On the 25th of May 2018, the General Data Protection Regulation (GDPR) came into force: a regulation that is changing not only how the big digital players process data but the entire private sector, forcing organisations to get the information they hold on individuals in order.
With the challenges of implementing such a regulation in organisations in mind, the Lawyers’ Alumni Group hosted a round-table Q&A and discussion of the newly introduced law and its impact.
Led by Steven Taylor (LLM 2012), a specialist in privacy law and data protection, the session brought together a small group of select alumni who have an interest in, and experience of, the practical application of the new regulation.
Below: Steve Taylor, a specialist in privacy law working for a US private equity group.
Notable contributions were also made by Anita Bapat, Data Protection & Privacy Partner at Kemp Little LLP, who gained a first in Law at the LSE in 2005.
Since I've purchased annual subscriptions with several large data/business intelligence companies like ZoomInfo and RainKing over the years, I wanted to see what the law says on this and also, if there is some issue, whether it is the data company, my company, or both who are liable.
It's significant, since the EEC has the right under GDPR to fine a company up to either 4% of annual revenue or 20 million euros. There is a two-tier system of administrative fines, the first tier being up to 10 million euros or 2% of annual global turnover.
Steve said that the responsibility lies with the data company (the data processor), not your company (the data controller). This confirmed what I had thought. However, he said that you must also check the contract to ensure the data company does not have some type of exclusion clause.
Steve told me earlier that he'd met and talked to Elizabeth Denham, the ICO commissioner, who is overseeing GDPR in the UK. Elizabeth said that rather like doing your homework at school, as long as you are seen to be trying your best to comply, the ICO will not generally expect perfection.
We had a long discussion on this subject, and the conclusion was that barely a single company that does extensive marketing could be considered 100% compliant right now.
Elizabeth Denham has, however, put her position across rather more strongly: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”
In terms of data use, there are two ways to establish whether you can use a person's data: consent and legitimate interest. The first is self-explanatory; the second is a little trickier to define. Legitimate interest can be a basis for contacting business customers.
The protection levels are lower for business customers, since they are typically seen as a less vulnerable group than business-to-consumer contacts. The ICO publishes its own definition of legitimate interest; most agree that it means you have a good reason to hold and use that person's data.
To fall within 'legitimate interest', you must be able to apply three rules to your data use:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
We had an outstanding discussion on Brexit and how it will affect this European legislation. Here, Anita really came into her own; she knew all the details. I had thought that data companies could lobby to have this legislation removed in the UK (when all EU legislation is enacted into UK law).
But Anita told us that GDPR had already been enacted into UK law on May 24th, one day before the European GDPR date. The Data Protection Act 2018 is thus both an extension of the 1998 UK Data Protection Act and an implementation of the same regulations as the European GDPR.
Our conversations were too detailed and wide-ranging to include all of them in this blog post. However, some points that Steve made are worth remembering:
- GDPR requires a company to have a representative in Europe.
- GDPR requires the company to have a Data Protection Officer. This person must have an understanding of the law and GDPR, and must also be an expert in handling data.
- GDPR covers breach notifications. As soon as you are aware of a data breach, no matter how insignificant, you must notify the ICO within 72 hours.
My main takeaway from this discussion was how uncertain even highly trained legal experts on the subject are as to how these laws will actually be applied.
Steven said that if the ICO digs deep enough, it will be able to uncover breaches of the GDPR rules anywhere, even at tech giants like Facebook or Google.
Does that give them the right to do so just to generate more revenue? How are they going to decide how far to dig, and whom to investigate for breaches?
For example, 281 billion emails are sent every day. How can the EEC monitor all of these? Will they concentrate on large companies, or on flagrant breaches of the legislation? Steve said that the latter is the most likely.
Thanks to Sharon Park, LLM graduate in Information Technology Law at the LSE and Technology, Resilience and Cyber Associate at the Financial Conduct Authority, for editing this post to ensure legal accuracy.
My conclusion: if a room full of lawyers and GDPR experts is still unclear about all the implications of this legislation, then yes, it's a minefield for us marketers.
I aim to continuously revise and update my position on this and to keep in touch with legal experts every step of the way. As more case law builds up around GDPR, we will have more clarity about which rules to follow.