Digital Banking and Data Protection
Achieving balance of compliance with customer experience and opportunity
30 September 2015
Paula Barrett, Partner

Data protection compliance
− Recognizing what personal data/private information is processed
− Identifying the players: data controllers and data processors
− Work through application of principles, lawful reasons, fairness, transfers, filings, etc.
− Gather permissions where needed
− Give fair notice
Other relevant issues:
• Other legislation/laws/torts
• Culture and expectations
• Political/regulatory stance

Personal data – can you spot it?
Current DPA Definition: “Personal Data” means data which relate to a living individual who can be identified:
(a) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
(b) includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
• Not just names – other identifiers too
• Think about ability to combine with other data within business
• Can include Twitter names, MAC address, fixed IP address

The players?
− Spot the data controller(s)!
• Often more than one in digital platforms
• Within group?
• Third parties?
• Relevant for determining:
  • Applicable law
  • Who carries DPA responsibility?
  • Lawfulness requirement in transfers from DC to BC
• Limited exemptions
− Who are the data processors?
• Contractual requirements under DPA to be met
• Under UK DPA no direct obligations
• Position may change under GDPR
• Geographic restrictions on transfers

Notices and privacy policies: when & how to deliver
Fair Processing Notice must be given prior to or within a reasonable time of data being collected.
− Timing:
• When does data collection really commence?
• Bear in mind varying sources and channels – app, social media, other accounts, etc.
• Do you need a third party to provide notice/expand notices to specifically include us and our processing?
− Scope – transparency is essential and becoming more so
− Consistency across platforms (on and offline)
• Expanding digital processing may mean we have to expand the non-digital notices and notices on other platforms, e.g. Facebook etc.
− Technical constraints and customer experience
• Screen and text limitations
• Layering
• Links to website and other locations for further detail
Eversheds LLP |

Collection of permissions: when, what and how
For each category of personal data you need a lawful reason for processing it.
− Start with working out what processing you are doing
• Need to understand the totality of processing, including any sharing with other group companies and third parties
− Treat consent as a last resort – not the first one
• It can be withdrawn at any time
− Other lawful reasons:
• Consider statutory obligation
• Legitimate interest
• At request of individual
• Fulfilment of contract
• Anti-fraud
• Remember all qualified by “necessary for” test and proportionality
− Transparency on consent obtained by or for third parties
− How will marketing preference be exercised? Tools within the digital product?
− Operationally/technically need to be able to respond to consent changes from a range of sources

Questions?
Paula Barrett, Partner, Company Commercial
+44 777 575 7958
paulabarrett@eversheds.com
Eversheds, One Wood Street, London EC2V 7WS
eversheds.com
©2015 Eversheds LLP. Eversheds LLP is a limited liability partnership.