Re: GDPR lessons learnt

- Harm is considered to be anything that could cause a person physical/emotional stress.

This is not true. EU courts do not grant damages for things that are neither expressly in the laws or a violation of human rights. Harm in the GDPR is clearly defined as the possibility for any individual to control where is there private data and is done with it.

That only underlines that all the GDPR stuff is so pathetic

You do not care about what people do with your private data? info about your preferences in any matter ? you probably should think about it a second time.

-Greg

...in the scenario that someone complained for example about addressing them with their previous name/surname.

Eh, this sounds like something that would be explained better on Snopes. Did the trainer cite the actual cases?

Surely the lawsuit wouldn't be about calling someone by an obsolete name on its own, it would be about the fact that you revealed that you had broken a data retention law by calling someone by a name you shouldn't know, which is very different.  Most such "crazy case" examples don't include how a lawsuit was tossed and/or the argument was unsuccessful in real life, or they misstate what the real case was.

Guess if you had been harvesting data you shouldn't have and then targeting vulnerable people based specifically on the difference between old and new data, and there was a smoking gun (leaked business plans referring to the emotional state of recently divorced people, for example) I could see how that might work. Like to see the real cases, though.

Speaking of whether or not something would hold up in court (if it ever went that far), some of the members of our Marketing team attended an IDC conference in San Francisco last week - where there was a lot of talk around GDPR.  One of the presenters was mentioning that although you may think that you're covering all bases when capturing the appropriate consent (by including additional attributes like opt-in date, the form or program where consent was given, IP address, etc., that even this may not be up for question since there's no actual proof that it was a certain individual that provided that consent (could be a co-worker, a fraudulent user, etc.).  Pretty scary when you start hearing this - even though many of us are going above and beyond to practice best-practice marketing under this new legislation.

Also mentioned at this conference last week by one of the well-respected presenters: he stated flat-out that if any data vendor/supplier tells you they are GDPR-compliant right now, that's a complete lie.  In fact, many companies now are targeting a "GDPR-ready" state by May 25, not "GDPR-compliant" (which many large/global companies are saying it's almost impossible).

And just today, one of the "well known" B2B vendors that we use, replied back with this when we asked for them to confirm if they were GDPR compliant - here's a sub-section of their reply:

When reviewing GDPR compliance, it is important to note that there are six very distinct and separate ways in Article 6 to lawfully process personal data: Consent, Contractual Obligation, Legal Obligation, to Protect Vital Interests, Public Interest, and Legitimate Interest. Two of these apply to B2B communications: Consent, and separately Legitimate Interest - so written consent is not required to lawfully process personal data under the GDPR. Here's a post by the Information Commissioner who actually drafted the GDPR explaining the difference: https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/. Our processing of personal data XXX processes personal data of the data subject in the legitimate interest of direct marketing (Recital 70 of the GDPR is a good reference here as well), therefore is compliant. The data subject has the right to object to such processing for marketing purposes, so we send a notice of inclusion in our database to all EU contacts with all information required in such a notice, and most importantly clear instructions on how to object to processing, and as a result be removed from our database. Notices of this nature must be sent, at the very latest, at the time of first communication with the data subject. We send ours right after gathering the data regardless of when in the future the first communication may take place.

Another example of the many ways GDPR is being interpreted!

Reading further on down in this specific vendor's response - you'll all get a kick out of this one:

We think the GDPR, based on its plain language, does not apply to B2B marketing under this test because the offer is to the employer, not the employee. (See Id. Art. 3(2)(a) (“The Regulation applies . . . where the processing activities are related to . . . the offering of goods or services . . . to such data subjects in the Union[.]”) (emphasis added).) In layman's terms B2B companies are offering goods and services to companies, not the data subjects AT those companies - their products and services are for the benefit of the company, not the consumer (data subject) - think of this as the difference between selling a vacation cruise to a person over the phone or email vs. selling a sophisticated firewall or backup solution to a company. But it is a gray area that wants additional guidance

In a sense you could file this under "Marketers who don't understand their own business model," ugh.

Interesting attempt at spin, though. Since corporate personhood isn't recognized in the EU the way it is in the US, and a "data subject" is defined in GDPR as a natural person (not merely legal person) if you could establish that somehow no natural person's data was involved in processing, maybe you'd have something. But it would be impossible to make that guarantee since someone's work address is still "an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Hi Sanford & Dan,

This is on this ground that it is possible to make a distinction between generic email addresses (contact@mycompany.com) and personal ones (first.last@company.com) and being allowed to treat the first with much cooler rules.

But there it stops. As you duly point out, the GPDR is about personal identification, not data from the private sphere only.

-Greg

Yeah, I doubt that this is what this vendor is referring to.  They are attempting to interpret the law (and find whatever loopholes are possible (good luck with that)) that allows them to continue to operate business as usual - and therefore communicate to their customers that "yes, we are GDPR-compliant".  Knowing who this vendor is, the data that they have (along with the email addresses) are of individuals, not company/generic.

HI Dan,

I fully understand this. Yet 2 remarks:

• One of the major telemarketing firm in France has announced a layoff plan recently. They have not published much about the reasons behind it, but I found the coincidence troubling...
• As a customer of these telemarketing companies, if they email in our name, we are co-responsible in case someone complains. So I would urge brands that sub contracts to these companies to very carefully consider having their own interpretation of the GPDR and not trust some who in fact has everything to loose in interpreting the GDPR strictly. Some things (buying database and importing them in our systems) will clearly be off-limit. Some might be tolerated, under the conditions that take detailed reviewed : how the emails send are worded? Is the responsibility for sending these emails clearly stated? How serious is their opt-out process? Their opt-in process?

-Greg

Hi Greg - what's your take on contact subscription/enrichment services like ZoomInfo, ReachForce, Hoovers, DiscoverOrg, Data.com, D&B, InsideView, RainKing, Lead411, etc.?  These are the ones that, IMO, are greatly going to be impacted (along with the typical telemarketing agency) and will need to change their business model to survive.

Hi Dan,

Salesforce has started to retire data.com in the EU. No reason given, but that tells a lot, IMHO

Data Enrichement can be OK (how to complete a person's information after she has entered your database through a form). You will have to get into details about what data you are appending, since it has to be relevant to your business.

Lead appending (adding new leads to your database after an anonymous visitors with an IP that is linked to a specific company visited your web site) is clearly off limit.

-Greg

Hi Dan,

I also observe that many people, especially in the data and marketing services supplier world, will try to use the legitimate interest clause to continue their work unchanged.... I personally think that this is a very dangerous course. I advise my customers to take to very carefully and make sure that these suppliers will 1/ send the emails themselves, 2/ send the emails in their own names with a clear mention that if they do promote offerings from someone else, they still do it in their own name. anything else is clearly off the mark.

-Greg

Yeah, that seems the norm these days when asking our vendors/suppliers for their stance on how their company is compliant with GDPR.  I expect our GDPR/Legal team to shut this down real quick if they don't change their interpretation of the law - and thus how they operate as a data processor/controller. 

Hi Macarena,

The legitimate interest is quite vague, but it is NOT an open bar that can justify everything. Michelle Miles wrote a very good post on this here: Is Legitimate Interest a Legitimate Loophole for GDPR Consent?

-Greg

The problem is that I do care. I just think that nothing would change in terms of their vulnerability. With dozens of hacks happening every day, in the future world we'll have to get used to complete openness. And that's sad, in my view.

The only tangible effect of GDPR IMHO would be to make us add more checkboxes. Have you ever read a privacy policy of a website you visit? I doubt it.

I just think that nothing would change in terms of their vulnerability.

It's not about the vulnerability of stored data to hacks, it's about what you are allowed to store, and thus what would/will be compromised  in the event of a hack.

There is a very substantial improvement, for example, in requiring financial institutions to store only password hashes and partial CC information. It doesn't make the underlying database less "hackable" in any way -- it's going to be just as attractive to hackers because they'll work on the assumption that you haven't followed regulations and will try to get at the data anyway. But what they see when they get there can differ greatly.

Have you ever read a privacy policy of a website you visit? I doubt it

If fact, I have but because it's part of my job as a consultant...

The GDPR will be of little effect on the hackers, you are right on this. But it will have some effects on the large vendors trading information they get for free into business. You name them

-Greg