Changes to EU data protection legislation are imminent and could have potentially devastating consequences for your business. Don’t be caught by surprise! The DMA is keeping in close touch with developments as the European Parliament and Council prepare to debate this business-critical piece of legislation this autumn. Caroline Roberts, Director of Public Affairs at the DMA will provide an update on the draft EU Data Protection Regulation and the DMA's lobbying activity. Kathryn Wynn, Senior Associate at Pinsent Masons will discuss Big Data: Identifying the Opportunities and Overcoming the Legal Obstacles

1. Data protection 2013
Friday 8 February
#dmadata
Supported by
DMA Scotland legal update
Wednesday 25 September 2013
#dmascotland

2. 8.30am Registration and breakfast
9.00am Welcome from the Chair
9.10am Kathryn Wynn, Senior Associate, Pinsent Masons
09.40am Caroline Roberts, Director of Public Affairs, DMA
10.10am Q&A
10.40am End
Agenda

3. Big data: identifying the
opportunities and overcoming the
legal obstacles
Kathryn Wynn, Senior Associate, Pinsent Masons

4. Big Data: Identifying the
Opportunities and Overcoming the
Legal Obstacles
Kathryn Wynn
Wednesday 25 September 2013

5. Outline
• What is Big Data?
• What is the Big Deal?
• How is Big Data being used?
• Big Data and legal risk:
– Who owns the data?
– Data Protection, privacy policies and gaining consent
Develop your big data strategy, address legal risk early,
focus on customer expectations

6. Managing the Risk
Compliance
Privacy by design
Customers’ expectations and
control

7. What is Big Data?

8. What is Big Data?
“data sets that are too large and complex to
manipulate or interrogate with standard methods or
tools:
much IT investment is going towards managing and
maintaining big data”

9. What is the Big Deal?

10. Buying and Selling Big Data
Source - Tata Consultancy Services

11. Buying and Selling Big Data
Source: Financial Times, 13 June 2013

12. What is Your Big Data Strategy?
• Strategy 1 -
– “Why not just dump it in there and figure out what else you can
do?”
- Jill Dyché, SAS Institute Inc.
• Strategy 2 –
– What are our objectives?
• Can I use more data to drive decisions?
– What data do I have available?
• From what sources are data available to me?
– What infrastructure /platforms do I have available, can I use?
• Proprietary, open source?
• Shared infrastructure?

13. Big Data in use

14. Big Data in Insurance
Nine out of 10
say big data will
help price risk
more accurately
82% say
insurers that do
not capture the
potential of big
data will
become
uncompetitive
96% say the
digitally enabled
world will see the
emergence of new
risk rating factors
The Big Data Rush: How Data Analytics Can Yield
Underwriting Gold Survey
Ordnance Survey and the Chartered Insurance
Institute

15. Big Data and Supply Chain Synergies
“We can now store, share
and allow our vendors to
analyze data using a
common platform – ultimately
allowing us to better serve
our customers”
- Richard Angelillo
A&P Head of IT Strategy & Delivery

16. Data Sharing in mHealth?
“The next time you use your
smartphone to inquire about
migraine symptoms or to check
out how many calories were in
that cheeseburger, there is a
chance that information could
be passed on to insurance and
pharmaceuticals companies.”
- The Financial Times, 1
September 2013

17. Big Data and the question of ‘ownership’

18. Who Owns the Data?
• No-one can own facts per se.
(International law)
• Data v ‘expressions of data’
(copyright)
• Data and ‘database rights’
• Data v ‘content’
(Fairstar Heavy Transport [2012])
• Data and confidential information

19. Who Owns the Data?
Ownership &
related
restrictions
Database right
Copyright
Confidentiality
restrictions
No ownership
restrictions
Fact per se

20. Database Rights Restrictions
What is a
database?
• "... a collection of independent works, data or other materials which
are arranged in a systematic or methodical way ..."
What is
protected?
• “... substantial investments in ‘obtaining, verifying or presenting
content’ ...”
• “... not the creation of facts.”
What is
restricted?
• extraction or re-utilisation of a whole database or a substantial part of
its content
• systematic extraction or re-utilisation of insubstantial parts of a
database

21. Who Owns the Data?
Ownership &
related
restrictions
Database right
Copyright
Confidentiality
restriction
No ownership
restrictions
Fact
String of facts
devoid of copyright,
not taken from a
database, not
confidential

22. Big Data and data protection
privacy, security, accuracy, legitimacy

23. Personal Data Restrictions
What is personal
data?
• "data which relate to a living individual who can be identified from those
data, or from those data and other information which is in the possession
of, or is likely to come into the possession of, the data controller ..."
What are the
restrictions on
use?
• legitimate use business purpose?
• consent how obtained?
• other restrictions
What are the
options?
• anonymising data
• privacy policies and terms of service
• icons

24. Anonymisation Risks

25. Restrictions on Use
Ownership &
related
restrictions
Database right
Copyright
Confidentiality
obligation
Data protection
laws
No ownership
restrictions
Fact
String of facts
devoid of copyright,
not taken from a
database, not
confidential
Anonymised data
Consent, legitimate
interest, other; or
licence

26. Big Data and data protection
firming up consent and transparency

27. The Privacy Policy Problem

28. The Privacy Policy Problem
• 36,275 wordsPAYPAL
• 30,066 wordsHAMLET
• 19,972 wordsAPPLE iTUNES
• 18,110 wordsMACBETH
• 14,714 wordsWINDOWS LIVE
• 13,366 wordsAPPLE iOS 5
• 11,195 wordsFACEBOOK
• 10,640 words
GOOGLE ALL-
INCLUSIVE
Source - Which?

29. ICO Guide: Direct Marketing
• ICO Enforcement
– FOCUS: Organisations that generate highest number
of complaints
– £440,000 MPN for Tetrus Telecoms

30. Consent
• CONSENT is necessary for data sharing of buying /
selling databases
• VALID CONSENT:
– Freely given
– Specific in the context of direct marketing
– Informed
– An indication signifying consent

31. Consent for SMS/EMAIL marketing
• The recipient has notified the sender
• For the time being
• To such communications
• Being sent by the sender

32. Implied Consent
• Implied consent: Cannot rely on lengthy privacy policy
• Clear and relevant information readily available to the
customer
• Implied consent can be valid BUT
• Not a euphemism for ignoring the need for consent
• Must include:
– Positive action indicating consent
– Understood what consenting to
– Genuine choice
• Sometimes providing data indicates consent BUT not when
integral to the service

33. Indirect Third Party Consent
• Consent extends to another organisation
• Transparency requirements: clear that data would be passed on
and how used?
• Ensure that clear from outset that data will be shared for
marketing purposes
• Valid consent: Specifically name the organisation or refer to a
category of organisation
• Consent limited in time

34. Refresh and Review of Marketing
Consents
• Big Data: significantly and genuinely departs
from marketing being carried out at the time of
the opt in / opt out
• Review existing consent mechanisms and
privacy policies
• Clear, succinct and prominent
• Consider cookies consent mechanism
• Are you doing what customer expects you to
do? If so, would they still give consent?

35. Managing the Risk
Compliance
Privacy by design
Customers’ expectations and
control

36. Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) authorised and regulated by
the Solicitors Regulation Authority, and by the appropriate regulatory body in the other jurisdictions in which it operates. The word ‘partner’, used in
relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm of equivalent standing. A list of the
members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP’s registered office: 30 Crown Place,
London EC2A 4ES, United Kingdom. We use ‘Pinsent Masons’ to refer to Pinsent Masons LLP and affiliated entities that practise under the name
‘Pinsent Masons’ or a name that incorporates those words. Reference to ‘Pinsent Masons’ is to Pinsent Masons LLP and/or one or more of those
affiliated entities as the context requires. © Pinsent Masons LLP 2013
For a full list of our locations around the globe please visit our websites:
www.pinsentmasons.com www.Out-Law.com

37. The draft EU data protection
regulations
Caroline Roberts, Director of Public Affairs, DMA

38. Update on Draft EU Data
Protection Regulation
DMA Scotland
25th September 2013
Caroline Roberts
Director of Public Affairs
Direct Marketing Association (UK)

39. Context - why now?
1995 European Directive (implemented into UK by
1998 Data Protection Act) showing its age…
1) New technologies and more complex
information networks
2) Lack of common European law and differences
in national implementation
3) Consumer concern over privacy
4) Data protection now fundamental right under EU
Charter of Fundamental Rights

40. Headline proposed changes
• Expanded definitions: “personal data” and
“data subject”
• Explicit consent required
• Right to be forgotten
• Greater emphasis on accountability
• Notification of data security breaches
• More onerous sanctions for breaches
• Data processors directly covered

41. Consent
Consent: Current
Position
Consent: Proposed
Position
- Freely given,
specific, informed
indication of the
data subject’s
wishes
- Explicit consent
required for
sensitive personal
data only
-Freely given, specific, informed
and explicit indication of data
subject’s wishes
-Given either by a statement or
a clear affirmative action
- Data controller / data subject
relationship to be taken into
account
- Burden of proof on controller to
demonstrate consent

42. Introduction of opt-in/explicit
consent
• Review language used at point of data
collection to ensure that consent is explicit
/opt-in
• Do people understand what they are
agreeing to?
• Think about how legacy databases will be
updated

43. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could
cover some IP addresses and cookies as
“online identifiers”
• But IP addresses identify a device not an
individual + some IPs are general
• Huge implications for digital marketers
• Web analytics & profiling made much more
difficult, if not impossible
• Interaction with new cookie rules problematic

44. Key points in the draft Regulation
The right to be forgotten
• Right for individuals to request organisations to delete
any information held on them
• Drafted with social media in mind – but goes beyond
this
• Problem of information that has already been passed
on to third parties
• Possibility of misleading consumers by raising
unrealistic expectations
• Changes to current text likely

45. Key points in the draft Regulation
Data Breach notification
• Any data security breach to be notified to ICO and the
individuals concerned within 24 hours
• Report to cover:
• nature of breach
• number of data subjects
• categories of data
• proposed mitigation
• Not always obvious if there has been a breach or how
extensive it is
• Problem of notification fatigue
• No threshold level specified

46. Data security breach notification
Companies need to:
• Introduce breach notification detection
procedures
• Think about how to notify data protection
authorities and affected individuals within
whatever timescale is agreed
• Develop/review data breach response plans

47. Key points in the draft Regulation
Subject Access Requests
(SARs)
• Data subjects to be able to request full information on
data held on them free of any charge
• Currently can levy a £10 fee – doesn’t cover cost but
deters time-wasters, frivolous or vexatious requests
• Costs organisations £50 million p.a. now to meet SARs
• Proposal that can provide data in electronic form if data
subject agrees to this
• Particular problem for financial services with mis-selling
issues and claims management firms

48. Subject Access Rights
• New Regulation may lead to increased public
awareness of rights e.g., right to request
information (data subject access requests, right to
be forgotten)
Companies need to:
• Plan ahead for increase in queries from
clients/public
• Introduce appropriate training for client/customer
service teams

49. Key points in the draft Regulation
Compliance obligations
• Data protection obligations now shared between
agencies and clients, for example if holding
client’s database
• Privacy by Design/Privacy by Default
• Appointment of DP officer (250+ employees)
• 2 year appointment
• Independent reporting to board
• Information and training
• Maintenance of documentation
• Data protection impact reports
• International transfers of data outside EEA – law
would apply to any processing of data or EU
citizens

50. Compliance obligations
Action:
• Review amount of data being processed, erasure
policies and data retention policies
• Requirement to demonstrate compliance will
mean more documentation in respect of policies
and procedures
• Contact centres, mailing houses, email/SMS
broadcasters will also be subject to these new
obligations, especially in respect of data security
• Review staff training in data protection.
• Appointment of a data protection officer?
• Risk- based approach to compliance and data
protection impact assessments

51. Proposed enhanced sanctions
• Up to €500k or 1% annual worldwide turnover
intentional or negligent failure to respond to
subject access requests in accordance with
Regulation
• Up to €1m or 2% of annual worldwide turnover
for other compliance failures
• Depends on:-
• size of organisation involved
• nature and gravity of breach
• whether intentional or negligent
• technical and organisational measures
• previous breaches
• co-operation with ICO

52. Key Points in the draft Regulation
Delegated Acts
• Many details to be implemented through additional
delegated legislation – some 45 Delegated Acts
mentioned.
• Details will not be clear until Regulation is passed
• These areas of secondary legislation will include:
• powers to specify further procedures
• technical standards for Privacy by Design/Default
• specification of lawful processing condition
• additional responsibilities for national data
protection authorities; etc.
• European Commission taking significant powers to itself
away from the national authorities - raises serious issues
of subsidiarity and accountability
• National governments and Data Protection Authorities are
concerned

53. Scope of the Draft Regulation
• Main establishment/ one- stop shop
provisions
• Think about which country’s national data
protection authority will be lead regulator
• Possibility of changing country where head
office is located
• Review arrangements for transfers of data
outside EEA (28 Member States of EU +
Iceland, Liechtenstein, Norway)
• Global group – application to EU citizens’
personal data.

54. Impact on direct marketing
•Existing databases may not be usable: could decimate
prospect lists. Legacy data?
•No tracking data, profiling or segmentation without
explicit consent – less targeted and more generic
communication?
•List broking severely restricted
•New information requirements and rights of the data
subject, e.g Right to be Forgotten
•Increased costs - £76,000 per business to comply +
possible £47 billion of lost sales in UK

55. Draft Regulation - DMA View
• DMA welcomes the Commission’s aim to reduce red
tape and simplify bureaucracy – but proposals do not
achieve that: overly strict, bureaucratic and
unworkable
• Needs to be a fair balance between privacy and
legitimate business interests
• Current proposals will stifle innovation, add
considerably to business costs and place
unnecessary obstacles to e-commerce jobs growth
• Will be particularly harmful to SMEs – MoJ says
demonstrating compliance will cost £10m p.a.
• Hard to say how Commission’s estimate of 2.3 billion
euro saving to businesses was calculated

56. FEDERATION OF EUROPEAN DIRECT AND INTERACTIVE
MARKETING
Codecision
Proposes
Legislation
Adoption
Into National Law
The process of EU decision-making

57. Current position – European
Parliament
• Civil Liberties Committee (LIBE) taking lead –
Rapporteur: Jan Philipp Albrecht MEP
(German Green)
• His report published 9th January – in parts
even tougher than Commission proposals
• 4 other Committees gave Opinions – 3000+
amendments tabled
• Vote to be taken in LIBE postponed from April
to May to June to September to October …….
• Could run out of time – elections in June 2014

58. Current position
– Council of Ministers
• Council of Ministers Working Group (DAPIX)
meeting monthly
• Initial indications that UK Government (and
others) taking helpful and business-friendly stance
• Many object to delegated acts; find it too
prescriptive and would prefer a more principles-
based approach
• UK pushing for a directive, rather than a
regulation – as is Germany

59. EU Council latest
• Irish Presidency revised draft on 31/5 on
chapters 1-4.
• A more business-friendly approach
• Right to privacy not an absolute right but must be
balanced with other fundamental rights
• Legitimate interest specifically recognised as legal
basis for processing
• “Explicit” becomes “unambiguous”
• Appointment of DPO discretionary
• Breach notification and other obligations on risk
based approach
• Still a way to go……
• Lithuania took over Presidency on 1/7

60. Current position
- Commission
• Commissioner Viviane Reding has said that
willing to look at: :
• More risk-based approach with focus on
type of data being processed
• Less prescription – although no detail
• Some exemptions for SMEs?
• Overall principles must be same for both
public and private sectors
• Delegated and implementing acts –self-
regulation perhaps for some?

61. Timing in the EU institutions
•Commission proposal for a Regulation in
January 2012
• Parliamentary lead committee draft report:
9 Jan 2013
•Deadline for tabling amendments: 27 Feb 2013
• Vote in leading committee: October 2013
•Trilogue with Council: October- December 2013
•Expected plenary vote (1st reading): End 2013
•Takes effect: 2 years after adoption – 2016?

62. Ministry of Justice
• Disagrees with Commission’s 2.3bn Euro savings –
burdens imposed will far outweigh net benefits: in UK
cost @ £100-360 million
• Many unintended consequences, esp for SMEs
• Changes to consent, profiling & definition of personal
data particularly costly to industry
• Likely knock-on effects for growth in technological sector
and internet economy
• Regulatory Impact Assessment quotes DMA’s figures &
examples
• Impact on behavioural advertising
• Creates unrealistic expectations for consumers – R2BF
proposal is “unworkable”
• Secretary of State Chris Grayling concerned about
impact on economy and jobs

63. Information Commissioner
• Proposals are “insufficiently risk-based
and contain unrealistic time limits”
• Very costly – who pays?
• Would compromise independence of
ICO
• Role of ICO would change from giving
advice and guidance to process-driven
checks
• UK could end up being a one-stop-shop
magnet

64. Key lobbying messages
• Data is essential for economic growth
• UK has leading role in EU digital economy
• SMEs particularly affected
• Transparent and responsible use of data is a vital
business practice
• In industry’s interests to handle data with care
• Self-regulation has valid role to play
• Regulation will not stop bad players
• The proposed regulation is bad for consumers
• Would damage users’ online experience
• Danger of tick-box culture & unrealistic expectations
• Need a proportionate data regime that recognises that not
all data is the same
• Personal data, sensitive data, anonymous/pseudonymous data
• Different levels of protection required

65. Lobbying activity
• In Brussels with key individuals in Council, Commission &
Parliament, e.g. MEPs & advisers; party groups
• In UK, Ministers in MoJ, DCMS, BIS, HM Treasury +
Opposition spokesmen
• Alliance of interests – UK Data Group, FEDMA, CBI, etc. -
for collective lobbying of Council and Parliament & lobbying
directly where there is no national DMA
• Position papers on priorities for industry + draft
amendments to text
• Research on consumer attitudes to privacy and on
economic value of the dm industry

66. DMA lobbying toolkit
www.dma.org.uk

67. Any Questions?
Caroline Roberts
Director of Public Affairs
caroline.roberts@dma.org.uk
020 7291 3346
Free advice for DMA members from
DMA’s Legal Department
by email: legaladvice@dma.org.uk
or call: 020 7291 3360

68. Panel Discussion

69. Upcoming events
Wednesday 23 October - Data protection compliance workshop
London - http://dma.org.uk/civicrm/event/info?reset=1&id=251
Thursday 14 November - Content Marketing event -
http://dma.org.uk/civicrm/event/info?reset=1&id=268
Thursday 21 November - Scotland Christmas Party -
http://dma.org.uk/civicrm/event/info?id=255&reset=1