PRIVACY INSIGHT SERIES

Summer / Fall 2017 Webinar Program

Profiling, Big Data & Consent Under

the GDPR

October 11, 2017

2017 TrustArc Inc Proprietary and Confidential Information

 Thank you for joining the webinar

Profiling, Big Data & Consent Under the

GDPR

We will start 2-3 minutes after the hour

This webinar will be recorded both the recording and

slides will be sent out via email later today

Please use the GotoWebinar Control Panel on the right

hand side to submit any questions for the speakers

2 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Todays Speakers

Mark Webber
US Managing Partner, Fieldfisher

Helen Huang
Sr. Product Manager, TrustArc

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Profiling and Big Data

4 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

What is changing?

New definition of profiling

Strengthened individual rights
(e.g. automated decision-making)
Greater focus on accountability and
governance
Increased transparency requirements
Wider definition of personal data
(e.g. location data, online identifiers,
technology identifiers etc.)

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Profiling and the GDPR

Two key questions:

1) What is profiling under

the GDPR?
2) Is it restricted?

Not all profiling is legally restricted!

6 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

What is profiling?

any form of automated processing of personal data

consisting of the use of personal data to evaluate certain
personal aspects relating to a natural person, in particular to
analyse or predict aspects concerning that natural persons
performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or
movements (GDPR Article 4)

Evaluation

Analytics Targeting

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Grounds for processing
Article 6 GDPR Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) The data subject has given consent to the processing of his or her personal data for one or
more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is
subject;

(d) processing is necessary to protect the vital interests of the data subject or of another
natural person;

(e) processing is necessary for the performance of a task carried out in the public interests
or in the exercise of official authority vested in the controller
(f) Processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overrriden by the interests or
fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

8 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Grounds for processing (2)

Organisations need to ensure that they have

clear grounds for lawful processing
Under the GDPR consent is NOT
mandatory

REQUIRED

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

But consent is defined

'consent' of the data subject means any freely

given, specific, informed and unambiguous
indication of the data subject's wishes by which he
or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of
personal data relating to him or her

10 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Relying on consent
If relying on consent to collect and use an individuals personal data, the
GDPR says that consent must be:

unambiguous if the data in question is ordinary, non-sensitive

personal data (Art 6 of the GDPR says that consent is needed, and
Art 4 defines consent to be unambiguous - hence unambiguous
consent); but

explicit if the data in question is sensitive personal data (i.e. relates

to any of the categories of sensitive data listed in Art 9(1) of the
GDPR, such as physical or mental health data, racial or ethnic origin,
and so on)

I Agree

11 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Unambiguous v explicit consent
Unambiguous consent:

given by a statement or by a clear affirmative action (Article 4)

given by a clear affirmative actsuch as by a written statement, including by
electronic means, or an oral statement (Recital 32)
Silence, pre-ticked boxes or inactivity should notconstitute consent (Recital 32)
Or given through another statement or conduct which clearly indicates in this
context the data subjects acceptance of the proposed processing of his or her
personal data (Recital 32)

Explicit consent
= Explicit affirmative action, i.e. explicit consent
- its also clear (unambiguous)
I agree to my personal data being processed by X for Y purposes
Ticking an unchecked box to say I consent
Event sign-in, participants told that their details will be used for a specific type of
profiling and asked (verbally) whether they consent to this processing

12 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Automated decision-making
Individual has right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her

Profiling is not in and of itself an automated decision!

1. There must be a decision

2. There must be automated processing
(which may include profiling)
3. Decision must be based solely on
automated processing
4. Decision must produce legal effects
or otherwise significantly affect the
individual

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Automated decision-making (2)
Automated decision making IS permitted if:

1. Authorised by Union or Member State law

2. Necessary for the contract between the data subject and data controller
3. Data subject has provided explicit consent.

But dont forget!

Right to express their view

Right to obtain explanation of decision reached
Right to object / challenge the decision
Sensitive data / children

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Other obligations
Ensure data is processed fairly and transparently
Use appropriate mathematical or statistical procedures
Implement technical and organisational measures to avoid and correct errors and
minimise bias or discrimination
Provide meaningful clear information (i) about existence of automated decision
making, including profiling; and (ii) logic involved and significance and envisaged
consequences of profiling.

Comply with principles of accuracy, storage limitation and privacy by design

Data must be kept accurate and up-to-date garbage in, garbage out?
Ensure data is not kept for longer than necessary
Incorporate processes by default and by design

Honor the right to object exercised by any data subject (whether or not automated)

Carry out Data Protection Impact Assessment (DPIA) for high risk processing

Appoint Data Protection Officer (DPO) if required

15 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Profiling and ePrivacy

ePrivacy Directive
New ePrivacy Regulations, May 2018?

Cookies still require consent with browsers and similar software required to
provide cookie and tracking controls
Website owners will need to be able to demonstrate that users have consented
Website owners will be responsible for managing consent needed for third party
tracking
Cookies will be permitted for first party or third party analytics

16 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program

Implementing a Consent Solution

Key Features

2017 TrustArc Inc Proprietary and Confidential Information

GDPR Consent Considerations

Legal and policy

Business strategy
Technology and architecture
Implementation steps

18 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Poll Question

What types of data activities will you rely on

Consent as the legal basis for processing?
1. Digital tracking technologies (e.g. cookies)
2. Marketing activities (e.g. email marketing)
3. Other

19 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

GDPR Consent Requirements

Capturing a robust-enough audit trail to show that a

person has consented to processing his/her data

Ability to configure the notice as default opted out

(checkbox unchecked) to get affirmative consent from the
user

20 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

GDPR Consent Requirements

Ability to ensure that no tracking happens until user

consents, unless its strictly necessary
Ensure you can request consent again when processing
purpose or scope of transfer changes

Ability to handle consent for other marketing activities,

such as email or SMS marketing

21 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

Poll Question

How do you plan to comply with GDPR consent

requirements?
1. Build in-house solution
2. Reuse an existing software
3. License a privacy technology solution
4. Other

22 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

GDPR Consent Compliance Steps

1. Discovery of consumer touch points

1. Data flow inventory and mapping
2. Cookies and marketing activities
2. Figure out where Consent is used as legal basis for
processing
3. Make a build or buy decision for GDPR consent solution
1. Developer resources near-term and long-term
2. Internal software systems to reuse
3. Compliance timeline or risk appetite
4. De-risk by working with partner with privacy as core competency

23 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program

Questions?

2017 TrustArc Inc Proprietary and Confidential Information

PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program

Contacts

Helen Huang hhuang@trustarc.om

Mark Webber Mark.Webber@fieldfisher.com

2017 TrustArc Inc Proprietary and Confidential Information

Privacy Insight Series 2017 Calendar

To register for Summer/Fall webinars and/or past webinar recordings

visit: www.trustarc.com/insightseries

26 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc

PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program

Thank You!
Please take a quick minute and complete our post-webinar survey that will
appear as you exit the platform.

Register for the next webinar in our Series November 15th

6 Months to Go: How will the GDPR be Enforced?

2017 TrustArc Inc Proprietary and Confidential Information