EU: A fit-for-all DPIA for online marketing campaigns
Online marketing tools (e.g. personalised advertisements, promotional offers, coupons) make companies' lives easier when it comes to interacting with their customers and sending them personalised advertisements. This type of marketing requires profiling, which provides a deeper insight into the customer's life (e.g. scope of interest, shopping history, patterns and frequency), so a Data Protection Impact Assessment ('DPIA') is inevitable under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Online marketing campaigns are usually of a cross-border nature, and the GDPR (together with the Guidelines of the Article 29 Working Party on DPIAs [1] ('the WP29 DPIA Guidelines')) provides for a uniform data protection framework to assess the impact. However, each national data protection authority may have specific requirements on certain details of the DPIA. Dr. Márton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe, advocates for and sketches the parameters of a fit-for-all approach for DPIAs throughout the EU to ensure that the risk assessment will come to the same conclusion in all countries, and that companies can introduce the same mitigation measures to protect their customers' data.
Description of the data security measures
The most important part of a DPIA is the description of the data security measures.
In practice, such measures include, among others:
- physical protection of equipment and systems storing customer data;
- layered access rights to customer databases (e.g. only a restricted number of admins may modify or delete the customer data);
- enhanced security in case of remote access (e.g. through use of VPNs) to the customer databases; and
- up-to-date and market leading firewalls, anti-virus software, encryption techniques, and back-up processes.
It would be practical for the advertisers to have a detailed and uniform list from the data protection authorities on the security measures that advertisers should choose from in all countries where they launch an online marketing campaign. Currently, authorities' practices vary on the assessment of the various security measures. For example, the Hungarian National Authority for Data Protection and Freedom of Information ('NAIH') has stated that the MD5 algorithm is an inadequate technology to combat malicious decryption techniques, while other authorities are silent on this.
Description of the risks
In the DPIA, companies should detail the nature and the potential consequences of data protection risks, together with the available mitigation measures.
The risks may include:
- unauthorised and/or malicious people may access or misuse the customer database, identify the individuals personally, learn about their shopping patterns and preferences, steal their identity, sell their data or send unwanted marketing messages to them;
- cyberattacks, ransomware attacks, system errors, software malfunctions and viruses, which may lead to data theft, data loss, or data deletion, and may also prevent individuals from exercising their data protection rights and using their data as evidence in a potential dispute; and
- human error (e.g. unintentional deletion of customer data).
Again, a uniform EU-level list from the authorities of the potential risks in all countries may help companies when considering all aspects of potential breaches of customer data. Such uniform guidance should also contain recommendations on how to categorise the risks (immaterial, restricted, significant and material) in the DPIA.
How to 'recycle' lawfully
It is a reasonable expectation on the advertiser's side to use the experience gained during the online marketing campaign for the purpose of improving its own services and products, and for follow-up and long-term analyses as well. The advertiser must record this in the DPIA. For example, if customers are showing an increased interest in a certain scope of products or services in a given period, the advertiser will focus on expanding the variety of such products or services in the future. If this decision is not based on the consideration of statistical or similarly anonymised data, the advertiser may want to rely on the same legal basis in all countries to process customer data for this purpose. However, there is no uniform practice on the side of data protection authorities – some may require an additional consent from the customer whilst others may find a proper legitimate interest balancing test satisfactory.
When and how to update customer profiles?
Advertisers need to regularly monitor shopping patterns and preferences and update the customer profiles accordingly in order to send more accurate marketing messages. It is also an obligation under the GDPR to ensure that personal data is accurate and kept up to date. The DPIA should set out uniform and well-established updating intervals in all countries. When it comes to the data protection rights of the customers, it must also be established whether they are entitled – as part of their access and rectification right – to revise their profile, particularly their shopping patterns and preferences, in order to avoid being recommended marketing content in which they are no longer interested. This may interfere with the advertiser's interest in using its own decision-making logic based on the customer profile, so the DPIA must contain 'playbooks' to address such a scenario.
Seeking the views of customers
The GDPR provides that companies must seek the views of individuals in the DPIA on the intended data processing. In practice, it is difficult for a company to formally seek the views of individuals before commencing an online marketing campaign. This is mainly because of the high number of individuals and the fact that a prior consultation may spoil the surprise element of a marketing campaign. Therefore, uniform guidance is needed from data protection authorities on the cases where companies can set the consultation obligation aside.
Involving other parties in the DPIA
Conducting the DPIA is the responsibility of the data controller. According to the WP29 DPIA Guidelines, various 'independent' experts may be involved in the DPIA, such as lawyers, IT experts, sociologists, etc. Data protection authorities should provide uniform recommendations on what to regulate in the cooperation agreement with the above people beyond their scope of work, the kind of information they need, and their liability. For example, it may also be advisable to regulate the independent nature of their advice, and that they are not to be sanctioned (e.g. by withholding their service fee or terminating their mandate) in case of conflicting opinions (also to be recorded in the DPIA).
Consulting with the supervisory authority
The GDPR provides that the data controller must consult with the supervisory authority where a DPIA indicates that the processing will result in a high risk in the absence of measures taken by the controller to mitigate the risk. The fulfilment of these obligations may be problematic in practice. If the data controller concludes during the DPIA that the risks cannot be appropriately mitigated, it may not want to approach the authority with this conclusion because it is highly unlikely that the authority will give a green light to the processing if the controller came to a negative conclusion.
Other important elements of a DPIA
A fit-for-all approach may also be necessary in connection with the following elements of the DPIA:
- the documentation of the underlying decisions, opinions and other communications (e.g. email chains) in the DPIA;
- the respective duties and liabilities of the people involved in the DPIA;
- who in the company is entitled to decide whether the proposed risk-mitigation measures are appropriate; and
- when the DPIA should be revised.
Dr. Márton Domokos Senior Counsel
CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe, Budapest
[1] Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711