Data Bytes November 22

Maria McCoy looks at the hidden dangers of data profiling to offer targeted marketing to customers and answers some of your most common questions on Data Governance.
November 18 2022

Data Protection Fines – A cautionary tale of data profiling

Within the UK there was only one financial penalty levied by the ICO in Q3 2022 – a fine of £30,000 to Halfords for sending half a million unsolicited marketing emails.

However, things started heating up in October with a further 7 fines issued, including fines totalling £1.58 million to Easylife Limited and a fine of £4.4 million to Interserve Group Limited. We may cover the latter in our next Data Bytes publication, but for now let’s take a look at Easylife…

Easylife has had 2 fines issued, the larger of which related to profiling and the use of special category data. Easylife was found by the Commissioner to be using information about customer buying patterns to infer whether they had health conditions, and then to target them for direct marketing of health products that could alleviate those conditions. The ICO ruled that using data to make decisions and trigger targeted marketing constitutes profiling, and that capturing inferred health conditions constitutes special category data.

Easylife have argued in their defence that legitimate interest assessments had been applied in relation to the marketing processes, and that there is a privacy notice in place which clearly states that they analyse customer purchases in order to market other products that may be of interest. But the ICO’s position is that data subjects had not been adequately informed about any profiling or the capture of special category data in relation to their purchases.

So, what does that mean for the rest of us? Are you profiling any data subjects? If the answer is ‘no’ – how sure are you?

Guidance from the ICO about what constitutes profiling:

“‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

This is quite a broad definition and may potentially cover things like productivity statistics within factories, GPS tracking of fleet vehicles and social media behaviour.  It is advisable to include the definition of this, and of automated decision making, as part of your Legitimate Interest Assessment and Data Protection Impact Assessment processes to ensure that profiling activities are proactively identified as part of your compliance due diligence.

Where profiling is identified, you may need to cease this type of processing or adequately and transparently cover it off in your privacy notices.  You may also need to secure consent from data subjects if legitimate interests are not a strong enough lawful basis upon which to justify the processing.

Get in touch if you have any concerns and want advice on pragmatic ways to comply with GDPR.

Data Governance – Common Questions and Answers

Since the pandemic, Leading Resolutions have seen a significant uptick in the number of data governance implementation projects that we are delivering. Having been involved with many of these, I thought it may be useful to share a handful of the recurring questions and challenges I get from our clients and the pragmatic ways in which we respond.

How can I own the data throughout its lifecycle, if I do not have full visibility or control?

Often, when we try to establish data ownership within a business for the first time, there is pushback about an individual’s ability to take accountability for data that is stored on a system they do not have full control over or is processed by a team that sits outside of their line management chain.

The selling point is that those areas of concern are what constitute the biggest opportunity for improvement. It is how we identify where the risks are and make changes to increase assurance. For example, if a Data Owner needs better visibility over the systems, their use, or data quality reporting, we can put that in place for them. If they need an operational level agreement with other teams about how they will process the data and maintain standards – we can help to define such agreements.

These activities may not be a quick thing to tackle, but effective data governance necessitates enabling the Data Owner to have the assurance, visibility and controls they feel they need, to confidently govern that data throughout its lifecycle.

What tangible results will we get from good data governance and how do we prove it?

In our experience, applying good data governance, and the resulting high-quality authoritative sources of data that it enables, will result in benefits such as: faster product development cycles, improved customer service, increased revenue, process efficiencies and improved insight for strategic and operational decision making.

But proving this can be tricky. It would typically take significant up-front effort in benefits capture and building in the right data points to be able to track and measure all known benefits. You would likely only be scratching the surface, but being thorough will risk analysis paralysis.

It is better to pick a couple of top-line KPIs that are the most important to track, to justify initiating the Data Governance programme. Then, as part of the Data Governance implementation and operation, continually articulate and log beneficial outcomes against all activities, to garner support for its continuation. For example:

  • Making improvements to data assets that are revenue-critical
  • Mitigating risks that may result in penalties or inefficiency
  • Addressing data quality issues that are causing process failures or poor insight

Publicising the resolution of these issues and the positive outcomes delivered will embed Data Governance as a proactive and results-driven initiative.

Why do we need a Data Glossary?

While there are many uses and benefits to having a data glossary with well-formed and widely debated definitions, the most powerful way to answer this is to apply it to the known issues being felt, which can vary from business to business.

Examples of common symptoms I have heard from clients, which would be alleviated with a high-quality data glossary, are:

‘I dread when monthly reporting comes around because it takes a lot of time and effort to compile the information and then we spend 70% of the time arguing over what the numbers mean rather than using that time and energy to formulate action plans based on the data’

‘There are a few people in this organisation who hold an awful lot of information about our systems and data – we would be in trouble if they all decided to retire tomorrow’

‘Everyone seems to have a different view of what a customer is’

‘Our product categories are not consistent from region to region, so we can’t compare like for like performance across the globe.’

A Data Glossary can help with all these issues by providing a place for measures and metrics to be unambiguously defined, by documenting the meaning and business rules associated with data items, and by starting to drive consistency of terminology and data hierarchies across the organisational silos.

Essentially, it demystifies the meaning of data and publishes that knowledge to everyone in the business who needs it.

That is all for now, but if you have any Data Governance questions or topics you would like explored, please let us know and we will look to include them in upcoming publications.