20 Replies Latest reply on Mar 22, 2018 1:01 AM by Grégoire Michel

    GDPR lessons learnt

    Macarena Mazzeo

      Hi All,

      I've attended an IDM GDPR training session and I learnt a couple of things I thought it would be useful to share. One thing I can say after it is that there are no black or white situations, there are a lot of grey areas (at least now, before ePrivacy comes into place). You should, on top of everything, use a person's data to their benefit and without causing any potential harm/stress, in a lawful, fair and transparent way.


      • Affected

      - Every data controller managing personal data in the EU must comply with GDPR, even if they are targeting someone outside of the EU.

      - Every data controller managing personal data outside of the EU must comply with GDPR if they are targeting someone IN the EU, even if the person is not from EU.

      - GDPR applies only to identifiable natural people, that is, someone that can be identified, directly or indirectly.

      Notes:

      - IP address is considered to be an identifiable variable.

      - If an IP address is an identifiable variable, a Marketo Anonymous lead is not a GDPR anonymous lead.

      - Having identifiable information does not depend on its visibility in a platform, but rather on possession.

      - In order to know if a person is influenced by GDPR, it is not enough to look at their 'Country' field data, as it is a matter of where they are at the time you are targeting them rather than where they are based.


      • Consent

      - Under GDPR, there are a number of different options that allow a company to target a natural person. This can be consent, but it can also be legitimate interest. Here is a link to an article highlighting what can and cannot be considered legitimate interest: DPN Legitimate Interests Guidance - Using LI under the GDPR

      Note:

      - Current customers that have not opted-in can still be considered as opted-in due to contractual needs.

      • Consent requirements

      - Opt-in is only required with identifiable natural people.

      ceo@CompanyName.com - requires both consent opt-in and opt-out

      sales@CompanyName.com - requires only consent opt-out

      ceo@CompanyName.com is considered an identifiable natural person, even if it doesn't specify the name/surname of the individual. This is because it can be indirectly identified (i.e. check who is the CEO of the specified company).

      HOWEVER, after ePrivacy goes live, both examples will need both consent opt-in and opt-out.

      • Privacy policy

      - Under GDPR you must show your organisation's privacy policies in every form. However, the fact that you have a link displaying them, or even a consent checkbox for them, does not mean it is GDPR friendly. You must make sure that they are understandable, easy and quick to process, and not too long or full of details that could cause harm to the individual. Best practice is to put any details that could cause harm/stress to the person outside of the privacy policies link, in the actual form.

      Also, you must give people the option of submitting a form without having to consent to privacy policies.

      Note:

      - Harm is considered to be anything that could cause a person physical/emotional stress.

      It would be great to know your thoughts on the above and I hope you can find these points helpful.

        • Re: GDPR lessons learnt
          Stepan Egorov

          - Harm is considered to be anything that could cause a person physical/emotional stress.

          LOL. Basically, that could be anything in your life - even a kitten image, if you had a bad experience with kittens. That only underlines that all the GDPR stuff is so pathetic. They're indicating that they sort of care about people, but in fact are imposing more checkboxes that no one cares about. "I have read and accept these and those terms". Nonsense! To say the least.

            • Re: GDPR lessons learnt
              Grégoire Michel

              - Harm is considered to be anything that could cause a person physical/emotional stress.

              This is not true. EU courts do not grant damages for things that are neither expressly in the laws nor a violation of human rights. Harm in the GDPR is clearly defined as the possibility for any individual to control where their private data is and what is done with it.

              That only underlines that all the GDPR stuff is so pathetic

              You do not care about what people do with your private data? Info about your preferences in any matter? You probably should think about it a second time.

              -Greg

                • Re: GDPR lessons learnt
                  Stepan Egorov

                  The problem is that I do care. I just think that nothing would change in terms of their vulnerability. With dozens of hacks happening every day, in the future world we'll have to get used to complete openness. And that's sad, in my view.

                  The only tangible effect of GDPR IMHO would be to make us add more checkboxes. Have you ever read a privacy policy of a website you visit? I doubt it.

                    • Re: GDPR lessons learnt
                      Grégoire Michel

                      Have you ever read a privacy policy of a website you visit? I doubt it

                      In fact, I have, but because it's part of my job as a consultant...

                      The GDPR will be of little effect on the hackers, you are right on this. But it will have some effects on the large vendors trading information they get for free into business. You name them.

                      -Greg

                      • Re: GDPR lessons learnt
                        Sanford Whiteman

                        I just think that nothing would change in terms of their vulnerability.

                        It's not about the vulnerability of stored data to hacks, it's about what you are allowed to store, and thus what would/will be compromised in the event of a hack.

                        There is a very substantial improvement, for example, in requiring financial institutions to store only password hashes and partial CC information. It doesn't make the underlying database less "hackable" in any way -- it's going to be just as attractive to hackers because they'll work on the assumption that you haven't followed regulations and will try to get at the data anyway. But what they see when they get there can differ greatly.

                      • Re: GDPR lessons learnt
                        Macarena Mazzeo

                        Hi Gregoire,

                        Although I completely agree with your conception of harm, our legal trainer mentioned a couple of cases where harm was actually due to emotional distress.

                        Now, I know and agree that that is too vague, as anything can potentially cause emotional distress, but I believe what he was trying to say is to always have a strong case in the scenario that someone complained, for example, about addressing them with their previous name/surname.

                        Thanks.

                          • Re: GDPR lessons learnt
                            Dan Stevens

                            Speaking of whether or not something would hold up in court (if it ever went that far), some of the members of our Marketing team attended an IDC conference in San Francisco last week - where there was a lot of talk around GDPR. One of the presenters was mentioning that although you may think that you're covering all bases when capturing the appropriate consent (by including additional attributes like opt-in date, the form or program where consent was given, IP address, etc.), even this may be up for question since there's no actual proof that it was a certain individual that provided that consent (could be a co-worker, a fraudulent user, etc.). Pretty scary when you start hearing this - even though many of us are going above and beyond to practice best-practice marketing under this new legislation.

                            Also mentioned at this conference last week by one of the well-respected presenters: he stated flat-out that if any data vendor/supplier tells you they are GDPR-compliant right now, that's a complete lie. In fact, many companies now are targeting a "GDPR-ready" state by May 25, not "GDPR-compliant" (which many large/global companies are saying is almost impossible).

                              • Re: GDPR lessons learnt
                                Dan Stevens

                                And just today, one of the "well known" B2B vendors that we use replied back with this when we asked them to confirm if they were GDPR compliant - here's a sub-section of their reply:

                                When reviewing GDPR compliance, it is important to note that there are six very distinct and separate ways in Article 6 to lawfully process personal data: Consent, Contractual Obligation, Legal Obligation, to Protect Vital Interests, Public Interest, and Legitimate Interest. Two of these apply to B2B communications: Consent, and separately Legitimate Interest - so written consent is not required to lawfully process personal data under the GDPR. Here's a post by the Information Commissioner who actually drafted the GDPR explaining the difference: https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/.

                                Our processing of personal data

                                XXX processes personal data of the data subject in the legitimate interest of direct marketing (Recital 70 of the GDPR is a good reference here as well), therefore is compliant. The data subject has the right to object to such processing for marketing purposes, so we send a notice of inclusion in our database to all EU contacts with all information required in such a notice, and most importantly clear instructions on how to object to processing, and as a result be removed from our database. Notices of this nature must be sent, at the very latest, at the time of first communication with the data subject. We send ours right after gathering the data regardless of when in the future the first communication may take place.

                                Another example of the many ways GDPR is being interpreted!

                                  • Re: GDPR lessons learnt
                                    Macarena Mazzeo

                                    Hi Dan,

                                    Yep. We covered the same topic in our training. There are 6 Lawful Bases under which a data controller can contact a natural person. However, I read today that the data controller will have to evaluate, decide and document the Lawful Basis for contacting each individual.

                                    There are also a lot of people relying on Legitimate Interest as one of these 6 Lawful Bases, but again, it is important to be very specific about which of the types of Legitimate Interest the data controller is actually referring to, for which it will have to perform what is known as a Legitimate Interest Assessment (checking the specific Legitimate Interest type, the necessity for it and whether or not it is against a person's rights and freedoms). Also, every time the data controller uses Legitimate Interest it has the obligation of letting the person know, and giving the person the right to object to it.

                                    Even more, the fact that you chose one of the Lawful Bases to communicate with someone does not mean you can stick with it; it will have to be periodically reviewed in case that particular Lawful Basis stops applying and needs to be changed.

                                    Thanks.

                                    • Re: GDPR lessons learnt
                                      Grégoire Michel

                                      Hi Dan,

                                      I also observe that many people, especially in the data and marketing services supplier world, will try to use the legitimate interest clause to continue their work unchanged.... I personally think that this is a very dangerous course. I advise my customers to take this very carefully and make sure that these suppliers will 1/ send the emails themselves, 2/ send the emails in their own names, with a clear mention that if they do promote offerings from someone else, they still do it in their own name. Anything else is clearly off the mark.

                                      -Greg

                                        • Re: GDPR lessons learnt
                                          Dan Stevens

                                          Yeah, that seems the norm these days when asking our vendors/suppliers for their stance on how their company is compliant with GDPR. I expect our GDPR/Legal team to shut this down real quick if they don't change their interpretation of the law - and thus how they operate as a data processor/controller.

                                        • Re: GDPR lessons learnt
                                          Dan Stevens

                                          Reading further on down in this specific vendor's response - you'll all get a kick out of this one:

                                          We think the GDPR, based on its plain language, does not apply to B2B marketing under this test because the offer is to the employer, not the employee. (See Id. Art. 3(2)(a) ("The Regulation applies . . . where the processing activities are related to . . . the offering of goods or services . . . to such data subjects in the Union[.]") (emphasis added).) In layman's terms B2B companies are offering goods and services to companies, not the data subjects AT those companies - their products and services are for the benefit of the company, not the consumer (data subject) - think of this as the difference between selling a vacation cruise to a person over the phone or email vs. selling a sophisticated firewall or backup solution to a company. But it is a gray area that wants additional guidance.

                                            • Re: GDPR lessons learnt
                                              Sanford Whiteman

                                              In a sense you could file this under "Marketers who don't understand their own business model," ugh.

                                              Interesting attempt at spin, though. Since corporate personhood isn't recognized in the EU the way it is in the US, and a "data subject" is defined in GDPR as a natural person (not merely a legal person), if you could establish that somehow no natural person's data was involved in processing, maybe you'd have something. But it would be impossible to make that guarantee since someone's work address is still "an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

                                                • Re: GDPR lessons learnt
                                                  Grégoire Michel

                                                  Hi Sanford & Dan,

                                                  It is on this ground that it is possible to make a distinction between generic email addresses (contact@mycompany.com) and personal ones (first.last@company.com) and be allowed to treat the first with much cooler rules.

                                                  But there it stops. As you duly point out, the GDPR is about personal identification, not data from the private sphere only.

                                                  -Greg

                                                    • Re: GDPR lessons learnt
                                                      Dan Stevens

                                                      Yeah, I doubt that this is what this vendor is referring to. They are attempting to interpret the law (and find whatever loopholes are possible (good luck with that)) in a way that allows them to continue to operate business as usual - and therefore communicate to their customers that "yes, we are GDPR-compliant". Knowing who this vendor is, the data that they have (along with the email addresses) are of individuals, not company/generic.

                                                        • Re: GDPR lessons learnt
                                                          Grégoire Michel

                                                          Hi Dan,

                                                          I fully understand this. Yet 2 remarks:

                                                          • One of the major telemarketing firms in France has announced a layoff plan recently. They have not published much about the reasons behind it, but I found the coincidence troubling...
                                                          • As a customer of these telemarketing companies, if they email in our name, we are co-responsible in case someone complains. So I would urge brands that subcontract to these companies to very carefully consider having their own interpretation of the GDPR and not trust someone who in fact has everything to lose in interpreting the GDPR strictly. Some things (buying databases and importing them into our systems) will clearly be off-limits. Some might be tolerated, under conditions that require a detailed review: how are the emails sent worded? Is the responsibility for sending these emails clearly stated? How serious is their opt-out process? Their opt-in process?

                                                          -Greg

                                                            • Re: GDPR lessons learnt
                                                              Dan Stevens

                                                              Hi Greg - what's your take on contact subscription/enrichment services like ZoomInfo, ReachForce, Hoovers, DiscoverOrg, Data.com, D&B, InsideView, RainKing, Lead411, etc.? These are the ones that, IMO, are greatly going to be impacted (along with the typical telemarketing agency) and will need to change their business model to survive.

                                                                • Re: GDPR lessons learnt
                                                                  Grégoire Michel

                                                                  Hi Dan,

                                                                  Salesforce has started to retire data.com in the EU. No reason given, but that tells a lot, IMHO.

                                                                  Data Enrichment can be OK (how to complete a person's information after she has entered your database through a form). You will have to get into details about what data you are appending, since it has to be relevant to your business.

                                                                  Lead appending (adding new leads to your database after an anonymous visitor with an IP that is linked to a specific company visited your web site) is clearly off limits.

                                                                  -Greg

                                                  • Re: GDPR lessons learnt
                                                    Sanford Whiteman

                                                    ...in the scenario that someone complained for example about addressing them with their previous name/surname.

                                                    Eh, this sounds like something that would be explained better on Snopes. Did the trainer cite the actual cases?

                                                    Surely the lawsuit wouldn't be about calling someone by an obsolete name on its own, it would be about the fact that you revealed that you had broken a data retention law by calling someone by a name you shouldn't know, which is very different. Most such "crazy case" examples don't include how a lawsuit was tossed and/or the argument was unsuccessful in real life, or they misstate what the real case was.

                                                    Guess if you had been harvesting data you shouldn't have and then targeting vulnerable people based specifically on the difference between old and new data, and there was a smoking gun (leaked business plans referring to the emotional state of recently divorced people, for example), I could see how that might work. Like to see the real cases, though.