Big Data for Mutuals Marc Dautlich 25 November 2013
Agenda
- BIG DATA: What is it?
- OPPORTUNITIES: What are they?
- LEGAL CHALLENGES: How do we overcome them?
- LEGAL REFORM: What can we do now to minimise impact?
Big Data What is it?
What is Big Data? Data sets that are too large and complex to manipulate or interrogate with standard methods or tools; much IT investment is going towards managing and maintaining big data.
What is Big Data? Commercial "aggregation, mining, and analysis" of very large, complex and unstructured datasets
Buying and selling Big Data Source: Tata Consultancy Services
Buying and selling Big Data Source: Financial Times, 13 June 2013
Opportunities What are they?
Regulatory Change
- RDR will push 43 million into advice gap
- Auto-enrolment: A new generation
Profiling
- Geolocation / daily routine
- Television viewing
- Current health data
- Leisure habits
- Age and lifestyle of dependents
- Employment prospects
- Credit rating
- Shopping habits
- Gender
- Marital status
- Age
- Wealth
- Health
- Risk appetite
- Google searches
- Website browsing
Big Data Opportunities for Mutuals
- Big Data-driven marketing?
- Big Data-driven product development?
- Big Data-driven risk management?
Legal Challenges How do we overcome them?
Legal Challenges
- Data protection restrictions attaching to personal data
- Ownership rights: who owns arrangements of data; alteration or license of rights by contract
Data Protection and Privacy
- Using Big Data: back to basics; transparency requirements; marketing rules
- Storing big data: security requirements; the cloud
KEY CONCEPTS
Profiling: Processing Personal Data?
- The Data Protection Act 1998 controls the way in which the personal data of data subjects is used by data controllers or processed on their behalf by data processors.
- Personal data is personal information, i.e. information which:
  - is about a living person and affects that person's privacy, in the sense that the information has the person at its focus and is biographical in nature;
  - identifies a person, whether by itself or together with other information in the organisation's possession (or likely to come into its possession);
  - includes structured files.
Key Themes
- Fairness: processing must be fair and lawful; no unwarranted prejudice; purpose limitation
- Transparency: fair processing / data protection notices and privacy
- Choice: consent must be specific, fully informed and freely given; right to object to certain types of processing
- Individual rights and redress: access to personal data; right to compensation
- Data quality: accurate and up-to-date; relevant and not excessive; not kept for longer than is necessary
- Security: appropriate security measures; adequate protection for extra-EEA transfers
MARKETING RULES
Profiling for Direct Marketing Purposes
- Transparency requirements:
  - What marketing is being carried out
  - By what means (eg telephone, fax, SMS, e-mail)
  - By which organisations (intragroup, carefully selected third parties)
- Direct marketing rules (PECR):
  - Notify that consents for the time being (email/SMS/MMS)
  - Soft opt-in (email/SMS/MMS)
  - Opt-out (telephone)
Marketing Consents: Where there is No Valid Consent
- Not all communications are marketing communications
- Customers can be contacted with service communications
- Must be factual rather than promotional
- Avoid prize incentives and text suggesting that the customer is missing out because they have opted out of marketing (Virgin)
Refresh of Marketing Consents
- New marketing significantly and genuinely departs from marketing being carried out at the time of the opt-out
- Overriding customer service justification (targeted and specific)
- Customers are not required to do anything to retain existing marketing preferences
Managing the Risk
- Compliance
- Privacy by design
- Customers' expectations and control
DATA SECURITY
The 7th Principle Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Safe Storage of Data: what are "appropriate technical and organisational measures"?
- State of technology
- Cost
- Nature of the data
- Reliability of employees
- Harm
Appointing a Data Processor
- Due diligence: data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out
- Monitoring: take reasonable steps to ensure compliance with those measures
- Written contract: data processor is required only to act on the instructions of the data controller; impose the seventh principle obligations upon the data processor
[Chart: Cases of Data Protection Breach by Principle. Categories: 3. Proportionality; 4. Data Quality; 5. Data Retention; 7. Data Security]
[Chart: Breach of Principle 7, Data Security, broken down by category]
Vendors and associated legal issues
Data and the Cloud
- Data security
- International transfers
- Standard terms
- US PATRIOT Act and other local laws
- Plan for exit
Cloud: Managing the Risks
- Weak negotiating positions / standard terms
- Identify security-focussed suppliers
- Data security a deal breaker
- Location of storage
- Extra-EEA transfers
- Health data?
- Audit obligations?
LEGAL REFORM What can we do now to minimise impact?
EU Data Protection Regulation One Regulation to Rule Them All
Regulation Objectives
- Consistency: harmonisation of data protection laws and enforcement across member states
- Setting up a one-stop shop in each member state for the resolution of data protection issues
- Cost savings?
Consent: Big Data constraints
- Consent / other legal basis for processing: legitimate interest is now more or less back in the current position relating to legitimate interests under the EU Data Protection Directive 95/46/EC
- Amendment to the definition of consent to include a purpose limitation: consent is no longer valid when the purpose for the processing ceases, or as soon as the processing is no longer necessary to carry out the purpose for which the personal data was originally collected
MARKETING
Changes that Impact on Marketing Rules
- Expanded definition of personal data: focuses solely on the identifiability or the potential identifiability of the data subject; other data now included, e.g. location data, online identifiers, biometric data
- Requirement for explicit consent: either by a statement or by a clear affirmative action; burden of proof on the data controller
- Profiling: consent required, or suitable safeguards, where profiling concerns or significantly affects the data subject
Managing the Risk
- Privacy policies / data protection notices
- Consent mechanism
- Compliance
- Keep marketing preferences under review
- Privacy by design
- Customers' expectations and control
DATA SECURITY
Data Security: Contracts with Data Processors
- Data processors also have statutory obligations: immediately to notify the data controller of a security breach; support the data controller to comply with its obligations
- Contracts with data processors: expanded mandatory provisions
- International transfers: can no longer rely on self-assessment
Impact on negotiations with cloud providers
- Processors now very motivated to specify exactly the limits of their remit
- Blurring responsibilities of the controller and processor
- Preserving liability status quo
- Who will drive market practice?
Data Security: Breach Notification
- Mandatory notification: all breaches to be notified without undue delay and, where feasible, within 24 hours (latest proposal: breaches that severely affect...within 72 hours)
- Notify individuals affected where the breach is likely adversely to affect them
- Fines: up to 2% of global turnover (including for failure to notify)
Prevention or Cure?
- Many current security incidents uncover OTHER data protection breaches (eg of the retention principle)
- Meeting the 72-hour deadline for notification where feasible will be a triumph of planning and rehearsal
- Rehearse now, while the regime is still voluntary
Questions? Marc Dautlich E: marc.dautlich@pinsentmasons.com DDI: 020 7490 6533
Pinsent Masons LLP 2013. www.pinsentmasons.com www.out-law.com