Digital Banking and Data Protection
Achieving balance of compliance with customer experience and opportunity
30 September 2015
Paula Barrett, Partner
Data protection compliance
−Recognizing what personal data/private information is processed
−Identifying the players: data controllers and data processors
−Work through application of principles, lawful reasons, fairness, transfers, filings, etc.
−Gather permissions where needed
−Give fair notice
Other relevant issues:
• Other legislation/laws/torts
• Culture and expectations
• Political/regulatory stance
Personal data – can you spot it?
Current DPA Definition: “Personal Data” means data which relate to a living individual who can be identified:
(a) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
(b) includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
• Not just names – other identifiers too
• Think about ability to combine with other data within the business
• Can include Twitter names, MAC address, fixed IP address
The players?
−Spot the data controller(s)!
• Often more than one in digital platforms
• Within group?
• Third parties?
• Relevant for determining:
  • Applicable law
  • Who carries DPA responsibility?
  • Lawfulness requirement in transfers from DC to BC
  • Limited exemptions
−Who are the data processors?
• Contractual requirements under DPA to be met
• Under UK DPA no direct obligations
• Position may change under GDPR
• Geographic restrictions on transfers
Notices and privacy policies
When & how to deliver
Fair Processing Notice must be given prior to or within a reasonable time of data being collected.
−Timing:
• When does data collection really commence?
• Bear in mind varying sources and channels – app, social media, other accounts, etc.
• Do you need a third party to provide notice/expand notices to specifically include us and our processing?
−Scope – transparency is essential and becoming more so
−Consistency across platforms (on and offline)
• Expanding digital processing may mean we have to expand the non-digital notices and notices on other platforms, e.g. Facebook etc.
−Technical constraints and customer experience
• Screen and text limitations
• Layering
• Links to website and other locations for further detail
Eversheds LLP |
Collection of permissions
When, what and how
For each category of personal data you need a lawful reason for processing it
−Start with working out what processing you are doing
• Need to understand the totality of processing, including any sharing with other group companies and third parties
−Treat consent as a last resort – not the first one
• It can be withdrawn at any time
−Other lawful reasons:
• Consider statutory obligation
• Legitimate interest
• At request of individual
• Fulfilment of contract
• Anti-fraud
• Remember all are qualified by the “necessary for” test and proportionality
−Transparency on consent obtained by or for third parties
−How will marketing preference be exercised? Tools within the digital product?
−Operationally/technically need to be able to respond to consent changes from a range of sources
Questions?
Paula Barrett
Partner, Company Commercial
+44 777 575 7958
paulabarrett@eversheds.com
Eversheds, One Wood Street, London EC2V 7WS
eversheds.com
©2015 Eversheds LLP
Eversheds LLP is a limited liability partnership