The General Data Protection Reform, Guide 7: Privacy notices (2017)




In brief
What’s happening?

The GDPR (General Data Protection Regulation) is a new data protection regulation, bringing greater protection for consumers and giving them more control over how their personal information is collected, stored, shared and used.

To ensure organisations comply with the regulations, the reforms will bring an easier complaints process and huge fines, backed by stronger ICO enforcement.

There are a number of elements which form the changes and there is a lot for Marketers to take on board. With that in mind, we’ve aimed to summarise the information you need to know in a series of specific guides & blog posts.

As part of their GDPR-readiness campaign, the ICO have just released a new code of practice on communicating privacy information to individuals. The code is more than a list of what organisations need to do; it also gives advice and guidelines. We’d advise you read it from cover to cover! But for now, here is an easy introduction…

Privacy Information
What is privacy information?

Privacy information isn’t just that document mentioned at the bottom of a web page, or the information behind the T&Cs links that most of us never read. Privacy information is whatever sets the expectations and explains how personal data is used, protected and controlled. So this includes the information on screen or visible before and during data collection, as well as the more detailed privacy notices you’ll have.

Why are things changing?

By now we know a lot about the value of using data and the full potential of data insights to power our marketing campaigns. You’ll have read up on big data and other data-centric topics to support this view, so you want to gather as much data as you can, right? Because the more data you have, the more you can get out of your campaigns.

But what many companies fail to realise is that collecting this valuable information is a privilege, and it’s easier than you may think for this privilege to be abused. Data breaches in the news are almost a weekly event. The forthcoming GDPR has been designed to reduce the risk to consumers: the people who provide you with their valuable data, enabling you to send your marketing.


In this guide

• Privacy information (p. 3): What is privacy information? Why are things changing?
• Fairness (p. 4): What the law says; Fairness: key points; Layered privacy information; What should your privacy information show?
• Transparency and consent (p. 7): What the law says; Transparency and consent: key points
• Reasonable expectations (p. 8): What does it mean?
• Sharing and buying information (p. 10)
• Your privacy notice checklist (p. 11)


Fairness
What the law says

The law says that personal information should be processed fairly, where processing means obtaining, using or disclosing information.

Personal information is not classed as being fairly processed unless the organisation processing the data provides the individual with, or makes readily available, the following:

• The identity of the controller
• The purpose for which the data is intended to be processed
• The intention to transfer personal data
• The existence or absence of (where appropriate)…
  - an adequacy decision
  - appropriate safeguards; or
  - the controller’s compelling legitimate interests.

Fairness: key points

There are two main elements of fairness:

1. Information is being used in a way that people would reasonably expect
2. Ensuring people know how their information will be used

These two elements work hand in hand with each other. At the point of data collection you need to ensure you provide the following:

• The information necessary to set the correct expectations around the data collection, storage, usage, sharing and destruction
• Context and established convention, used to determine what is already expected
• Attention must be drawn to processing which wouldn’t be expected


• Clarification and detail concerning what is already understood and expected
• If there is any unexpected data use, the less likely something is to be expected, the less likely that a linked privacy notice can be relied upon to inform individuals

Your privacy notice should then be used to expand on that information, ensuring people know how their information is used.

Layered Privacy Information
Okay, so what does this mean for you?

You need to be realistic about how interested people are in the way you handle their personal data. Many people will only be interested in what they’re signing up to or purchasing and so on – they’re unlikely to read a detailed privacy notice.

But you still need to provide the information!

That’s why a ‘layered notice’ is useful. The layered approach allows you to provide the basic privacy information up front, then have a more detailed privacy notice elsewhere for those who want to know more.

A simple notice with a “Learn More” link is an example of a layered notice. It provides information in a simple way initially, setting expectations, with a link to find out more. Like this one…

(Example image: Layered Privacy Notice)


The ICO has just released a new code of practice on communicating privacy information. Their example of a layered approach is a just-in-time notice, which is a little more advanced but should be regarded as the new best practice.

A just-in-time notice works by displaying relevant information, but only when it’s relevant. This prevents information overload and helps achieve that balance of information and simplicity.

What should your privacy information show?

When you’re writing your privacy information it’s good practice to think like a consumer. Start by asking yourself these questions:

1. Would the consumer know who is collecting information?
2. Would they understand why you are collecting their information?
3. Would they understand what it means to allow you to collect their information?
4. Would they be likely to object or complain?

Remember that the visible privacy information should set the expectations and provide the consumer with simple information. Your larger, more detailed privacy notice should provide clarification and detail concerning what’s already understood and expected from the point of collection.

So it needs to be clear, accessible and informative. Here’s an example…


Transparency and Consent
What the law says

“It should be transparent what data is collected and used, for what specific purposes, the existence and consequences of profiling, who is doing this processing, for what time periods and who will receive the data. The individual should be informed about Individuals should be made aware of risks, rules and safeguards.”

Transparency and consent: key points

• Consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to personal data relating to him or her being processed
• Consent should cover all processing activities carried out for the same purpose(s)
• When the processing has multiple purposes, consent should be granted for each of those purposes

If you are to carry out transparent processing, then…

In order to be fair to the consumer, you need to be transparent and allow an individual to consent to the processing of their data.

Where an individual has a choice over how their data is processed, it’s important to allow them to exercise that choice. This means that it must be freely given, specific and fully informed, and consent must also be revocable.

The layered approach allows you to be truly transparent, which in turn will allow you to gain well-informed valid consent from individuals.

If you’re relying on consent for processing, your method of obtaining it should be clear and displayed to the individuals at the point of data collection.

If you’re attempting to gain consent but are failing to provide supporting information, then consumers are unlikely to be fully informed and the consent cannot be considered valid.

If you’re processing information for numerous purposes then you need to explain this. You need to provide a clear and simple way for individuals to agree to each type of processing.


People may want to consent to their information being used for one purpose but not for the other(s). The best way to do this is to provide a list of how you process information and allow people to say yes or no to each method.

This may sound complicated, but clever design can help give the required information in a simple format as well as recording consent per level.

Compare the Market has a form with very few words and no tick boxes in sight, and they still manage to balance the information, expectations and simplicity requirements with a simple design and mobile-friendly icons. Take a look…

(Example image: Compare The Market example)

Reasonable Expectations
What does it mean?

You can only use collected information in a way that people would reasonably expect.

Because that rule is vague it’s up to you to identify what isn’t clear about your data use and how you explain what you do. The layered approach allows us to show simple information snippets to set those expectations correctly.

But first, you have to put yourself in the shoes of someone using your website or sign-up process in order to identify what may or may not be expected, so that you can choose how much information to display, where, when and how.

To put this into context, here are two examples…


If you do use information in a way that is not expected, then you’ll need to inform the individual about what you’re planning to do with their data. A common sense approach is a good starting point.

It’s not difficult to differentiate between what’s expected and what’s unexpected. The easiest way for you to decide is by thinking as a consumer: what expectations are set during your data collection process?

Use a layered approach, making sure expectations are set up front, with any more detailed information easily available in a linked, easy to navigate privacy notice.

Expected

• A person purchases a pair of shoes from an online store. Their personal information is only used to despatch the goods, take payment and for the company’s own record keeping.
• The collection and processing of this information is expected and fair, even if the person has not been given explicit and detailed information about it.
• Any reasonable person requesting such a service would understand that they cannot receive their purchase unless this level of processing happens.

Unexpected

• A person purchases a pair of shoes from an online store.
• Their personal information is used to despatch the goods, take payment and for the company’s own record keeping. On top of this the company creates a profile, using contact, browsing and purchase details to curate web and email content. They also share this data with another company, who provides online advertising services. The collection and processing of this information to fulfil the sale is expected and fair.
• The creation of the personal loyalty profile to tailor web content and target emails may be expected. However, passing the information on is, almost certainly, not expected. Even if the intention to pass details on in this way was mentioned in a privacy notice, because it’s not expected it breaches ‘fair processing’ principles and wouldn’t be allowed.
• Instead, the online store should have a notice advertising the benefits of the loyalty program and curated content, with the option to sign up.
• They should also advertise their intention to share information with another company, again, selling the benefits and giving the purchaser the option to sign up.
• With expectations set, links to the privacy notice, which explains in more detail how this works, can be made.


Sharing and buying information

There can sometimes be strong pressures to share personal information with other organisations. If you’re going to share the personal data you collected with third parties then you need to ensure you’re treating your consumers fairly.

It’s good practice to not only tell people you’re going to share information with third parties but also to gain their consent to do so. The consent should be informed, so you need to ensure you’re telling people:

• What the third party is going to do with their information
• What effect this has on the individual
• How it will benefit the individual

Without giving this information the consumer can’t make an informed decision on whether they want their information to be used in such a way. There is also a lot of pressure within the email marketing industry to send more emails. To do this, some Marketers rely on buying or renting data lists.

When buying or renting a new list you must take the following steps:

1. Due diligence – you must research the list! You need:
   • proof that the people on that list have given consent to have their data passed on within the last 6 months
   • to see what expectations were set when that data was collected

2. Unsubscribe processes – when a consumer wants to opt out, if the marketing list came from a third-party vendor, all of the companies in the ‘data chain’ must be informed. So you need 3 processes in place:
   • A standard mailing list unsubscribe
   • A Data Vendor to Marketer unsubscribe
   • A Marketer to Data Vendor unsubscribe

3. Inform the individual – in your first communication you should inform them why they’re receiving the email. This can be as simple as saying “we have your information because you said yes to company X giving it to us”. This will avoid any complaints by people who may have forgotten.

Buying or renting lists can get you into a lot of trouble if you don’t do it right, so following these 3 steps is a good way to help avoid any issues arising.


Your privacy notice checklist

To ensure your detailed privacy notice is up to scratch, here’s a checklist to follow. Each row lists an ideal component of a privacy notice, with questions to ask yourself; mark each as included or needed.

Introductions
• Clearly states who you are
  Ask yourself: Does the notice give information about your organisation?
• Consider the language used: clear and unambiguous language is needed
  Ask yourself: Does the language suit the people who the notice is aimed at?

Data Collection
• Describe what type of personal data your organisation collects
• Describe why you collect personal data
• Describe what methods your organisation uses to collect personal information
  Ask yourself: Do you collect and/or keep information on forms in hard copy, on computers, and/or on your website?
• Indicate that the information is necessary for the activities it’s used for (in your marketing)
  Ask yourself: Can you assure consumers that their data is collected only for the purposes you’ve stated?

Use of Data
• Generally describe how the organisation will use the personal information collected
  Ask yourself: Will the data be used for anything more than personal contact with the individuals in question?

Disclosure
• Describe under what circumstances the information might be disclosed (if any)
  Ask yourself: Will the lists be used by third parties? If so, how do you propose to obtain consent and what additional measures are needed to protect the security of the information?
• Provide examples or instances of where the information provided will be used
  Ask yourself: Do third party services need access to the information to perform their duties? Could sharing the information provide the opportunity for third parties to promote products or services to the people whose information you are providing?


Use of Data in Marketing
• Include an explanation of how data will be used if you carry out direct marketing
  Ask yourself: How many hands will the information pass through?
• Have options for individuals to opt in or opt out of your marketing campaigns
• If applicable, explain how the organisation deals with information in third party contracts, and state whether names are shared
  Ask yourself: Can you assure individuals that the third parties referenced will maintain comparable levels of protection?

Accuracy (integrity of the data)
• Describe the steps taken to ensure information is accurate, complete and up to date
  Ask yourself: How often will you check with the people in your database to be sure the information is accurate?
• Describe how an individual can correct their personal information

Security
• Show that reasonable steps have been taken by the organisation to safeguard personal information in the event of misuse, loss, unauthorised access, or disclosure
  Ask yourself: What security measures are in place for both print and digital records? Are any archived records, that must be kept to comply with legal requirements, separated from the current database?

Access to information
• Explain an individual’s right to his or her own personal information
• Indicate who has access to the information given
  Ask yourself: Do only those with a legitimate need for the information have access to it?
• Describe when access might not be granted (if any)

Organisation Contact
• Identify who to contact (and how) regarding the policy
  Ask yourself: In addition to who and how, what is your timeline for replies to inquiries?
• Explain how complaints can be made and to whom


Our Privacy & Compliance series (The General Data Protection Reform, 2017)

• Guide 1: What’s coming and what it means for you
• Guide 2: Can I have your number? Data collection & consent
• Guide 3: Ticking all the boxes? Processing & storing data
• Guide 4: Getting your ducks in a row: What campaigns can you send?
• Guide 5: Say what?! Translating the changes to your customers
• Guide 6: Is it me you’re looking for? The right to be forgotten
• Guide 7: Privacy notices
• Guide 8: Legitimate Interests
• Guide 9: Third Party Data in Email Marketing


Any questions?

For more help and advice like this and to access our library of free resources, visit the Communicator blog and resources sections at www.communicatorcorp.com

Twitter: @CommCorp
Phone: +44 (0) 345 300 2337
Email: [email protected]

Experts in Email Performance