Profiling, Big Data & Consent Under the GDPR by TrustArc

PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program

Profiling, Big Data & Consent Under the GDPR October 11, 2017

Thank you for joining the webinar “Profiling, Big Data & Consent Under the GDPR”

• We will start 2-3 minutes after the hour • This webinar will be recorded – both the recording and slides will be sent out via email later today • Please use the GotoWebinar Control Panel on the right hand side to submit any questions for the speakers 2

Privacy Insight Series - trustarc.com/insightseries

Todayâ&#x20AC;&#x2122;s Speakers

Mark Webber US Managing Partner, Fieldfisher

Helen Huang Sr. Product Manager, TrustArc

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

Profiling and Big Data

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

What is changing? • New definition of profiling • Strengthened individual rights (e.g. automated decision-making) • Greater focus on accountability and governance • Increased transparency requirements • Wider definition of personal data (e.g. location data, online identifiers, technology identifiers etc.)

Privacy Insight Series - trustarc.com/insightseries

Profiling and the GDPR Two key questions: 1) What is profiling under the GDPR? 2) Is it restricted?

Not all profiling is legally restricted!

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

What is profiling? “…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (GDPR Article 4) …Evaluation…

Analytics…

Privacy Insight Series - trustarc.com/insightseries

…Targeting

Grounds for processing Article 6 GDPR â&#x20AC;&#x201C; Lawfulness of processing Processing shall be lawful only if and to the extent that at least one of the following applies: (a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interests or in the exercise of official authority vested in the controller (f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overrriden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

Grounds for processing (2) • Organisations need to ensure that they have clear “grounds” for lawful processing • Under the GDPR – consent is NOT mandatory……

REQUIRED

Privacy Insight Series - trustarc.com/insightseries

But “consent” is defined… 'consent' of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Privacy Insight Series - trustarc.com/insightseries

Relying on consent If relying on consent to collect and use an individual’s personal data, the GDPR says that consent must be:

“unambiguous” if the data in question is ordinary, non-sensitive personal data (Art 6 of the GDPR says that “consent” is needed, and Art 4 defines consent to be “unambiguous” - hence “unambiguous” consent); but “explicit” if the data in question is sensitive personal data (i.e. relates to any of the categories of sensitive data listed in Art 9(1) of the GDPR, such as physical or mental health data, racial or ethnic origin, and so on)

 I Agree 11

Privacy Insight Series - trustarc.com/insightseries

Unambiguous v explicit consent •

Unambiguous consent: • • • •

•

Explicit consent

• • •

given “by a statement or by a clear affirmative action” (Article 4) given “by a clear affirmative act…such as by a written statement, including by electronic means, or an oral statement” (Recital 32) “Silence, pre-ticked boxes or inactivity should not…constitute consent” (Recital 32) Or given through “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data” (Recital 32)

= Explicit affirmative action, i.e. explicit consent - it’s also clear (unambiguous) “I agree to my personal data being processed by X for Y purposes” Ticking an unchecked box to say “I consent” Event sign-in, participants told that their details will be used for a specific type of profiling and asked (verbally) whether they consent to this processing

Privacy Insight Series - trustarc.com/insightseries

Automated decision-making Individual has right not to be subject to “…a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”

…Profiling is not in and of itself an automated decision!

1. There must be a decision 2. There must be automated processing (which may include profiling) 3. Decision must be based solely on automated processing 4. Decision must produce “legal effects” or otherwise “significantly affect” the individual

Privacy Insight Series - trustarc.com/insightseries

Automated decision-making (2) Automated decision making IS permitted if: 1. Authorised by Union or Member State law 2. Necessary for the contract between the data subject and data controller 3. Data subject has provided explicit consent.

…But don’t forget!  Right to express their view  Right to obtain explanation of decision reached  Right to object / challenge the decision  Sensitive data / children

Privacy Insight Series - trustarc.com/insightseries

Other obligations ► Ensure data is processed fairly and transparently  Use appropriate mathematical or statistical procedures  Implement technical and organisational measures to avoid and correct errors and minimise bias or discrimination  Provide meaningful clear information (i) about existence of automated decision making, including profiling; and (ii) logic involved and significance and envisaged consequences of profiling. ► Comply with principles of accuracy, storage limitation and privacy by design  Data must be kept accurate and up-to-date – garbage in, garbage out?  Ensure data is not kept for longer than necessary  Incorporate processes by default and by design ► Honor the “right to object” exercised by any data subject (whether or not automated) ► Carry out Data Protection Impact Assessment (DPIA) for high risk processing

► Appoint Data Protection Officer (DPO) if required 15

Privacy Insight Series - trustarc.com/insightseries

Profiling and ePrivacy

 ePrivacy Directive  New ePrivacy Regulations, May 2018?

• • • •

Cookies still require consent – with browsers and similar software required to provide cookie and tracking controls Website owners will need to be able to demonstrate that users have consented Website owners will be responsible for managing consent needed for third party tracking Cookies will be permitted for first party or third party analytics

Privacy Insight Series - trustarc.com/insightseries

PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program

Implementing a Consent Solution Key Features

GDPR Consent Considerations • • • •

Legal and policy Business strategy Technology and architecture Implementation steps

Privacy Insight Series - trustarc.com/insightseries

Poll Question What types of data activities will you rely on Consent as the legal basis for processing? 1. Digital tracking technologies (e.g. cookies) 2. Marketing activities (e.g. email marketing) 3. Other

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

GDPR Consent Requirements • Capturing a robust-enough audit trail to show that a person has consented to processing his/her data

• Ability to configure the notice as default opted out (checkbox unchecked) to get affirmative consent from the user

Privacy Insight Series - trustarc.com/insightseries

GDPR Consent Requirements • Ability to ensure that no tracking happens until user consents, unless it’s strictly necessary • Ensure you can request consent again when processing purpose or scope of transfer changes

• Ability to handle consent for other marketing activities, such as email or SMS marketing

Privacy Insight Series - trustarc.com/insightseries

Poll Question How do you plan to comply with GDPR consent requirements? 1. 2. 3. 4.

Build in-house solution Reuse an existing software License a privacy technology solution Other

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

GDPR Consent Compliance Steps 1. Discovery of consumer touch points 1. Data flow inventory and mapping 2. Cookies and marketing activities

2. Figure out where Consent is used as legal basis for processing 3. Make a build or buy decision for GDPR consent solution 1. 2. 3. 4.

Developer resources near-term and long-term Internal software systems to reuse Compliance timeline or “risk appetite” De-risk by working with partner with privacy as core competency

Privacy Insight Series - trustarc.com/insightseries

PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program

Questions?

PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program

Contacts

Helen Huang Mark Webber

hhuang@trustarc.om Mark.Webber@fieldfisher.com

Privacy Insight Series â&#x20AC;&#x201C; 2017 Calendar

To register for Summer/Fall webinars and/or past webinar recordings visit: www.trustarc.com/insightseries

Privacy Insight Series - trustarc.com/insightseries

ÂŠ 2017 TrustArc Inc

PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program

Thank You! Please take a quick minute and complete our post-webinar survey that will appear as you exit the platform. Register for the next webinar in our Series – November 15th “6 Months to Go: How will the GDPR be Enforced?”