On the 25th of May 2018, the General Data Protection Regulation (GDPR) came into force. This regulation changes how the big digital players process data; it forces all organizations to get the information they hold on individuals in check.
With the challenges of implementing such a regulation in organizations in mind, the Lawyers' Alumni Group hosted a round-table Q&A discussion of the newly introduced law and its impact.
Led by Steven Taylor (LLM 2012), a specialist in privacy law and data protection, the session brought together a small group of select alumni who have an interest and experience in the practical application of the new regulation.
Pictured below: Steve Taylor, who heads the legal team at a major US private equity group.
Anita Bapat, who gained a first in Law at the LSE in 2005, also made notable contributions. Anita is the Head of Privacy at Deloitte.
Since I've purchased annual subscriptions with several large data/business intelligence companies like ZoomInfo/DiscoverOrg over the years, I wanted to see what the law said about this relationship. Specifically, I wanted to understand whether, if there is some issue, it is the data company, my company, or both who are liable.
It's significant, since the EEC has the right under GDPR to fine a company up to 4% of annual revenue or 20 million euros. There is a two-tier system of administrative fines, the first tier being up to 10 million euros or 2% of annual global turnover.
Steve said that the responsibility lies with the data company (the data processor), not your company (the data controller). However, he said that you must also check your contract to ensure that the data company does not have special exclusion clauses that would pass that responsibility to you.
Steve told me earlier that he'd met and talked to Elizabeth Denham, the ICO commissioner overseeing GDPR in the UK. Elizabeth said that 'rather like doing your homework at school, as long as you are seen to be trying your best to comply, the ICO will not generally expect perfection'.
We had a long discussion on this subject, and the conclusion was that barely a single company that does extensive marketing could be considered 100% compliant right now.
Confusingly (like many aspects of this legislation) Elizabeth Denham has also, however, put her position across somewhat more strongly: “If your organization can’t demonstrate that good data protection is a cornerstone of your business practices, you’re leaving your organization open to enforcement action that can damage both public reputation and bank balance.”
There are two ways to establish whether you can use a person's data: consent and legitimate interest. The first is self-explanatory; 'consent' means that your contact has expressly asked you to contact them. Typically this is facilitated with an 'opt-in' (or 'double opt-in') button on your email, advertisement, article, or social media post.
The second is trickier to define. 'Legitimate interest' is often a basis to contact business customers. Many companies are happy to go this route. Other companies steer away from it and insist on only contacting prospects that have 'opted in' to receive communications.
The GDPR protection levels are lower for business customers, since they are typically seen as less vulnerable than business-to-consumer contacts (especially in certain highly sensitive categories like financial services).
For the ICO definition of legitimate interest, click here. Most agree that it means that you have a good reason to hold and use that person's data.
Steve also reassured us that if you are a start-up, you might be fined 4% of annual revenue, which could actually be a reasonably small amount, rather than 25 million euros; most start-ups wouldn't recover from a twenty-five million euro fine, after all.
To fall within 'legitimate interest,' you must be able to apply three rules to your data use:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?
We had an outstanding discussion on Brexit and how it will impact this European legislation. Here Anita really came into her own; she knew all the details.
I thought that data companies could lobby and have this legislation removed in the UK. Although EU legislation was enacted into UK law after we left the EU, the UK now has full legal sovereignty. Thus the UK can choose to abandon GDPR if parliament votes for that.
But Anita told us that GDPR had already been enacted into UK law on May 24th, one day before the European GDPR date. The Data Protection Act 2018 thus both extends the 1998 UK Data Protection Act and implements the same regulations as the European GDPR.
Our conversations were too detailed and wide-ranging to include all of them in this blog post. However, some of the points Steve made are worth remembering:
Article 27
Requires a company to have a representative in Europe
Article 37
Requires the company to have a Data Protection Officer. This person must have an understanding of the law and GDPR and must also be an expert in handling data.
Article 33.2
This covers breach notifications. As soon as you are aware of a data breach, no matter how insignificant, you must notify the ICO within 72 hours.
My main takeaway from this discussion was how uncertain even highly trained legal privacy experts are about how these laws will actually be applied.
Steven said that if the ICO digs deep enough, it will be able to uncover breaches of the GDPR rules anywhere, even at tech giants like Facebook or Google.
Does that give the ICO the right to do so just to generate more revenue via fines? How will the ICO decide how deep to dig, and whose practices to dig into for breaches?
For example, 281 billion emails are sent every day. How can the EEC monitor all of these? Will they concentrate on large companies? Or flagrant breaches of the legislation? Steve said that the latter is the most likely.
Thanks to Sharon Park, LLM graduate in Information Technology Law at the LSE, and Technology, Resilience and Cyber Associate at The Financial Conduct Authority, for editing this post for me to ensure Legal accuracy.
My conclusion: if a room full of lawyers and experts on GDPR is still unclear about all the implications of this legislation, then yes, GDPR can be a minefield for us marketers. But it doesn't have to be.
I aim to continuously revise and update my position on this and keep in touch with legal experts every step of the way. As more case law is created around GDPR, then we will have more clarity as to how to follow GDPR to stay within the legal requirements in Europe.
Update 18th June 2021: As I had already suspected back in 2018, GDPR is now vulnerable in Post-Brexit Britain. The current government has been talking about dismantling it and replacing it with a UK common law system of privacy.
The ethics of data privacy is another question, which is covered well in The Age of Surveillance Capitalism by Shoshana Zuboff.