassle-free experience from beginning to end will add credibility and ensure compliance is at the heart of the business, once again.

Two-thirds of consumers ‘Don’t understand how their data is used’

By: Stuart O'Brien

21st November 2019

Over half (58%) of consumers want long term relationships with brands, but 33% saw irrelevant retail offers as the biggest marketing mistakes, indicating a personalisation disconnect.

That’s according to the latest APEX report from Valitor, which reveals the key marketing challenges brands will face in using customer data to build relationships.

The study also found that almost half (48%) of consumers think that when it comes to relationship ‘building’, all they see after-sale are spam emails.

In fact, it seems personalisation across the board does not meet expectations. 68% do not know how their data is being used by brands. Valitor says this knowledge gap, combined with the implementation of GDPR and the ongoing discussions of data being used in political discussions, has spiked consumer interest in data use and privacy.

However, while interest has increased, the actual use of data by brands is creating uncertainty, confusion and setting unachievable expectations about the sort of interactions customers should expect.

Halldór Lúðvígsson, Managing Director, Omni-channel solutions at Valitor, said: “The latest APEX report reveals that consumers want a long term relationship with brands, which is clearly an opportunity that needs to be pursued. To succeed in establishing relationships, brands need to show customers that by having their data, they are able to create the long term value they crave. Currently, though many consumers feel brands’ efforts are missing the mark, which is risking weakening customer retention.”

The good news for brands, however, is that consumers are still happy to provide them with personal data, as long as it is used in the right way. In fact, 75% of consumers are comfortable with the concept of a brand holding personal information in order to improve the services and relationship. Consumers also revealed that they are most willing to share email addresses (42%), followed by clothing size (29%). But in order to keep consumers happy, brands need to ensure that they use this data wisely if they are to encourage the sharing of more types of information.

Meanwhile, the outdated practice of getting data and then taking a “spray and pray approach” has clearly had negative effects on consumers. For example, over a third (34%) of consumers say that they have been made to feel like a brand no longer wants to impress them once they have parted with their money. Another third (33%) aren’t convinced brands still care about them after the sale is done. While a quarter (25%) highlight the fact that occasional offers are not the same as a proper customer service relationship.

Other key report findings:-

The 18-35 age group is far more confident in their understanding of how brands use their data (18-25 were 40%; 26-35 were 43%) compared to the 66+ age group (19%).
44% of consumers take notice of marketing communications from a brand:
- 56% take notice of emails
- 46% notice free samples/trials
52% of 18-25 years – the highest proportion of all age groups (and the emerging customer base for many brands) – are receptive to messaging from brands.
The oldest consumers, 56-65 and 66+ are the least likely to pay attention to brand marketing.

Download the full report here.

A how-to guide to Legitimate Interest Assessments

By: Guest Author

10th September 2019

As a business, you need to market your services beyond your own walls. However you’re also aware that you need to comply with GDPR… and PECR!

So how can you balance getting the word out, while also meeting personal data obligations?

There are six lawful basis set out in the GDPR to justify the processing of personal data – Legitimate Interest being one of them. But many businesses are unsure how to apply it for business to business (b2b) marketing communications.

So what exactly is Legitimate Interest, when can you use it, and how can you actually do it?

Download the guide to read:

When you can use Legitimate Interest
Examples of Legitimate Interest
The 3 stages of Legitimate Interest Assessments (LIAs)
Tips to remember
Bonus: Free Legitimate Interest Assessment Template

Legitimate Interest can be a great option for some businesses, but you need to follow the proper steps to protect yourself, your business, and the rights of your data subjects. You will need to demonstratethat your interests are not overridden by the interests of the individuals in question. And you do that by carrying out a Legitimate Interest Assessment.

If you would like to discuss LIAs – or the GDPR at large – in more detail, and how the Regulations relate to your campaigns, please contact Nigel Copp at KPM Group.

Build trust with direct mail

By: Stuart O'Brien

29th August 2019

By KPM Group

The introduction of GDPR has undeniably made life a little more difficult from a marketing (and particularly a digital marketing) perspective. And while most organisations are taking steps towards compliance, many still have a long way to go.

It’s not a consistent story; on average“UK marketers consider their organisations to be just over 82% compliant with GDPR” – with a fifth even claiming 100% compliance.

However on the retail side, GDPR is being met with some resistance due to the cost of compliance, and a fear of losing essential data. Meanwhile charities (who hold sensitive information and cannot risk public distrust) are faring better, but a lack of confidence is still evident across the board.

Get GDPR confident

The birth of GDPR gave rise to a greater understanding of the value of personal data, and how it can be misused. The greatest challenge for companies post-GDPR is the rebuilding of consumer trust, and the relationships that go with it.

“GDPR has exposed many unwitting individuals to the scope and nature of the data held about them, so looking forward organisations must demonstrate that they can be trusted to operate ethically and fairly with the information they process, and keep subjects informed.”

Within the parameters of GDPR, marketers must reconsider the most effective marketing and communication channels. So how about revisiting the old, as new?

Using direct mail to build trust

Direct mail marketing isn’t impeded by as many restrictions as email (you don’t always need consent for postal marketing), and therefore offers a legitimate way to contact customers and prospects who are otherwise unreachable.

From a trust and relationship perspective, you can use post to direct customers online and encourage opt-in consent – placing the power literally in their hands, and reinforcing their position as a valued customer.

Furthermore, mail achieves higher rates of engagement and conversion than emails, with 87% of direct mail recipients influenced to buy something online. And that’s not to the exclusion of digital marketing: a MarketReach study proved that mail primes other channels, meaning that emails and social media promotions may be better received – and remembered – if the recipient has received mail beforehand.

There is still a long way to go for companies and their handling of personal data, but looking to the future, GDPR could potentially teach businesses a great deal more about their customer base. Digital still has its place, but we’re seeing a very clear reason that postal marketing is still alive and kicking.

Find out more
Need a bit more guidance? Talk to us, make the most of mail, and get GDPR confident.

This article is abridged from KPM Group’s report, GDPR: Build Trust With Direct Mail. Read the full version here.

DMA and OneTrust offer marketers GDPR compliance tools

By: Stuart O'Brien

14th August 2019

OneTrust and the Data & Marketing Association (DMA) have entered a strategic partnership to equip marketers with the tools, training and resources needed to successfully build, implement and scale responsible marketing programmes that comply with global privacy laws including the GDPR and CCPA.

As the DMA’s Responsible Marketing Partner, OneTrust will work with the organisation to provide software tools, training, resources and thought leadership to help marketing departments to responsibly manage, protect and administer customer data.

The GDPR and CCPA created new compliance challenges for marketers to maintain compliance while delivering customised user experiences. The partnership includes supporting the “Data Privacy: An industry perspective 2019” research. This latest survey is currently open to anyone working in the data & marketing industry to share their latest views.

The partnership includes:

Resources & Research: OneTrust and the DMA will produce joint surveys and webinars focused on the topics most relevant to marketers, including how to comply with the GDPR and the latest regulatory amendment to the CCPA.
Free In-Person Workshops: OneTrust and the DMA will partner at select PrivacyConnect and MarketingConnect workshops, free, local events that equip privacy and marketing professionals to connect, share experiences, and learn the latest regulatory requirements and implementation best practices.
The DMA’s Data Summit: OneTrust will also headline the DMA’s Data Protection Summit, taking place on 28 February in London.

“As the industry association representing the data and marketing industry, acting responsibly while also creating engaging experiences that put customers first is a core tenet of our Code. In OneTrust we have found a partner that shares these key values and the belief in a customer-centric approach to data and privacy,” said Rachel Aldighieri, MD of the Data & Marketing Association (DMA). “The partnership will also offer added benefit to our members, offering them access to a range of additional tools, training and resources to not just comply with privacy laws, but truly put the customer at the heart of their business. Giving them a competitive advantage by developing trust through their approach to data and privacy.”

“Becoming the DMA’s Responsible Marketing Partner was a natural fit; we share a mission to equip marketers for success while maintaining compliance with the evolving regulatory environment,” said Kabir Barday, CEO and Fellow of Information Privacy (FIP), OneTrust. “We’re excited to build upon our existing partnership and launch new research and resources for marketers. Together we’re able to provide members access to the OneTrust PreferenceChoice suite of marketing compliance tools, resources, research and best practices to responsibly manage and protect customer data.”

GDPR

10 ways to make privacy your competitive advantage in 2022

OPINION: Don’t rip up the UK’s data privacy rules

GDPR fines hit nearly 300m euros in three years

Is GDPR a casualty of Covid-19?

Two-thirds of consumers ‘Don’t understand how their data is used’

A how-to guide to Legitimate Interest Assessments

A how-to guide to Legitimate Interest Assessments

Build trust with direct mail

DMA and OneTrust offer marketers GDPR compliance tools

How to ensure multichannel campaigns comply with GDPR