GDPR lessons learnt

Anonymous
Not applicable

GDPR lessons learnt

Hi All,

I've attended an IDM GDPR training session and I leant a couple of things I thought it would be useful to share. One thing I can say after it is that there are no black or white situations, there are a lot of grey areas (at least now, before ePrivacy comes into place). You should, on top of everything, use a person's data to their benefit and without causing any potential harm/stress, in a lawful, fair and transparent way.

  • Affected

- Every data controller managing personal data in the EU must comply with GDPR, even if they are targeting someone outside of the EU.

- Every data controller managing personal data outside of the EU must comply with GDPR if they are targeting someone IN the EU, even if the person is not from EU.

- GDPR applies only to identifiable natural people, that is, someone that can be identified, directly or indirectly.

Notes:

- IP address is considered to be an identifiable variable.

- If an IP address is an identifiable variable, a Marketo Anonymous lead is not a GDPR anonymous lead.

- Having identifiable information does not depend on its visibility in a platform, but rather based on possession.

- In order to know if a person is influences by GDPR is not enough to look at their 'Country' field data, as is a matter of they are at the time you are targeting rather than where they are based.

  • Consent

- Under GDPR, there are a number of different options that allow a company to target a natural person. This can be consent, but it can also be legitimate interest. Here is a link to an article highlighting what can and cannot be considered legitimate interest: DPN Legitimate Interests Guidance - Using LI under the GDPR

Note:

- Current customers that have not opted-in can still be considered as opted-in due to contractual needs.

  • Consent requirements

- Opt-in is only required with identifiable natural people.

ceo@CompanyName.com - requires both consent opt-in and opt-put

sales@CompanyName.com - requires only consent opt-out

ceo@CompanyName.com is considered an identifiable natural person, even if it doesn't specify the name/surname of the individual. This is because it can be indirectly identified (i.e. check who is the CEO of the specified company).

HOWEVER, after ePrivacy goes live, both examples will need both consent opt-in and opt-out.

  • Privacy policy

- Under GDPR you must show your organisation's privacy policies in every form. However, the fact that you have a link displaying them or even you have a consent checkbox for them, does not mean is GDPR friendly. You must make sure that they are understandable, easy and quick to process. If you have privacy policies that are too long or with details that could cause harm to the individual. Best practice is to put any details that could cause harm/stress to the person outside of the privacy policies link, in the actual form.

Also, you must give people the option of submitting a form without having to consent to privacy policies.

Note:

- Harm is considered to be anything that could cause a person physical/emotional stress.

It would be great to know your thoughts on the above and I hope you can find these points helpful.

20 REPLIES 20
Stepan_Egorov
Level 2

Re: GDPR lessons learnt

- Harm is considered to be anything that could cause a person physical/emotional stress.

LOL. Basically, that could be anything in your life - even a kitten image, if you had bad experience with kittens. That only underlines that all the GDPR stuff is so pathetic. They're indicating that they sort of care about people, but in fact imposing more checkboxes that no one cares about. "I have read and accept these and those terms". Nonsense! To say the least.

Grégoire_Miche2
Level 10

Re: GDPR lessons learnt

- Harm is considered to be anything that could cause a person physical/emotional stress.

This is not true. EU courts do not grant damages for things that are neither expressly in the laws or a violation of human rights. Harm in the GDPR is clearly defined as the possibility for any individual to control where is there private data and is done with it.

That only underlines that all the GDPR stuff is so pathetic

You do not care about what people do with your private data? info about your preferences in any matter ? you probably should think about it a second time.

-Greg

Stepan_Egorov
Level 2

Re: GDPR lessons learnt

The problem is that I do care. I just think that nothing would change in terms of their vulnerability. With dozens of hacks happening every day, in the future world we'll have to get used to complete openness. And that's sad, in my view.

The only tangible effect of GDPR IMHO would be to make us add more checkboxes. Have you ever read a privacy policy of a website you visit? I doubt it.

Grégoire_Miche2
Level 10

Re: GDPR lessons learnt

Have you ever read a privacy policy of a website you visit? I doubt it

If fact, I have but because it's part of my job as a consultant...

The GDPR will be of little effect on the hackers, you are right on this. But it will have some effects on the large vendors trading information they get for free into business. You name them

-Greg

SanfordWhiteman
Level 10 - Community Moderator

Re: GDPR lessons learnt

I just think that nothing would change in terms of their vulnerability.

It's not about the vulnerability of stored data to hacks, it's about what you are allowed to store, and thus what would/will be compromised  in the event of a hack.

There is a very substantial improvement, for example, in requiring financial institutions to store only password hashes and partial CC information. It doesn't make the underlying database less "hackable" in any way -- it's going to be just as attractive to hackers because they'll work on the assumption that you haven't followed regulations and will try to get at the data anyway. But what they see when they get there can differ greatly.

Anonymous
Not applicable

Re: GDPR lessons learnt

Hi Gregoire,

Although I completely agree with your conception of harm, our legal trainer mentioned a couple of cases were harm was actually due to emotional distress.

Now, I know and agree that that is too vague as anything can potentially cause emotional distress, but I believe what he was trying to say is to always have a strong case in the scenario that someone complained for example about addressing them with their previous name/surname.

Thanks.

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR lessons learnt

Speaking of whether or not something would hold up in court (if it ever went that far), some of the members of our Marketing team attended an IDC conference in San Francisco last week - where there was a lot of talk around GDPR.  One of the presenters was mentioning that although you may think that you're covering all bases when capturing the appropriate consent (by including additional attributes like opt-in date, the form or program where consent was given, IP address, etc., that even this may not be up for question since there's no actual proof that it was a certain individual that provided that consent (could be a co-worker, a fraudulent user, etc.).  Pretty scary when you start hearing this - even though many of us are going above and beyond to practice best-practice marketing under this new legislation.

Also mentioned at this conference last week by one of the well-respected presenters: he stated flat-out that if any data vendor/supplier tells you they are GDPR-compliant right now, that's a complete lie.  In fact, many companies now are targeting a "GDPR-ready" state by May 25, not "GDPR-compliant" (which many large/global companies are saying it's almost impossible).

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR lessons learnt

And just today, one of the "well known" B2B vendors that we use, replied back with this when we asked for them to confirm if they were GDPR compliant - here's a sub-section of their reply:

When reviewing GDPR compliance, it is important to note that there are six very distinct and separate ways in Article 6 to lawfully process personal data: Consent, Contractual Obligation, Legal Obligation, to Protect Vital Interests, Public Interest, and Legitimate Interest. Two of these apply to B2B communications: Consent, and separately Legitimate Interest - so written consent is not required to lawfully process personal data under the GDPR. Here's a post by the Information Commissioner who actually drafted the GDPR explaining the difference: https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/.

Our processing of personal data

XXX processes personal data of the data subject in the legitimate interest of direct marketing (Recital 70 of the GDPR is a good reference here as well), therefore is compliant. The data subject has the right to object to such processing for marketing purposes, so we send a notice of inclusion in our database to all EU contacts with all information required in such a notice, and most importantly clear instructions on how to object to processing, and as a result be removed from our database. Notices of this nature must be sent, at the very latest, at the time of first communication with the data subject. We send ours right after gathering the data regardless of when in the future the first communication may take place.

Another example of the many ways GDPR is being interpreted!

Anonymous
Not applicable

Re: GDPR lessons learnt

Hi Dan,

Yep. We covered the same topic in our training. There are 6 Lawful Basis under which a data controller can contact a natural person. However, I read today that the data controller will have evaluate, decide and document the Lawful Basis for contacting each individual.

There are also a lot of people relying on Legitimate Interest as one of these 6 Lawful Basis, but again, it is important to be very specific to which of the types of Legitimate Interest the data controller is actually referring to, for which it will have to perform what is known as a Legitimate Interest Assessment (checking the specific Legitimate Interest type, the necessity for it and whether or not is against a person's rights and freedoms). Also, every time the data controller uses Legitimate Interest it has the obligation of letting the person know, and give the person the right to object to it.

Even more, the fact that you chose one of the Lawful Basis to communicate with someone does not mean you can stick with it, it will have to be periodically reviewed in case that particular Lawful Basis stopes applying and needs to be changed.

Thanks.