Agnès Maqua Nicolas Hamblenne Dietger Glorieux GDPR – One Year Later…

GDPR One Year Later · European Union (June 2018) •Fan page operator determines the purposes and means of ... • Augmented reality, personalised offers, local publicity • No


Page 1

Agnès Maqua, Nicolas Hamblenne, Dietger Glorieux

GDPR – One Year Later…

Page 2

CLOSE TO YOU

Page 3

1. GDPR & e-Privacy: where are we now?

2. GDPR & Marketing

3. GDPR risk management for advertisers

4. How to react?

5. A practical roadmap

GDPR One year later… Data protection issues in digital marketing

Page 4

1. GDPR & e-Privacy: where are we now?

GDPR after 10 months

• First report of the European Data Protection Board (“EDPB”)

• 41 500 incidents reported in 8 months in the EU

• 95 000 complaints in the EU (average 1 per day in Belgium)

• Most affected sectors in Belgium:

• Health

• Insurance

• Public services

• Telecoms

• Financial services

• 300 investigations by DPAs in the EU

• First fine in Belgium issued!

Page 5

Audit of ACC Members

Page 6

GDPR & Agencies

• Approx. 3/10 agencies have appointed a DPO (often on EU/global level)

• Every local seat has its own Data Manager/SPOC

Survey conducted on 600 professionals in organizations across the U.S., U.K., and the rest of the EU; 2 May 2018

Page 7

Effect of GDPR on companies

Survey conducted on senior figures with responsibility for the GDPR; Ireland; McCann Fitzgerald; October 2018

Page 8

New Belgian Law

• Applicable since 5 September 2018

• The law is divided into titles, each title applicable to a specific sector

• Reduction of the age at which consent can be given to 13 years (instead of parents or guardian)

• Applicable only to information society services (non-physical services at a distance)

➔ incl. social media

• A private entity that processes personal data for a public authority or to whom a federal public authority has transmitted personal data must appoint a DPO if the processing may cause an increased risk.

• Punitive sanctions

Page 9

e-Privacy Regulation

• Proposal of the European Commission

• Strengthening confidence in the digital single market

• Adapt rules on cookies

• Rules for cookies: stricter, but also simpler

• Draft regulation in January 2017

• No final version yet

Page 10

e-Privacy & GDPR

• Many activities fall within the scope of both pieces of legislation

• Cookies

• Social plug-ins

• IP addresses

• Traffic data and location data

• lex generalis / lex specialis ➔ e-Privacy prevails over the GDPR

• Ex.: placing or reading cookies is governed by article 5(3) of the ePrivacy Directive; subsequent processing of personal data obtained through cookies is governed by article 6 of the GDPR

Page 11

What else is new?

• Facebook judgement (C-210/16) of the Court of Justice of the European Union (June 2018)

• Fan page operator determines the purposes and means of processing visitors' personal data

• The use of a platform does not exclude the need to respect the obligations of the GDPR.

• Operating company is joint controller

• Cookie walls: Dutch DPA

Page 12

2. GDPR & Marketing

• Marketing is based on consumer preferences

• To evaluate consumers, more and more data are used

• Any processing of personal data in a professional context has to comply with the GDPR

• Data linked to an identified or identifiable person

• Among others:

• Website pixels

• Custom Audiences

• Matched Audiences

• Google Analytics

• Direct messages

Page 13

E-Privacy & Marketing

• Terminal equipment and information relating to the usage of that equipment is considered part of the private sphere

• Monitoring the actions of end-users represents a threat to the privacy of end-users

• Personalized marketing is monitoring the actions of end-users through cookies and other tracking devices

• Personalized marketing has to be compliant with E-Privacy

Page 14

Direct Marketing

• Sent directly to the e-mail address or by other automated means (SMS, voice message, WhatsApp message)

• Prohibited without consent

• Empty box to be ticked by the data subject

• Pre-checked boxes: an abuse, because a positive action is required (CEL XII. 13)

Page 15

Direct Marketing

• Exceptions

• Soft opt-in: authorized to send e-mails to a person who has already purchased a good or used the services offered

• Informative emails only

• Business address

Page 16

Direct Marketing

• Examples/questions

• E-mail address collected during competition => use for future competitions?

• How long can we keep a client’s/prospect’s e-mail address?

• Can we purchase e-mail databases? What do we have to take into account?

Page 17

Direct Marketing – Consultation DPA

Public consultation of the DPA about direct marketing

Two (open) questions:

1. What difficulties are you encountering with the application of the GDPR?

2. Which direct marketing technique/technology are you using?

Let your voice be heard!!!

https://www.autoriteprotectiondonnees.be/forms/consultation-publique-relative-au-marketing-direct

https://www.gegevensbeschermingsautoriteit.be/formulieren/openbare-raadpleging-over-direct-marketing

Page 18

Targeted Marketing

• Profiling: any form of automated processing of personal data in which certain personal aspects of a natural person are evaluated on the basis of personal data, in particular with a view to analysing or predicting professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Page 19

Targeted Marketing

• Use of cookies and profiling for customized advertising

• Use for your own advertising

• Use for advertising of third parties on your website

• Right to object to profiling

• Compliance with the GDPR and with the rules on cookies

Page 20

Location Based Marketing

• Services based on localisation

• Augmented reality, personalised offers, local publicity

• No specific rules but:

• Users’ informed consent is required

• Compliance with other rules of GDPR and cookies

Page 21

Cookies (current) – ePrivacy Directive

• Free, specific, informed and unambiguous consent of the data subject

Page 22

Cookies

• Information before consent

• Which cookies

• What information is being used

• What is the duration of the storage

• For what purpose

• How to delete/reject cookies

• Do cookies come from third parties

• Information banner

• Clearly visible until the user takes action

• Must state why cookies are collected, with a link to additional information

Page 23

Cookies

• Exception: no consent needed for cookies that are necessary for the operation of the website or cookies that are used exclusively for communication via the network
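The three cookie slides above describe a rule a web client can enforce: strictly necessary cookies may be written at once, every other cookie needs a positive, informed action first (no pre-checked boxes), and the user must be able to withdraw. The code below is an added example, not from the slides or from any CMP vendor named on them; the in-memory cookie store, the purpose names and the method names are assumptions for illustration. The gate parks non-necessary cookie writes until the user has chosen, writes only those whose purpose was ticked, deletes cookies on withdrawal and keeps a timestamped log that can be shown to an auditor.

```javascript
// Added example (not from the slides): a consent gate for a web client that
// writes strictly-necessary cookies immediately, parks every other cookie
// until the user has made a positive choice, and logs that choice for
// accountability. Store interface and purpose names are assumptions.

const NECESSARY = "necessary";
// Purposes for which a positive action (ticking an empty box) is required.
const CONSENT_PURPOSES = ["analytics", "advertising", "personalisation"];

// Minimal in-memory stand-in for document.cookie so the gate runs outside a
// browser; a real adapter would write document.cookie with the same methods.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, attrs = {}) { this.jar.set(name, { value, attrs }); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentGate {
  constructor(store) {
    this.store = store;
    this.consent = null;      // null until the user acts; no pre-ticked default
    this.deferred = [];       // non-necessary cookie writes waiting for a choice
    this.placed = new Map();  // cookie name -> purpose, for later withdrawal
    this.log = [];            // record of consent events (what and when)
  }

  // Returns "set", "deferred" or "blocked" so callers can see what happened.
  setCookie(name, value, purpose, attrs = {}) {
    if (purpose === NECESSARY) {
      this.store.set(name, value, attrs);    // exempt: needed to operate the site
      return "set";
    }
    if (!CONSENT_PURPOSES.includes(purpose)) {
      throw new Error(`unknown cookie purpose: ${purpose}`);
    }
    if (this.consent === null) {              // banner still open: do not write
      this.deferred.push({ name, value, purpose, attrs });
      return "deferred";
    }
    if (this.consent.granted.has(purpose)) {
      this.store.set(name, value, attrs);
      this.placed.set(name, purpose);
      return "set";
    }
    return "blocked";                         // user declined this purpose
  }

  // Record the user's explicit choice. `granted` is exactly the set of boxes
  // the user ticked; an empty array is a valid "reject all".
  recordConsent(granted, at = new Date()) {
    const chosen = new Set(granted.filter((p) => CONSENT_PURPOSES.includes(p)));
    this.consent = { granted: chosen, at: at.toISOString() };
    this.log.push({ event: "consent", granted: [...chosen], at: this.consent.at });
    const pending = this.deferred;
    this.deferred = [];
    const outcome = { set: 0, blocked: 0 };   // consent is now known, so nothing defers
    for (const c of pending) {
      outcome[this.setCookie(c.name, c.value, c.purpose, c.attrs)] += 1;
    }
    return outcome;
  }

  // Withdrawal must be as easy as giving consent: drop the purpose and delete
  // every cookie that was placed under it. Returns the number removed.
  withdraw(purpose, at = new Date()) {
    if (this.consent === null) return 0;
    this.consent.granted.delete(purpose);
    let removed = 0;
    for (const [name, p] of [...this.placed]) {
      if (p === purpose) {
        this.store.remove(name);
        this.placed.delete(name);
        removed += 1;
      }
    }
    this.log.push({ event: "withdraw", purpose, removed, at: at.toISOString() });
    return removed;
  }
}
```

In a browser the same gate wraps a store that writes `document.cookie`, and the loading of third-party tags (an analytics or advertising script) goes through the same decision as the cookie write, since the tag itself is what reads and sets the tracking cookies.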

Page 24

Cookies - CMP

• Development of Consent Management Platforms (CMP) (ex.: OneTrust, TrustArc Cookie Consent Manager)

➢ France: 20% of websites have put a CMP in place

Page 25

Cookies

Page 26

Cookies (future)

• Current situation:

➢ Overload of cookie banners/consent requests

➢ Users do not check what they consent to

• Idea:

➢ Simpler rules on cookies

➢ No consent for non-privacy intrusive cookies

➢ User-friendly browser-level settings

• Question: will it work?

Page 27

Events

• To whom can we send an invitation? Consent required?

• Can we take pictures during the event? Publishing allowed?

• Can we share a list of participants?

Page 28

3. GDPR Risk management for advertisers

• Loss of commercial opportunities (pitches and public tenders requiring conformity)

• Loss of existing customers (following audit)

• Loss of credit (bad reputation)

Page 29

Where would the risks come from?

• Audit requested by the ecosystem

• Complaint of a client following an incident and a notification

• Potential sectoral control of the advertisement sector

• Investigation by the DPA with publication of a compliance order

• Press release regarding the non-compliance

Page 30

How to minimize the risk?

• Demonstrate compliance with the GDPR

• Set up internal procedures

• Regular review and evaluation of personal data protection measures

• Adopt or approve a code of conduct

• Record of processing operations

• Central management of information

• Train your staff

Page 31

Information of Data Subjects

• Transparency creates trust

• Privacy policy for data subjects (clients, consumers, staff, etc.)

• On social media => via private message?

• Specific to the target

• New data subjects => inform about processing

• Information on processing activities

• Keep up to date

Page 32

Rights of Data Subjects

ACCESS

RECTIFICATION

ERASURE (Right to be forgotten)

OBJECTION

PORTABILITY

LIMITATION

INFORMATION

Page 33

Rights of data subjects

• Several rights

• including the right to object to commercial prospecting

• Cannot be ignored => mandatory answer within 1 month

• Have a specific procedure in place so your staff knows what it is and how to react

• Log requests of data subjects

Page 34

Compliance of the ecosystem

• List of processors and joint-controllers

• Contracts compliant with the GDPR

• With a joint-controller

• Agreement defining roles and responsibilities of each entity

• Data management plan

• With a processor

• Data processing agreement (DPA)

• Make sure it provides appropriate safeguards

• Possibility to audit the data processor

• Always verify conformity

• Draft model contract

• Perform audit! (yourself or via third party)

Page 35

Agencies - Advertiser

ADVERTISER – AGENCY

(1) Controller – Processor ➔ DATA PROCESSING AGREEMENT

(2) Joint controller – Joint controller ➔ Agreement / Contractual clause defining the role and responsibilities of each party concerning the processing of personal data

Page 36

Transfer of personal data

• Transfer within the EEA => GDPR

• Adequacy: white-listed countries (Switzerland, Japan, etc.) including Privacy Shield (US)

• Safeguards:

• Standard clauses

• Binding Corporate Rules

• Bespoke clauses

• Certificate/code of conduct

• Derogations: e.g. consent, contract, legitimate interest, etc.

Page 37

Training of staff

• Conformity also impacts staff

• Awareness of people in contact with data

• GDPR concepts in the corporate culture

• Minimize risk of human error

• Organize training

• Check how personnel process personal data

• Remove access of former employees

Page 38

Security measures

• Organisational measures

• Bring your own device policy

• Laptop use policy

• Email policy

• Malware

• Antivirus and anti-malware

• Configuration of firewalls

• Software

• Removal of unused tools and software

• Limit installation of software

• Regular updates

• Device hardening

• Sources and access

• Access control (“need to know”)

• Segmentation of sources

• Separation and limitation of access to web components

• Physical security (servers, backup, …)

Page 39

Record of processing operations

• Must reflect your activities

• Basis of accountability

• The record must be provided to the DPA on request

• The record may be provided to other third parties

• Regular updates

• New activity => update

• Attitude:

• Proactive, not reactive

• Preventive, not curative

Page 40

Risks of non-compliance

Up to 10M€ or 2% of global turnover:

• Shortcomings in processing safety

• Infringement of personal data protection "by design / by default"

• Failure to designate a Data Protection Officer (DPO)

• Failure to notify an infringement

• …

Up to 20M€ or 4% of global turnover:

• Sensitive personal data

• Transfer of personal data

• Non-compliance with a DPA decision

• Consent of the data subject

• ...

Page 41

4. How to react? – data breach

What is a data breach?

• Loss or theft of data or equipment on which data is stored

• Inappropriate access controls allowing unauthorized use

• Equipment failure

• Human error

• Unforeseen circumstances such as a fire or flood

• Hacking attack

• “Blagging” attack, where information is obtained by deceiving the organisation that holds it

Page 42

Data breach

• Violation of confidentiality, integrity or availability

• Internal or external cause (65% internal, according to the CNIL report)

• Contact the data manager immediately

• Contact the data protection officer (DPO) and/or an external advisor (lawyer)

• High risk => mandatory reporting to the outside world

Page 43

How to minimise breaches

• Maintain a data privacy incident/breach response plan

• Maintain a breach notification protocol (to affected individuals) and a reporting protocol (to regulators, credit agencies, law enforcement)

• Maintain a log to track privacy incidents/breaches

• Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause, etc.)

• Conduct periodic testing of data privacy incident/breach plan

• Engage a breach response remediation provider

• Engage a forensic investigation team

• Obtain data privacy breach insurance coverage

• Train personnel

Page 44

How to react to a data breach?

• Apply the procedures in place to detect, report and investigate a personal data breach

• The GDPR introduces a duty on all organisations to report certain types of data breach to the supervisory authority and, in some cases, to individuals

• For example: where the risk would result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage

• Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Page 45

How to notify?

• DPA: to the authority (DPA) within 72h after determination

• Exception: no notification to the DPA if the infringement is not likely to pose a risk to the rights and freedoms of natural persons

• Data subjects: 'without delay' if the infringement is likely to present a high risk

• Exception: no notification to data subjects if the infringement is not likely to present a high risk to data subjects

• Processor: must report to the controller, informing the DPA and/or involved party

Page 46

4. How to react? - DSAR

• Data subjects exercise their rights more and more

• Use a specific form to understand the request

• Verification of identity through the form

• Never answer beyond what the form asks for

• Log requests of data subjects

• DPA follows up when a data subject complains

Page 47

4. How to react? - Audit of the DPA

• Keep calm!

• Possibility to work together with the DPA

• Sanctions are the last resort

• Request for clarification concerning processing operations and compliance with obligations

• Compliance Order

• Publication of conformity order

• Fines

Page 48

4. How to react? – Audit request by a client

• Provide the documents proving your compliance

• Documents demonstrating compliance:

• Record of processing activities (not compulsory to provide it)

• Information of data subjects

• Staff training

• Dealing with data subjects' rights

• Management of data breaches

• Contracts with the ecosystem

• Guarantees in the context of transfers outside the EU

• IT data security

• This is not an ISO or cybersecurity audit!!

• Certification to anticipate the audit

Page 49

4. How to react? – Non-compliant partner

• Accountability: use only processors providing sufficient guarantees

• Require compliance in the contract

• Ask for proof of compliance:

• Certificate

• Code of conduct

• Technical and organizational measures?

• Record ?

• DPO?

• EU representative?

• Impact assessment (“DPIA”)?

• Audit to verify compliance

Page 50

Processor audit

• Audits of processors by controllers

• More and more frequent

• Increasingly important/deepening

Page 51

5. Practical roadmap

1. Have a legal basis for each processing operation

2. Respond to the rights of data subjects: access, rectification, erasure, etc.

3. Implement technical and organizational measures

4. Privacy by design and by default

5. Determine responsibilities of joint controllers

6. Designate a European representative

7. Use only processors providing guarantees

8. Maintain a record of processing activities

9. Cooperate with the (Belgian) DPA

10. Secure data processing

11. Notify and communicate any data breach

12. Carry out an impact assessment (DPIA)

13. Prior consultation of the (Belgian) DPA

14. Appoint a Data Protection Officer (DPO)

15. Verify data transfers outside the EU

Page 52

5. Practical roadmap

A – Register of processing activities

B – Documentation of conformity

C – Security measures

D – Participation of service providers

E – Data Subject Requests

F – Other

G – Data breach notifications

H – DPO

Survey conducted on senior figures with responsibility for the GDPR; McCann Fitzgerald; Ireland; October 2018

Page 53

Greatest challenges during the compliance process (UK): 342 companies, 264 agencies

Econsultancy, ‘Marketers Guide to the GDPR’; February 2018

Page 54

TO CONCLUDE

• New developments

• The risks are increasing

• Compliance ASAP

Page 55

Q&A

Page 56

Terhulpsesteenweg 166

B-1170 Brussels

Belgium

All icons are designed by Good Ware, Smashicons, Freepik, Glypho on flaticon.com;

CONTACT US!

+32 2 566 90 00

www.koan.law

@KoanLaw

linkedin.com/company/koan

For all your ACC Legal Line questions: [email protected]