The Data Protection Audit How to prepare What to expect The end results Dublin Chamber of Commerce, March 24 th

ENGAGE AND COOPERATE Letter confirming the audit Average six week’s notice Triggered as random or subject to complaints Watch list in Ireland

Prepare! Key Considerations: Are you a Data Controller or Data Processor? Both? Do you need external help and advice? All focus is around the eight pillars of Data Protection Paper work and process Your knowledge/Employee knowledge DP Handbook

Consent: Should be Clear and Transparent Unambiguous consent (ODPC will endorse a consent process) Opt in for , sms and mobile Opt out for postal and landline? Pre-ticked box is not sufficient Referring to a Privacy Policy or T&C’s is not sufficient Eventual data usage is relevant to original consent

Consent Statement endorsed by ODPC: ‘’ By ticking this box you understand and agree to all the terms and conditions and our privacy policy.terms and conditionsprivacy policy By registering with XYZ, you agree to be contacted by XYZ and by carefully selected third parties for marketing purposes and understand you can be contacted by telephone, mobile, and postal. You can unsubscribe from such communications at any time.

UK Example - Fair Processing and Legitimate Consent Example in preparation for EU GDPR By ticking this box you agree to our terms and conditions and privacy policy and to receive information from [Brand Name] *terms and conditionsprivacy policy I agree that other companies in the retail, personal finance, insurance, travel or lifestyle sectors may contact me by post, , telephone or SMS. I agree that they may contact me by: Post Phone SMS You can opt-out of these messages at any time. For more details please see our Privacy Policy which also explains the types of companies who may contact you and the way they will use the information you have provided today as well as in the past. Be assured that any such parties will use your data in accordance with the UK Data Protection Act 1998 and other applicable law relating to privacy.Privacy Policy

Results - Learnings 1 ODPC are there to help, not act as a threat to the business Getting your organisation ready for ‘GDPR’ A Data Processor agreement is very important Self-assessment regularly to adapt and update your compliance process is now vital Train and educate your team to be compliant aware

Learnings - 2 Compliance is not difficult – Review your legacy data Data subject access requests currently 40 days to be reduced to 30 Don’t be afraid to ask ODPC the questions Experts are available in the ODPC to answer any question Over 120 staff - so call them! The 12 month rule Get ready now for the EU wide GDPR - two years to implement

Final Thoughts: Data Compliance in Ireland is one of the biggest barriers for Marketers to Direct Marketing It doesn’t have to be like this! We asked the ODPC: if a person is not on the NDD, could we include them in marketing ODPC said: ‘’ Yes. If a consumer is not on the NDD, a brand can call them. (There is also a requirement to ensure the consumer is not on the brand’s own DNC list).’’ We asked the ODPC: can we use SMS as a channel for marketing ODPC said: ‘’ Yes. SMS campaigns using mobile data are possible, providing the sender has the unambiguous consent of the phone owner for the sending of the marketing messages and that the consent is up to date (within the 12 month rule)’’

Creation Of National Suppression File - MPS - Objective Central file - consumers can register for free not to receive Direct Mail - Currently 11k records grows by circa 20 to 30 per month - Rebuilt In late 2015 to allow consumers to register online and eircode will be the data match key - MPS Only available to IDMA members - Access through a secure log in process and can download data by date to screen against in house files - Seeking ODPC endorsement Plan to extend to include deceased register and third party data feeds. for key data providers in Ireland Est scale: 100k to 300k records – It will become a National Screening File

Focus On