Digital Banking and Data ProtectionAchieving balance of compliance with customer experience and opportunity

30 September 2015

Paula Barrett

Partner

Data protection compliance

Recognizing what personal data/private

information is processed

Identifying the players - data controllers and

data processors

Work through application of

principles, lawful reasons, fairness,

transfers, filings, etc

Give fair notice

Gather permissions where needed

Other relevant issues• Other

legislation/laws/torts

• Culture and expectations

• Political/regulatory stance

Personal data – can you spot it?

“Personal Data” means data which relate to a living individual who can be identified:

(a) from those data and other information which is in the possession of or is likely to come into the possession of, the data controller

(b) includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual

• Not just names – other identifiers too

• Think about ability to combine with other data within business

• Can include twitter names, Mac address, Fixed IP address

Current DPA Definition:

The players?

−Spot the data controller(s)!• Often more than one in digital platforms• Within group?• Third parties?• Relevant for determining

• Applicable law• Who carries DPA responsibility?• Lawfulness requirement in transfers from

DC to BC • Limited exemptions

−Who are the data processor?• Contractual requirements under

DPA to be met• Under UK DPA no direct

obligations• Position may change under GDPR• Geographic restrictions on

transfers

Eversheds LLP |

−Timing:• When does data collection really commence?• Bear in mind varying sources and channels – app, social media, other accounts, etc.• Do you need a third party to provide notice/expand notices to specifically include us

and our processing?

−Scope – transparency is essential and becoming more so

−Consistency across platforms (on and offline)• Expanding digital processing may mean we have to expand the non digital notices and

notices on other platforms e.g. facebook etc.

−Technical constaints and customer experience• Screen and text limitations• Layering• Links to website and other locations for further detail

Fair Processing Notice must be given prior to or within a reasonable time of data being collected.

When & how to deliver

Notices and privacy policies

Eversheds LLP |

−Start with working out what processing you are doing• Need to understand the totality of processing including any sharing with other group

companies and third parties−Treat consent as a last resort – not the first one

• It can be withdrawn at any time−Other lawful reasons:

• Consider statutory obligation• Legitimate interest• At request of individual • Fulfilment of contract• Anti-fraud• Remember all qualified by “necessary for” test and proportionality

−Transparency on consent obtained by or for third parties−How will marketing preference be exercised? tools within the digital product?−Operationally/technically need to be able to respond to consent changes from

range of sources

For each category of personal data you need a lawful reason for processing it

When, what and how

Collection of permissions

Questions?

eversheds.com©2015 Eversheds LLPEversheds LLP is a limited liability partnership

Partner

Paula Barrett

Company Commercial+44 777 575 7958paulabarrett@eversheds.com

EvershedsOne Wood StreetLondonEC2V 7WS