Preparing for GDPR: Documentation of consent

In the latest in our series on GDPR, we look at one of the key aspects of the regulation: the documentation of consent.

In order to comply with the EU General Data Protection Regulation, companies will be required to keep a wide range of documentation. According to the ICO, the following bad and good examples indicate the level of documentation of consent you will be required to maintain:

BAD: “You keep the time and date of consent linked to an IP address with a web link to your current data-capture form and privacy policy”

GOOD: “You keep records that include an ID and the data submitted online together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use at that date”

On a recent webinar, The DMA said that ‘relevant documents in use’ could, for example, refer to a telephone call script. As a lead generation company that manually qualifies leads via telephone calls, this is highly applicable to the way we work. Plus, as we introduce a more omni-channel approach to consumer communication, this would then extend to transcripts of online communications using channels such as Facebook Messenger, WhatsApp etc.
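One way to keep records of the "good" kind described above, as an added illustration rather than The Lead Agency's own code: each record carries an ID, the submitted data, the user's choices and a UTC timestamp, and it is tied to the exact text of the form and privacy policy in use at that moment by content hash, so that the wording a user saw can be reproduced (and checked for tampering) years later. Function names, record fields and the sample texts are assumptions.

```python
"""Consent record keeping along the lines of the ICO 'good' example.
Added illustration; names and sample texts are assumptions, not The Lead
Agency's code."""
import hashlib
from datetime import datetime, timezone

# Versioned archive of the documents a user actually saw, keyed by SHA-256 of
# the exact text. A record therefore points at a specific wording, not at a
# web link whose content may change later (the ICO 'bad' example).
DOCUMENT_ARCHIVE = {}


def archive_document(text):
    """Store the exact text of a form or policy; return its content hash."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    DOCUMENT_ARCHIVE[digest] = text
    return digest


def record_consent(record_id, submitted, form_text, policy_text, choices,
                   when=None):
    """Build one consent record: ID, submitted data, user's choices,
    timestamp, and hashes of the form and policy versions in use."""
    when = when or datetime.now(timezone.utc)
    return {
        "id": record_id,
        "submitted": submitted,
        "choices": choices,  # e.g. {"marketing_email": True}
        "timestamp": when.isoformat(timespec="seconds"),
        "form_sha256": archive_document(form_text),
        "policy_sha256": archive_document(policy_text),
    }


def reconstruct(record):
    """Return the exact form and policy text a user saw, verifying that the
    archived copies still match the hashes stored in the record."""
    seen = {}
    for key in ("form", "policy"):
        digest = record[key + "_sha256"]
        text = DOCUMENT_ARCHIVE[digest]
        if hashlib.sha256(text.encode("utf-8")).hexdigest() != digest:
            raise ValueError("archived %s text does not match record" % key)
        seen[key] = text
    return seen
```

Because the archive is content-addressed, the same form version shared by thousands of enquiries is stored once, and any later edit to an archived copy is caught by `reconstruct`.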

Consent documentation in lead generation

For some companies, this documentation of consent is potentially a high bar to meet. Depending on their technical infrastructure, they may be relying on a third party hosting/website company to implement the means to capture the correct timestamps, etc. at the point of data collection for example.

As a mature player in the industry, this is a low bar for TLA. All of our website assets are built and managed in-house, and enquiries are recorded in secure databases. This means that we are fully in control of how we record this information, including the text and policies that were seen and the user’s choices. Where consent is gained in a telephone call, we use robust call recording technology, and our QA team are constantly checking for quality and compliance.

We are currently building a compliance portal where partners will be able to access complete and transparent audit trail information, showing the entire customer journey through our processes as well as providing access to call recordings.

Other documentation solutions

For a straightforward web-based data capture form, simple software solutions have entered the market, but these are not without limitations: for example, something that takes a screenshot of the enquiry form at the point of submission creates technical and storage overheads, and ultimately leads to non-database storage of data, which in itself creates risk. This approach also only covers a small part of the consent process in a more complex user journey.

With the progression of technology and changes in consumer habits, we are embracing new ways to communicate with our consumers. Many prefer an interactive enquiry rather than fixed, form-based approach and we are currently trialling our latest chatbot technology that engages with consumers through conversation in order to generate enquiries. Again, because these are built in-house, and feed directly into our own systems, we can obtain and record consent in these systems in a way which third-party software solutions could not.

Keep an eye out for more details of some of our latest tech innovations, as well as GDPR-related articles, via the News & Views.

Bill Lawrenson, business intelligence manager, The Lead Agency

TLA secures FCA authorisation

We believe in doing right by our clients and consumers, which is why we took the decision to pursue, and have since achieved, our FCA authorisation.

Traditionally as a business, we have focused our conversations with customers on the product. For example, in automotive, we talk about their vehicle of interest. But increasingly often, a customer’s starting point is what they can afford, and how they are going to purchase.

Although our role is often that of lead generator on these campaigns, being FCA (Financial Conduct Authority) authorised gives us more flexibility on what we can speak to customers about, and allows us to gather more relevant information. Gathering more information in turn allows us to better qualify the customer, and ultimately means we create higher quality opportunities for our clients to find their next customers.

In addition, we can broaden the types of campaigns we can take on. The QA framework we have in place means that we are set up well to ensure compliance with the regulatory framework of the FCA.

Highly professional

To assist us with the process of seeking FCA authorisation, we engaged Peak Consultants, a specialist in helping companies seek FCA authorisation.

“It was a pleasure working with The Lead Agency during the application process,” commented Peak director Mark Tumblety. “Their approach was highly professional and the senior management team demonstrated an eagerness to get things right and clearly wanted to enhance their customer proposition.”

Many companies see the process and ongoing regulation of FCA status as a ‘tick-box’ exercise, but we are working to embed principles such as Treating Customers Fairly into the very fabric of our business.

Preparing for GDPR: What can companies learn from the Equifax data breach?

Following our recent post about GDPR and the UK’s Data Protection Bill and in a continued effort to help companies prepare for the new legislation, we’ve turned our attention to a major data story from the US.

Following on from Yahoo’s one-billion record loss, and the hacking of 200m US voter records, data company Equifax has now acknowledged the loss of 143m consumer records.

The loss included data that could be very valuable to criminals who want to steal people’s identities, such as addresses, dates of birth, and social security numbers. And to add insult to injury, Equifax is a data company that offers an identity theft product as part of its portfolio.

So, other than improving and testing data security, what lessons can companies learn from the breach?

Lessons to be learned

The first point is one of basic PR. The full details are not known yet, but it appears that the breach was discovered on 29 July, six weeks before it was announced to the public.

Once the public was made aware, consumers were told to call a hotline number or directed to a website for information. People who tried the hotline complained that they waited a long time to get through, and were then told to visit the website. The website presented an offer of free signup to a year’s identity theft protection.

This offer could seemingly mitigate some of the risks of the data breach itself. But legal experts sounded a note of caution when it was discovered that the T&Cs of the sign-up prevent the consumer from suing Equifax. This has been seen by some as a cynical manoeuvre to mitigate Equifax’s own losses. By Friday, Equifax stock had lost 14% of its value.

GDPR and data breaches

One of the biggest impacts of GDPR is the reporting of data breaches. We don’t know when Equifax reported this breach to US authorities. But, under GDPR, a breach that is ‘likely to result in a risk to the rights and freedoms of individuals’ – including financial loss or loss of confidentiality – must be reported to the ICO within 72 hours. If the data breach poses a ‘high risk’ to the rights of individuals, those concerned must be informed directly.

Failure to notify a breach can result in a fine of 10 million Euros, or 2% of turnover.

How to prepare

Once companies have taken steps to protect their data, what can they do to prepare for a data breach?

The first thing is to identify breaches: ensure that staff know what a breach is, and create a culture where people aren’t afraid to report something that looks like one.

Once the breach is identified, having a plan to deal with it is as imperative as any other part of a disaster recovery plan. Ideally, the procedures to be put in place should be brief, easily accessible, and include templates for statements to the media.

In summary: take all steps to prevent breaches; identify them as soon as possible if they do occur; and have a plan in place to deal with them.

Bill Lawrenson, business intelligence manager, The Lead Agency

Preparing for GDPR: Understanding the UK’s new Data Protection Bill

Yesterday, the Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent for a forthcoming Data Protection Bill. The purpose, it claims, is to bring the UK’s data protection laws up to date, support innovation and ensure “our data is safe as we move into a future digital world”.

Missing from the statement was any mention of the General Data Protection Regulation (GDPR) – the heavily publicised Europe-wide regulation that comes into force in May next year.

The DCMS announcement, which you can read more about here, has caused confusion amongst companies working towards GDPR compliance. How do the two relate? Does one replace the other? Will the UK’s law come into force sooner than the GDPR?

GDPR in lead generation

The Lead Agency is at the forefront of the lead generation industry with our approach to GDPR, having implemented a programme in 2016 to ensure we are fully compliant. Quality has always been a key foundation, which has given us a competitive edge, and compliance is one of the pillars upon which it is built.

As well as internal education about GDPR, we have liaised with motor manufacturers and agencies to inform them and to understand their perspective, and we have attended events and conferences outside of our own industry to learn from others, to provide support, and to help spread the message about GDPR. In some cases, this can be as simple as relaying the fact that Brexit won’t affect implementation of the GDPR: as it is a regulation, not a directive, it will become law directly on 25 May 2018.

GDPR will have many benefits: as consumers ourselves, it is important that we have control of our data, and as a company that serves consumers, we believe it is right that our consumers are aware of what their data is being used for.

We perceive that enforcement of GDPR will lead to companies who fail to recognise the significance of protecting consumers’ data, and of informing and allowing consumers choices in what happens to their data, ultimately exiting the market. At TLA, GDPR is not simply seen as an ‘IT/Compliance’ issue – it affects all areas of the business.

Ultimately, many of the principles of GDPR are equivalent to the Data Protection Act, which has been in place since 1998: it is evolution, not revolution, so the businesses destined to fail are likely to be those that are already lacking a compliance framework. For businesses who operate good practices under current legislation, it is essential to ensure that entry and exit points of data into the business meet the new standards, and that the relationships between all parties in the data supply chain are correctly defined and documented.

GDPR and the UK’s Data Protection Bill

The decision to avoid mention of GDPR or Europe in the DCMS press release will be seen as a political move by some commentators. GDPR is an example of an EU law that will definitely benefit consumers, which doesn’t particularly fit the narrative of ‘Leave’ campaigners; ministers who supported ‘Remain’ will be happy to market an EU-crafted law as their own if they think it will sit well with voters.

Fundamentally, the GDPR will be implemented on 25 May 2018 regardless of the UK’s new bill. At its simplest, the bill cements it into UK law through Brexit and beyond. As well as taking GDPR and embedding it in UK law, the government will use derogations in certain areas, and augmentations in others, to supplement the law. Examples include the government’s manifesto promise to allow a person to request that their social media data from before they turned 18 be deleted, and exceptions for journalists in certain circumstances to balance privacy against freedom of expression. This new law will also repeal the 1998 Data Protection Act.

The law itself is likely to be published after the summer recess, at which point it will be clearer whether the government intends to align this law with the current GDPR timetable. Obviously, the government’s perilous majority will affect the speed at which they can progress Bills; however, given the more controversial aspects of Brexit law-making that are likely to be pushed through in the coming year, it seems unlikely that opposition parties will expend much energy hindering the progress of this one, unless there are as-yet unmentioned efforts to use this to allow the government to access our data more freely, with the civil liberty implications that would raise.

Are the new UK data protection laws a good thing?

As expressed previously, for consumers, having greater control over their data is important in a data-driven world. But, from a business perspective, this is the first, and essential, step to ensuring that EU partners will trust the UK to process the data of EU citizens, post-Brexit. Without this ‘adequacy status’, the bureaucracy required to transfer data into the EU will be a potential hindrance to UK business.

We look forward to seeing the final law when it’s published, and will be carefully noting the responses of industry and government bodies.

Bill Lawrenson, business intelligence manager