Introduction to Data Protection & Privacy

GDPR

What and Why

The General Data Protection Regulation (GDPR) regulates data protection law across all 28 EU countries and levies strict rules on monitoring and processing personally identifiable information (PII). GDPR applies to all organizations holding and processing EU resident’s personal data, regardless of geographic location.
The massive digital disruption, especially the internet is the reason why GDPR came into existence. Users demanded more control when it came to their data storage and usage, eventually resulting in the adoption of strict measures to tackle data breach.

How Deck 7 Complies with GDPR

As per the Article 7 of The General Data Protection Regulation (GDPR) Conditions for consent, Deck 7 follows all the requisites as required by its process. The checklist of consent mechanism which ensures that Deck 7 abides by the GDPR Laws:

• Tick Box: - Opt-in is taken with pre-un-ticked box from Email and Publishing Sites which requires positive action from the user.
• Specific: - Separate consent is taken for each type of process and there are no preconditions of signing up to receive a service. Purpose is specified in simple language.
• Informative: - Consent is received only after the individual is made aware of the purpose, controller, Opt-out option, terms and policies.
• Proof: - Timestamps are taken to ensure the process of taking consent is followed according to the regulations every time.
• Data is used for marketing purposes and the tools used for processing are of ISO27001 standard.
• A dedicated group of professionals, including our Data Protection Officer, data specialists, security personnel, and technology teams work to ensure privacy and data compliance is maintained in our data process.
• An internal data governance framework to review how our opt-in data is being used and protected while in our custody and documentation of all data handling processes and incidents.
• Data security policies and controls in place globally, which are continually tested and evolved to keep pace with new regulations and governance requirements.

CAN-SPAM

What and Why

Canada’s Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) is a law that establishes rules for commercial messages and commercial email, gives recipients the right to stop a business from emailing them, and outlines the penalties incurred for those who violate the law.

CAN-SPAM doesn't just apply to bulk email. "It covers all commercial messages, which the law defines as 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,' including email that promotes content on commercial websites. The law makes no exception for business-to-business email." It does, however, exempt transactional and relationship messages.

How Deck 7 Complies with CAN-SPAM

Deck 7 is aware of Canada’s Anti-Spam Law legislation’s requirements of obtaining express consent from the Canadian audience. To abide by this law, Deck 7 has implemented the following steps:

• Publication Sites Opt-in: Deck 7 takes opt-in from the data subject through it 31 publication sites.
• Email Opt-out: All the emails created to target Canadian residents have opt-out option. Data subject choosing to Opt-out is put in master suppression list.

For complying with CAN-SPAM, Deck 7 has ensured that the entire process for Opt-in and Opt-out is clear to all employees.

CASL

What and Why

Canada’s Anti-Spam Law (CASL) is a new anti-spam law that applies to any "Commercial Electronic Message" (CEM) sent from or to Canadian computers and devices in Canada. Messages routed through Canadian computer systems are not subject to this law.

A CEM is any message that:

is in an electronic format, including emails, instant messages, text messages, and some social media communications;

is sent to an electronic address, including email addresses, instant message accounts, phone accounts, and social media accounts; and

contains a message encouraging recipients to take part in some type of commercial activity, including the promotion of products, services, people/personas, companies, or organizations.

How Deck 7 Complies with CASL

We are committed to reducing the harmful effects of spam and related threats. Our goal is to help create a safer and more secure online marketplace.

In partnership with Canada’s Competition Bureau and the Office of the Privacy Commissioner, we work together to enforce this legislation.

We have the primary enforcement responsibility, including powers to investigate and take action against violators, and set administrative monetary penalties. We target those who send commercial electronic messages without the recipient’s consent or install programs on computers or networks without express consent. This includes malware, spyware and viruses in computer programs, in spam messages, or downloaded through infected Web links.

We also work to promote compliance among organizations and individuals, ensuring that businesses have the information they need to compete in the global marketplace.

CCPA

What and Why

The California Consumer Privacy Act (CCPA) is designed to give Californians more control over their own data, and is targeted at companies that collect and/or sell personal information. Passed in June 2018, the Act will go into effect on January 1, 2020. It defines personal information as name, alias, postal address; unique personal identifier, online identifier internet protocol address; email address, account name, social security number; driver’s license number or passport number.

Right to access information, right to deletion and right to opt-out are among the major new data protections introduced by CCPA. CCPA compliance will help companies strengthen their commitments to honoring consumer choices as well demonstrating transparency and trust.

How Deck 7 Complies with CCPA

As a B2B company, Deck 7 has made the following changes to comply with the CCPA:

• Audit data-collection practices to identify the personal data collected and where it is stored.
• Update privacy policies
• Conduct an info security audit and ensure that personal data is either encrypted or redacted.
• Thoroughly study CCPA to understand its specific requirements and new obligations.
• Review (or define) policies, roles, and responsibilities for data management.
• Consider whether and where explicit opt-in requests make sense for the organization
• Decide whether to proactively communicate our position on CCPA to clients.

PECR

What and Why

PECR stands for Privacy and Electronic Communications Regulation, and forms part of the European Union ePrivacy Directive — the law that is currently being updated to become the much-dreaded ePrivacy Regulation which will focus more acutely on curbing cookie use for tracking purposes. PECR covers:

• marketing calls, emails, texts and faxes;
• cookies (and similar technologies);
• keeping communications services secure; and
• customer privacy as regards traffic and location data, itemized billing, line identification, and directory listings.

If a business provides these kinds of services — in particular email marketing and use cookies — they need to comply with both PECR and GDPR. Once the ePrivacy Regulation finally arrives, it will replace PECR.

How Deck 7 Complies with PECR

Deck 7 conducts an audit to look at whether we have effective policies and procedures in place, and whether we are following them. It includes recommendations on how we could improve. We believe that audits play a key role in helping organizations understand and meet their obligations.

We select service providers for audit based on the level of risk. We then carry out both an off-site check of your security policies and procedures, and an on-site review of your procedures in practice.

ePR

What and Why

The ePrivacy Regulation (ePR) is a proposal for a Regulation on Privacy and Electronic Communications. The scope of the ePrivacy Regulation would apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing. The ePR is an attempt to streamline and improve EU laws regarding privacy of communications through users' electronic devices. The ePR will change cookies and other tracking technologies, metadata from electronic communications, direct marketing, and unsolicited communications / calls.

The European Commission’s intention in bringing forward the Regulation is to ‘reinforce trust and security in the digital single market’ by updating the legal framework on ePrivacy. This step is part of the European Commission’s project to modernize the EU’s data protection framework. It will also make the ePrivacy legislation consistent with the provisions of the General Data Protection Regulation (GDPR).

How Deck 7 Complies with ePR

We have aligned our strategies to comply with the ePrivacy Regulation by taking the following steps:

• Taking prior permission before sending any communication.
• Looking for legitimate data partners who can offer B2B data that suits our business needs, and is demonstrably lawful.
• Building out our inbound marketing capabilities by developing content assets, building social capabilities, and ensuring that we’re gathering consent for ongoing contact.
• Considering our other outbound marketing options – direct mail, telemarketing, even marketing using non-personal data.
• Telemarketing rules may stay the same, i.e. before embarking on any calls, we check our phone lists against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers and do not contact any numbers which are registered on either.

CDR

What and Why

The Consumer Data Right (CDR) is a scheme where businesses and individuals are able to access their data, or direct if their data is shared with other entities. The CDR will initially apply to entities in the banking sector, but will soon apply to businesses in the telecommunication and energy sectors with other sectors in line.

The Consumer Data Right (CDR) is a significant scheme as it imposes additional privacy and data sharing obligations on regulated entities of the Australian economy.

How Deck 7 complies with CDR

Deck 7 ensures that the Consumer Data Right scheme is met through the following mechanisms:

• Consumer data rules –The rules may relate to the disclosure, use, accuracy, storage, security and deletion of CDR data, accreditation of data recipients, reporting and record keeping, and any other matter incidental to the CDR system.
• Data standards – a Data Standards Body will be established under the scheme tasked with creating data standards relating to how data should be shared.
• Privacy safeguards – the CDR scheme introduces certain privacy safeguards which apply irrespective of whether data belongs to an individual or a business (unlike the Australian Privacy Principles which apply to 'personal information').

PIPEDA

What and Why

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity.

All organizations have privacy policies, but it is only through PIPEDA that organizations ensure that these privacy policies work. Without PIPEDA, organizations will just have privacy policies to ensure they get the personal information they need for business.

How Deck 7 Complies with PIPEDA

At Deck 7, we take the following steps to comply with PIPEDA::

• We do not collect personal information which would be covered by PIPEDA.
• Have a privacy policy and are upfront about our collection and use of personal information.
• Collect only business information about an individual.
• Limit and monitor access to personal information and take appropriate action when an employee accesses information without authorization.
• Protect personal information on laptops, USB keys and portable hard drives through technological safeguards such as encryption and password protection.
• Customers should know who to speak to if they have questions about privacy.
• A sample privacy brochure for our clients.

PoPI

What and Why

South Africa’s data privacy issues are regulated under the Protection of Personal Information (PoPI) Act 2013, along with various sector-specific laws and the common law. The PoPI Act is based on eight principles which discuss:

• Rules for collecting, using and processing data.
• Ensuring the quality of the information.
• Upholding standards of transparency and openness.
• Efforts to safeguard against loss, damage or destruction of data.

The aim of the PoPI Act is to protect consumers from harm by protecting their personal information. The Act aims to protect consumers from having their money and identity stolen as well as keep their private information private.

How Deck 7 complies with PoPI

Marketers who rely on direct marketing — especially through SMS and email channels are set to be impacted most by this Act. Until now, most of this marketing has been ‘opt-out’, where consumers receive promotional messaging and can choose to no longer receive these messages.

However, once PoPI is in place, direct marketing will have to become ‘opt-in’, where consumers will have to actively agree to receive promotional messaging. Essentially, this means that unsolicited direct marketing via electronic channels will become opt-in only.

Deck 7 has taken the following measures to comply with the PoPI Act:

• Respect the consumer’s choice to opt-in OR out.
• Request consent for a specific purpose.
• Give consumers a clear way to express their choice by giving them the option to click a button or mark a checkbox.
• Keep records of when and how consent was obtained and what it covers.

APP

What and Why

Australia’s Privacy Act 1988 is based on 13 APPs (Australian Privacy Principles) that cover transparency and anonymity; the collection, use and disclosure of data; maintaining the quality of data; and the data subject’s rights. The Act is the key privacy law that governs both the public and private sectors.

The Australian Privacy Principles give individuals the right to know why their personal information is being collected, how their personal information will be used, and to whom their personal information will be disclosed and to have the ability to ask for access to, or correction of, their personal information.

How Deck 7 complies with APP

• We undergo several audits on a regular basis to verify the security, privacy and compliance controls of our operations.
• Meet stringent privacy and security standards based on industry best practices.
• Conduct a comprehensive audit into the sources of personal information, how this comes to the business and is then stored.
• Update the privacy policy to reflect the results of the review.

Is Your Privacy Policy in Place?

Although you may be just collecting names and / or email addresses for your monthly newsletter, but in the digital age, it’s important to respect the importance of personal data and the privacy rights of your website users. Being transparent about how you collect and protect data will not only keep you out of trouble with the law, but will also help to establish trust with your audience.

In order to be compliant with almost any privacy law is to have an informative and transparent Privacy Policy posted on your website or mobile app and keep it easy to read and up to date.