Friday, June 15, 2018

GDPR - LSE Lawyers round table discussion on Privacy and Data Protection

On 25 May 2018 the General Data Protection Regulation (GDPR) became applicable across the EU. It changes how the big digital players process personal data, and it forces every organization to get the information it holds on individuals in order.

With the challenges of implementing such a regulation in mind, the Lawyers' Alumni Group hosted a round-table Q&A discussion of the newly introduced law and its impact.

Led by Steven Taylor (LLM 2012), a specialist in privacy law and data protection, the session brought together a small, select group of alumni with an interest and experience in the practical application of the new regulation.

Steve Taylor heads the legal team at a major US private equity group.

Anita Bapat, who gained a first in Law at the LSE in 2005, also made notable contributions. Anita is the Head of Privacy at Deloitte.

Since I've purchased annual subscriptions with several large data/business intelligence companies like ZoomInfo and DiscoverOrg over the years, I wanted to see what the law said about this relationship. Specifically, I tried to understand whether the data company, my company, or both are liable if there is some issue.

It matters because a supervisory authority (the ICO in the UK) can fine a company under GDPR up to €20 million or 4% of annual global turnover, whichever is higher. Administrative fines are two-tiered: the lower tier is up to €10 million or 2% of annual global turnover, again whichever is higher.

Steve said the responsibility lies with the data company (the data processor), not your company (the data controller). However, he said you must also check your contract to ensure that the data company does not have special exclusion clauses that would pass that responsibility to you.

Steve told us earlier that he had met and talked to Elizabeth Denham, the Information Commissioner overseeing GDPR in the UK. Elizabeth said: 'rather like doing your homework at school, as long as you are seen to be trying your best to comply, the ICO will not generally expect perfection.'

We had a long discussion on this subject, and the conclusion was that barely a single company that does extensive marketing could be considered 100% compliant right now.

Confusingly (like many aspects of this legislation), Elizabeth Denham has also put her position across somewhat more strongly: “If your organization can’t demonstrate that good data protection is a cornerstone of your business practices, you’re leaving your organization open to enforcement action that can damage both public reputation and bank balance.”

GDPR lists several lawful bases for using a person's data (Article 6 names six); for marketing, the two that matter are consent and legitimate interests. The first is the more self-explanatory: 'consent' means the contact has given a clear, affirmative signal that they want to hear from you. Typically, this is captured by an 'opt-in' (or 'double opt-in') button on your email, advertisement, article, or social media post.

The second is trickier to define. 'Legitimate interests' is often the basis relied on for contacting business customers. Many companies are happy to go this route; others avoid it and insist on contacting only prospects who have 'opted in' to receive communications.

In practice business contacts get a somewhat lighter level of protection, because a named individual at a company is generally seen as less vulnerable than a consumer, so the balancing test below tends to come out differently for business-to-business contacts. That lighter touch does not extend to highly sensitive categories such as financial services, where regulators look much more closely.

The ICO publishes its own guidance on legitimate interests. Most agree that it boils down to this: you have a good, documented reason to hold and use that person's data.

To rely on 'legitimate interests,' you must be able to answer all three parts of the ICO's test for your data use:
  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?

Steve also reassured us that if you are a start-up, you might be fined 4% of annual revenue, which could be a reasonably small amount, rather than 20 million euros. After all, most start-ups wouldn't recover from a twenty million euro fine.

We had an outstanding discussion on Brexit and its impact on European legislation. Here, Anita came into her own; she knew all the details. 

I thought that data companies could lobby and have this legislation removed in the UK. Although EU legislation was enacted into UK law after we left the EU, the UK now has full legal sovereignty. Thus, the UK can abandon GDPR if parliament votes for it.

But Anita told us that GDPR had already been enacted into UK law on May 24th, one day before the European GDPR date. The Data Protection Act 2018 is thus both an extension of the Data Protection Act 1998 and an implementation of the same rules as the European GDPR.

Our conversations were too detailed and wide-ranging to include all of them in this blog post. However, some key points that Steve made included:

Article 27
Requires a company to have a representative in Europe.

Article 37
Requires the company to have a data protection officer. This person must understand the law and GDPR, and must also be an expert in handling data.

Article 33(2)
Covers breach notifications. As soon as you become aware of a data breach, no matter how insignificant, you must notify the ICO within 72 hours.

My main takeaway from this discussion was how uncertain even highly trained privacy lawyers are about how these laws will be applied.

Steven said that if the ICO digs deep enough, it will be able to uncover breaches of the GDPR rules anywhere, even at tech giants like Facebook or Google.

Does that give the ICO the right to do so just to generate more revenue via fines? How will the ICO decide how deep to dig, and whom to dig into?

For example, 281 billion emails are sent every day. How can the EU's supervisory authorities monitor all of these? Will they concentrate on large companies, or on flagrant breaches of the legislation? Steve said that the latter is the most likely.

Thanks to Sharon Park, LLM graduate in Information Technology Law at the LSE, Technology, Resilience and Cyber Associate at the Financial Conduct Authority, and now at the Competition and Markets Authority (where my father, retired High Court Judge Sir Kenneth Parker, works, and who also kindly checked through this article for me), for editing this post to ensure legal accuracy.

My conclusion: If a room full of lawyers and experts on GDPR is still unclear regarding this legislation's implications, then yes, GDPR can be a minefield for us marketers. But it doesn't have to be.

I aim to continuously revise and update my position on this and keep in touch with legal experts every step of the way. As more case law is created around GDPR, we will have more clarity on how to follow GDPR to stay within the legal requirements in (and now outside of) Europe.

Update June 2021: As I had already suspected in 2018, GDPR is now vulnerable in post-Brexit Britain. The current government has been discussing dismantling and replacing it with a UK common law data privacy system.

Update December 2024: 

Summary of GDPR Fines (Top 8):

  • Meta: €1.2B for transferring EU user data to the US without adequate safeguards (Irish DPC, 2023).
  • Amazon: €746M for ad targeting without a valid legal basis (Luxembourg CNPD, 2021).
  • Meta: €405M for mishandling teenagers' data on Instagram (Irish DPC, 2022).
  • Meta: €390M for relying on "forced" acceptance of updated Terms of Service as the legal basis for behavioural advertising (Irish DPC, 2023).
  • TikTok: €345M for GDPR breaches in its handling of children's accounts (Irish DPC, 2023).
  • LinkedIn: €310M for misusing user data for targeted advertising (Irish DPC, 2024).
  • Uber: €290M for transferring EU drivers' data to the US without adequate safeguards (Dutch AP, 2024).
  • Meta: €265M for failing to prevent the scraping of Facebook user data that was later leaked online (Irish DPC, 2022).

The ethics of data privacy is another question, covered well in The Age of Surveillance Capitalism by Shoshana Zuboff.