Transparency in Marketing

Your Panel:

Paula Barrett, Head of Privacy & Information Law, Eversheds LLP

Aurélie Pols, Privacy Advocate, Advisory Board Member, MyPermissions

Yasmeen Rahman, EMEA Regional Coordinator, EU Law, BMW Group

IAPP Europe Data Protection Intensive, London, 16 April 2015

BMW GROUP PRIVACY. TRANSPARENCY IN MARKETING: BMW GROUP, THE INSIDER'S VIEW

BMW Group Privacy, IAPP European Intensive, April 2015

Transparency in Marketing

Drivers and impact assessments

Privacy Impact Assessments

• tool for extracting facts

• creates framework for discussion

• not just legal analysis - assess against commercial risk appetite and corporate ethos

• mitigating actions to be taken

• PIA requirement can be attached to specific project gateways e.g. digital platform changes

• the outcome - business enabler and greater transparency

Conducting Impact Assessment

• Understanding jurisdiction(s) and applicable law

• Identifying the players - data controllers and data processors

• Recognizing what personal data/private information is processed

• Work through application of principles, lawful reasons, fairness, transfers, filings, etc

• other relevant issues

– Other legislation/laws/torts!

– Culture and expectations

– Political/regulatory stance

PIA Report

• Consider actual and potential breaches

– Legal and practical consequences

– Likelihood of action and impact

• Business case justifying privacy intrusion/implications

– alternatives considered and rationale for decisions made

• Mitigation steps/design features

• Bear in mind legal privilege - this may become published/disclosable

• Consider separate annexes for sensitive elements.

Other Transparency Drivers

• Consumer Rights Legislation

• Tort – Misuse of Private Information?

• Privacy and Electronic Communications Directive

• General Data Protection Regulation

Consumer Protection

• Unfair Commercial Practices Directive

• Local activity, UK Consumer Bill of Rights, Germany class action amendments

• Prohibits misleading acts/omissions and aggressive commercial practices

– false product information or deceptive presentation

– providing material information which is unclear, ambiguous or untimely

– failure to abide by commitments in a code of conduct

• Remedies

– not the same jurisdictional constraint on establishment of controller

– sanctions can include imprisonment

– burden of proof on trader

– policy non-compliance actionable as breach of contract?

• Could be applied to privacy practices - increasingly a significant factor in consumer entering into contract?

Misuse of Private Information

• UK Court of Appeal Judgement 27/03/2015 – Google Inc v Vidal-Hall, Hann and Bradshaw

• misuse of private information determined as a tort – distinct from breach of confidence

• consent required for use of “private information”

– other lawful reasons/exemptions not specified

PECD

• Stricter rules than DPD alone

• Consent – freely given, specific and informed AND:

– notified to the sender (not a third party?)

– that he consents for the time being (Ongoing?)

– to such communications (what type?)

– being sent by or at the instigation of the sender (third parties?)

• Inferring consent more difficult

• Driving greater transparency on consent obtained by or for third parties

GDPR Consent?

• Expansive definition of personal data

• Profiling

• Consent

– Data controller to bear the burden of proof

– right to withdraw his consent at any time

– purpose-limited - will lose its validity when purpose ceases to exist or as soon as processing is no longer necessary for carrying out the purpose for which they were originally collected.

– no bundling

Questions

Paula Barrett Eversheds Tel: +44 (0)207 919 4634

@aureliepols Europe Data Protection Intensive – London 2015

Transparency in Marketing

Tools

Analytics

Permissions

Customer relationship evolution

Slide borrowed from Benjamin Mercier, Senior Digital Analytics Manager, Barclays Personal & Corporate Banking

eMetrics Summit London, Big Data for Marketing, September 2014

Where each tool can

• Collect data

• Aggregate data

• Share data

• Calculate new data

• Push data towards other systems

And your company could

• Adhere to the Terms of Service, Terms of Use, … or not

• Align the use of these tools with your own policies… or not

• Find yourself in trouble due to some data use down the road… or not

So let me ask you 2 simple questions

1. When did Google last change its Privacy Policy?

2. Is your company using, e.g., Google Analytics?

3. Bonus: who owns the data?

An EU perspective of marketing

Source: Amicus brief for the Digital Analytics Association (DAA), Should you measure when a user logs out? Author Aurélie Pols http://www.slideshare.net/AurliePols/privacy-ethics

Technology is advancing

Digital professionals look at vendors for Privacy answers

The power of tool vendors

And set-up terms to protect their (own) liability within the data flows

You need to grasp and make marketing understand your shared liabilities!

Source: http://dynamical.biz/blog/technical-analytics/collecting-ga-userid-into-ga-can-violate-google-analytics-tos-75.html

Vendors who get confused

Who is liable here?

Remember those cookies?

How those Privacy Policies need to be kept up to date?

How about receiving an alert when they aren’t anymore?

It would trigger internal processes for follow-up

How? Tools to follow up on digital

How many mobile and cloud based apps is your company responsible for?

Which permissions on mobile are accessed?

BYOD: are company contacts accessed? What are the risks?

How? Tools to follow up on mobile

NIST’s Privacy Triad

Predictability: Enabling reliable assumptions about the rationale for the collection of personal information and the data actions to be taken with personal data

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal Privacy and proprietary information

Manageability: Providing the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.

• Collaboration & Responsibility (not only legal)

– Privacy training & escalation procedures

• Data lineage & consent management

– Data origins & life cycle

– Manage individual choices & consent

We’re not even close!

• Change to the data value exchange

– Maintaining data quality (collected, processed & used)

• Commercial advantages

– Increased Trust; reduced Brand Erosion due to unsystematic Privacy management

– Better data governance, optimized use of Data Science

Sell this to Marketing!

Data tension due to data leeching

Analytics capabilities

Customer feelings of creepiness

Harm?

Data quality?

INTERESTED IN SCANNING THOSE MOBILE APPS? HTTP://WWW.MYPERMISSIONS.COM

Questions? Comments? Agree? Disagree?

Our Top 5 Questions for Marketing

Yasmeen

• What is the background and business objectives of what you are doing?

• How will it impact the customer and customer relationship?

• Where are we getting the customer data from and what are we going to do with it?

• In BMW and outside BMW, who is involved?

• What technologies, IT systems, and platforms are involved?

Paula

• What are you seeking to achieve?

• What data are you collecting?

• Are you working with a vendor or partner organisation to achieve this?

• What tools will be used to do this?

• Where is this data collection and analysis happening?

Aurélie

• What tools do you use?

• Which data do you collect, store & use in which tool?

• How does the data flow?

• Who has access?

• Which data do you create?