Whether or not businesses are ready, the General Data Protection Regulation (GDPR) will be implemented on 25 May 2018; and once in effect, the mandates will impact any company doing business with consumers in the European Union.
Ravelin's Chief Marketing Officer Gerry Carr spoke with UK-based commercial lawyer Vanessa Barnett with the aim of helping companies prepare for GDPR. The discussion focused on practical information and tips regarding compliance, personal data use, fraud, and supplier compliance.
As we get closer to the GDPR deadline, what changes in behaviour are you seeing from businesses compared to six months ago?
I would say that over the last six months there’s been a significant transition in the marketplace. I usually start my sessions where I speak to groups of people, and I say put your hands up if you’ve been to a GDPR session. Six months ago, I would’ve had a handful of people. Now, almost everybody has been to one or more sessions on GDPR.
And over the course of the past nine months or so it’s a bit like going through the six stages of grief; getting used to GDPR is the best way to describe it.
You start with shock, which makes you realise you actually have a lot to do. Then your business goes into denial, where everyone tries to make it somebody else’s problem. Then you get a bit angry because you realise, as a business, you’ve actually got to do it - we’ve all got tasks to do.
And then the bargaining begins. Businesses have conversations with their advisors, essentially claiming they understand GDPR, but want to figure out what they need to do about it. They’re trying to get around advisors by doing the bare minimum.
I’d call the next phase ‘general grumpiness’, where they don’t go to work in the morning to do GDPR compliance.
And then finally, we enter the acceptance phase where everyone finally puts their hands up and says yes, we understand, we need to do something, so let’s just get on with it.
What does the bare minimum compliance look like?
If we take a step back from the text in GDPR, it’s essentially a regulation that lays out what you’re doing and ensures it’s obliging with the law. You can’t really start doing any of your compliance unless you start with data mapping.
You’ve got to understand the data flow in your business, what you’re doing with it inside your business, how you’re spitting out data at the other end, who’s using it and why.
It’s best to start with data mapping. If you had started 18 months ago, you would have an amazing data map by now. There are some examples where I’ve seen people do some exceptional work, but these are people with very deep pockets, very large legal budgets and IT teams, so they have the resources to do so.
Are there templates available that can make the compliance path less difficult and expensive?
That’s an interesting question. There should be somewhere you can go such as a website, pay some money and download a basic template. There are several well-known places that I’ve seen where you pay a fee and download all the templates, and do a bit of due diligence on them. But all of them are very generic.
The most important concept about GDPR compliance is that you can’t use something that’s generic because you have to say what you’re doing with the data and why you’re doing it on a lawful basis.
It’s very much not a matter of taking a template, changing it and slapping it on your website or rolling it out to your business. It has to be a lot more fine-tuned and transparent. So essentially yes, there are some useful templates, but you need to customise them.
What type of advice should a business take?
It’s a really difficult question because at the end of the day, lawyers exist in society to charge people money. We’ve all watched Suits - we all know that’s the job of the lawyer. But equally, you should only spend money on lawyers if it’s absolutely necessary.
If you feel confident enough to go through the GDPR and work it out yourself, write your own policies, answer your own questions and decide your own lawful basis for processing, then you won’t have to come knocking on a lawyer’s door.
However, it’s always worth having your business’ material sense-checked by lawyers, as we’ve effectively figured out easy ways of doing certain things. We’re all sharing precedents and knowledge amongst us. What I wouldn’t recommend is going to a law firm and asking them to do the entire GDPR compliance programme, because the skill sets that you need are only partly legal and mostly operational and technological. A lawyer can help and advise you to interpret the words in the GDPR.
If we go back one step and just look at GDPR at the top level, the point of the regulation is to essentially put rules in place that say you must have a lawful basis for processing personal data. You get the unlawful basis effectively by choosing between six listed justifications, and in the business world there are three of those which are the most relevant.
That means I can process your data because you’ve given me your consent, and I can’t perform my service to you unless I do so. And there’s a useful jurisdiction out of those six which effectively says I’m allowed to process your data because it’s in my legitimate interest as a business to do so, and you as a human being don’t have an overriding legitimate interest of your own that effectively beats my business legitimate interest.
Fraud detection falls into this category for instance. It is specifically called out in the legislation as a legitimate use to share and retain data for the purposes of protecting a business and its customers from fraud - read more about this here. So there is clearly a very strong legitimate use case for companies like Ravelin and their clients.
How should a business record documents and report on how they’re using personal data?
At the end of the day, we’ve got an obligation to record the data and document it. The reason is if the Information Commissioner comes calling we need to show them what we do and reasoning behind why it’s perfectly correct.
There’s no prescriptive form in the GDPR that says you must record data in a certain way. There are certainly some rules in the GDPR about what you have to record, but in terms of how you do it, it’s very much up to what works for your business.
I’ve got a few clients who are licensing third party technologies which enable them to record everything and document it and develop a risk register. Some of my other clients are writing their own pieces of software to do this. Some are just using spreadsheets because that’s what makes them happy, and some clients are using Word documents and just printing them out, putting them in files and putting them on a shelf in a very old-school kind of way.
Many businesses will overlook supplier compliance - what are the obligations on both sides of that relationship?
One of the key tasks that are part of your data mapping is effectively getting a list of all the suppliers you have and which ones you exchange personal data with. In particular, the ones who you give data to process on your behalf.
Under the GDPR you are required to record certain things in that contract. As we’re currently pre-GDPR, we’ve got all these commercial contracts in place between businesses and their suppliers, and they have the pre-GDPR data protection clauses in them.
Everyone right now is rolling out side letters to their contracts with an attachment to them. As lawyers, we’re effectively calling this the Data Protection Addendum or the GDPR Addendum. It’s essentially sending out new compliant clauses to all of your suppliers to make sure that they agree to process the personal data that they hold in compliance with the GDPR.
And what will happen is, once they’re sent out, about 50% of them will sign them, 25% of them will say that they’d rather you sign a version that they like best, and then 25% of your suppliers will ignore it or become slightly irritated - and that’s a slight red flag.
You should then think about the data that this supplier is processing for you. If the company is not prepared to agree with the new GDPR clauses, then moving forward maybe it’s best not to be doing business with that supplier, because on the business side you have complied with imposing those clauses. That’s where the friction begins, and you’ll need to make a decision about whether to continue using that supplier or not.
Is there a difference between sending data out to a non-EU company? Do they need to be compliant if you’re in an EU based company and vice versa if you’re a non-EU company selling to an EU company? Where’s the compliance obligation there?
Essentially the GDPR pretty much mirrors the scenario that we now have under the Data Protection Act. The directive that it originally came from is where the EU is effectively a bubble of safety from a data-processing perspective.
If you’re sending data to be processed outside of the EU you need to ensure that the person and jurisdiction that you’re sending to is adequate. Adequacy is a technical term from a GDPR and a data-protection perspective but what it means is that country has similar rights to us. We think that’s okay - the data will be safe there.
If it’s not an adequate country and there isn’t a ruling to say that it’s an adequate country then you need to choose a different method to make sure that you can send the data. You can get consent as an individual to send it there, or you can do some standard contractual clauses or you can effectively rely on the EU predecisional arrangements; for example UX from Switzerland.
Finally, what should everyone be aware of in their business, and more generally about GDPR legislation?
I would say that the Information Commissioner is already running around and reinstating that everyone has had two years to get ready. There’s no excuse to say you didn’t know. We know in advance that it won’t work to attempt pleading with the ICA. If they come calling and you say you didn’t have enough time, we know in advance that that’s also not going to work.
Having said that, no one can get from zero to perfect between now and May next year - they’d be extremely lucky to do so, or have an extremely simple business. I have to name-check one of my colleagues, Sarah Needham at Keystone, because she’s posted a pre-GDPR checklist on our website this week in which she calls it picking the low-hanging GDPR fruit, which I think is a nice way of looking at it. There are various things on that list, but there are a few that I’d just like to highlight to this audience in terms of what you really need to get done now.
The first one I would say is please start some data mapping! If you haven’t started, could you just start tomorrow? That would be great. Just don’t procrastinate any longer because it won’t help you.
The second one is, before Christmas, print out that list of contracts where data is given out to be processed on your behalf, or where you process other people’s data. Let’s make sure those contract clauses are in there because, actually, that’s a very easy administrative fix once you get the right document to send out.
As part of your initial mapping, be very careful about identifying overseas transfers, because if you mix those up you’re essentially messing up the law as it is today already, so there’s no excuse to say this is a new obligation.
Your house should already be in order on those. Then there’s also the slightly more nuanced aspect, which is: GDPR compliance isn’t specifically in the legal, compliance or the risk department - it’s actually to do with all of them, and the best thing that everyone can do is make sure that people are talking to each other. Make sure there’s awareness and make sure that things aren’t happening in silos.
If you have no time to do anything on your own - just massive, massive desperate straits - I would always look at it like this. If the Information Commissioner came calling, what bits of paper do you have ready to show them? You need to have some data mapping and a new data protection policy.