Transcript of the Video
Suzanne Dibble:
Hello, ladies and gentleman. I had hoped to do a live stream today about GDPR for people in the IT world, because I've had loads and loads of questions in the group about it and to be fair, I have been ignoring them. Because it's such a big area and it's complex and personally, I need to get my own head around it. And also, I'm not a very techy person, so what I've decided to do is bring somebody who is a techy person onto the call with me and I…we hoped it would be a live stream, but we haven't managed to get the tech to do that, so we're pre-recording this. But if you have got any comments or anything like that, then do feel free to comment when we post this video.
But hopefully, this will be a really good overview of the issues that you need to consider if you are in that IT world. So welcome Andre, thank you very much for being here. Would you like to just say a few words about who you are, what you do, what your whole perspective on this GDPR thing is? Etcetera.
Andre:
Right. Well, I'm Andrew Palmer. A lot of people know me from Elegant Marketplace, which is a Divi theme store, but I've also got my own business where I operate as a host of reselling and also giving people advice on digital marketing, etcetera. So within that, GDPR is very important to me because I host about 300 websites so am I a data processor am I a data controller, if I amend the website do I have to take notes of every time I've amended it. Am I responsible for the content that goes in that? Will my insurance, my insurance be affected, my premiums go up.
These are all questions that have been asked in my Facebook group and your Facebook group. So GDPR group has grown phenomenally over the last three or four weeks; has got all sorts of questions form all sorts of people, small businesses, medium-sized businesses. One of the confusions that I see a lot of the time is; if I host a website, who is in control of that data?
So I'm hosting a website through a re-seller account for instance I might have a VPS ... which is a bunch of private servers which I kind of own or I rent from a host. Who is the processor and who is the data controller, or vice versa. Or, am I both. So that's one question that we need to -
Suzanne Dibble:
Well let's pause there then. We will talk about that one. So the concept of a data controller, data processor, the joint data controller isn't new. Actually, there is some quite useful guidance from the ICO that I will post a link to this video. But really, if you ... so actually let's start with the basics of what's the definition of a controller and what's the definition of a processor?
Now in the regulations; a controller means somebody who determines the purposes and means of the personal data. Okay, so if you are of the names, just controlling; what the processing is and what the purpose is of that processing is; then you are a controller.
If you are a processor, what is a processor? Is a person who processes personal data on behalf of the controller. What we need to look at with the type of example that you mentioned, Andre, is the degree of discretion about how the processing takes place.
Okay, so if you are a processor who only processes in accordance with the directions of the controller; then yes we know we've got to have our processor agreement in place. That will actually say, the processor can only process in accordance with the instructions of the data controller. But, obviously, there will be commercial arrangements where somebody might be a processor and in regard to certain elements of the processing and even for certain purposes. They might also be a controller as well, in relation to different processing or different purposes. So we need to look at each bit of the processing and the purposes very carefully to work out the exact relationship there.
So the ICO gives some examples, okay, which I will read out? A car higher company contracts a vehicle tracking company to install devices in its cars and monitor them so the cars can be recovered. The vehicle tracking company is a data controller in its own rights. That's because it's got sufficient freedom to use its expertise to decide what information is collected about the cars and how to analyze that. It's entirely in control of its own data collection and because the operation of the vehicle tracking software is a trade secret and the higher company doesn't even know what information is collected. So although the higher company determines the overall purpose of the tracking; which is the recovery of the cars, for example. The fact that the tracking company has such a degree of freedom to decide which information to collect and how; means it is a data controller in its own rights.
Now to compare that to an instance of a Cloud provider. So say a local authority uses a Cloud provider to store data about its housing stock and residence rather than holding the data on its own IT system. The Cloud provider's contracted to delete certain data after a particular period and to grant members of the public access to their own records via a secure online portal. Although the Cloud provider provides a range of services and uses a great deal of its own technical expertise to do this; it's still only a data processor.
A key consideration is that the conditions of the contract mean that the Cloud provider has no scope to use the data for any of its own purposes; and in addition, the Cloud provider doesn't collect any information itself. Okay.
Andre:
Well-
Suzanne Dibble:
You see that it's two distinctions there.
Andre:
I definitely understand those two distinctions. The issue is with reselling hosting or a hosting provider. Sometimes clients are allowed access to a help desk or something like that and therefore they have to pass on their email address to be able to get that kind of help, for instance, or support.
I have my own help support system which is separated from my website; which is run by say, Fresh Desk, which is a Cloud provider or support systems. So who is the controller of the data in that instance? And who is the processor?
Suzanne Dibble:
Okay, so if you look at that example that the ISO uses about the local authority uses the Cloud provider; they allowed members of the public to access their own records via a secure online portal. It hosted a residents discussion forum as well, actually, missed that out.
So you can imagine in that scenario; those members of the public would be having their own logins directly with that Cloud provider. And the Cloud provider would be a controller in relation to the personal data; like names and email addresses and things like that of those residents.
Okay, in so far as other data that is stored in the Cloud. Then it seems that it would just be a processor in relation to that data.
Andre:
Okay, but what does that make me? Does that make me a data controller or a processor, or both?
Suzanne Dibble:
Probably both from what you've described.
Andre:
Okay, well that's very clear. So we need some... on that.
Suzanne Dibble:
So I think, so if you've got ... do you contract directly, you wouldn't be contracting directly with the users if you support desk, will you? Your clients have the contract with the end user.
Andre:
NO, we have some from a marketplace which is a different kind of thing. We sell on behalf of a vendor. The data is owned by us because; obviously they've purchased the product from us. We control, we're the controller of that data. We're processors of that data, or PayPal or whoever and all mailer rights and all vendors. So those are all connected. But what the clarity that people like me require, if I am hosting and or indeed selling products, is when do I cross the line from being a controller of the data, because obviously I capture the data but I don't process that data; in as much as for payments of the product.
Suzanne Dibble:
Okay, so let's look at the definition of processing, which is really wide. So processing means any operation or set of operations which is performed on personal data or ... so remember we are only talking about personal data here anyway.
Andre:
Yes, it doesn't apply to business to business transactions then?
Suzanne Dibble:
Well any ... so personal data... any information relating to an identified or identifiable natural person.
Andre:
Right.
Suzanne Dibble:
Okay, so it wouldn't matter if it was B-to-B or B-to-C or whatever. But if it's a name and an email address and that allows you to identify a living individual, then that's covered in the state of personal data. So processing, any operation or set of operations which are performed on personal data; whether or not, by automated means such as; collection, recording, organization, structuring, storage ... Okay so often I get asked, people say, I am just storing the data, I am not actually doing anything with it. Well, that is included in the definition of processing.
Adaptation, alteration, retrieval, consultation, use ... I mean what on Earth say why what is the definition of use.
Andre:
Not quite exactly is the
Suzanne Dibble:
Discouragement by transmission; dissemination, and this is another one or otherwise making available; alignment or combination restriction, arrangement or destruction. So an extremely wide definition of processing. So even the act of storing; is processing.
Andre:
Fetching. Okay, so that makes it clear. So anybody selling anything online is both a controller and a processor. Doesn't matter whether it's a free purchase and doesn't go to a payment gateway; they are a controller and a processor. I think that adds some clarity.
Suzanne Dibble:
In the scenario that you've described, yes. I mean there may be situations where people are just a processor because they haven't got that element of discretion about how to use the data of the client and they are not, maybe. No, you are right in that sense, so I was thinking about a VI or somebody like that. No, yes the VI will be a controller for at least, if she's got one client, then they will be a controller in relation to the data of that client; in terms of the name and email address and whatever they hold on them for the purposes of that relationship.
Of course what they're not a controller in relation to, at least makes, not in terms of the relationship is the client's data.
Andre:
Well I get that because it's not their data.
Suzanne Dibble:
Exactly…But in terms of the more complicated question about at what point do you become a data controller of your client's data; that's where you look at this degree of discretion over how the processing takes place using their own expertise.
Andre:
Got you.
Suzanne Dibble:
So, if for example, there were some IT services where ... Or maybe even a virtual assistant example; where the virtual assistant was deciding what emails to send out, what campaigns to do, maybe they had more of a discretion than just saying go in and press the button to send the email; if they had more discretion than that, for example -
Andre:
Of what goes to.
Suzanne Dibble:
And that would bring them into being a potentially joint controller.
Andre:
So you have to specify that in our terms and conditions and contracts with your customers. That's the clear thing that we need to get. It's because people within the industry are very confused about what rights you have to specify. And my view is not the professional view of this as well; is that actually just specify everything. Because if you think you are liable for that or you think you are that particular person like a controller or a processor, there's no problem about being completely transparent about that.
That's why I actually like The GDPR because it brings about transparency. One of the things that we need to get some more clarity around; and it's an often asked question both in the group and GDPR. I mean both groups are you what's going on because it's such a hot topic at the moment is the ... I've got the question here and I completely forgot what it was. Bear with me. One is what is a specific consent that applies to me, as a small business owner and two what is the... of use?
Suzanne Dibble:
Okay so in what context?
Andre:
How can I've got data on 40,000 customers labeled by signing up and buying those little checkboxes in purchasing. Saying you are now signing up to our monthly newsletters; they've opted in. They get an email double opt- in or whatever it may be. And that's been happening way before GDPR. So do I now have a legitimate use for the people before GDPR to send my emails -
Suzanne Dibble:
Oh, Oh my Goodness, we can get into that area, shortly.
Andre:
Okay because that's what the so we need to get into that. So let's go into the hosting side.
Suzanne Dibble:
Let's talk about that. J So let's try and keep this purely focused on the IT stuff.
Andre:
So when I need to do is clarify I got my host, they are a data center. They have all my clients data, including the website, they run the email address and they also run the support center. But are they a sub-processor or full processor of data?
Suzanne Dibble:
Okay, so a sub-processor is a processor. It's just where are they in the chain, really. So, if you've got your client here ... Say I'm your client and so I've got 20,000 people who bought my GDPR pack, I haven't by the way in case anyone is doing the sums. I'd be off in the Bahamas if I had. Not sitting here. No, I would be sitting here because it's my passion to help people. So, I've got 20,000 people on my list so I am the data controller, right.
Andre:
Right
Suzanne Dibble:
So I've engaged you. What did I engage you to do, Andre?
Andre:
You'd engage me to have your email marketing, have your digital marketing.
Suzanne Dibble:
Okay.
Andre:
Logins too. Pretty much everything; your server, your emails, your ... And I don't necessarily use them. But I have full access to everything because I am your host or our sub-host. I am a re-seller, therefore, I've got access to your control panel, you infusion soft for instance so I can put your orders together.
Suzanne Dibble:
Right. So I am the data controller, you're the processor. Now anybody that you use to process that data is a sub-processor. Okay. So if you think about it logically; what you are trying to do is pass this contractual protection down the chain. Because there is no point saying: Okay data controller you've got to protect the data here but when that data passes down the chain it's not protected anyway. That would make a mockery of all of it.
What we've got to do is pass on certain contractual protections down that chain. Now what the, what GDPR says about data processors is that you now have to have a written agreement with them that specifies various things. It doesn't have to be a stand-alone processor agreement. It can go in the terms of your, say service agreement with your clients, for example. But you need to make sure that you've got these specified terms in there.
One of them is that if you use a sub-processor; and if I was a data controller I'd want to make sure that you're only using sub processor I know about. Because one side of it is the contractual protection; you hope they comply with that contract. But really obviously this depends on the scale and the scope of your processing. But what we should be doing is due diligence up front on you as a processor; asking you: Okay who are you sending that data to and making sure that you're GDPR compliant and that the sub-processor is GDPR compliant. Then we have this contractual chain to back that up.
So what the processor agreement says and what you have to say according to GDPR is that if you use a sub processor and you will put an agreement in place. There will be an agreement between the processor and the sub-processor, that has these relevant contractual protections in them.
So if you are inside my database and you are doing things with it and whatever ... Now if you're using ... Who would be a sub-processor in that example? Who would you?
Andre:
It would be one of my developers. Yeah, one of my team.
Suzanne Dibble:
Is he freelance?
Andre:
Yep.
Suzanne Dibble:
Okay, great. So freelancer would be a sub processor. If you've got an employee, that's not a sub processor because that's part of your legal entity. So you don't need to put a contractual arrangement in place with an employee. But you would with a separate legal entity, say a freelancer, a contractor, whatever you want to call them. Then you need to put that processor agreement in place with them.
Now again, it's a matter of scale and scope. Some of them are… and I've got this chap in Borneo who does my web star, do I have to send him the model clauses. You can just imagine who he'd freak out if you sent him the twenty pages of contractual clauses that you are supposed to have in place if he's transferring data outside of the EEA. So that's something else to think about. If you're transferring data outside of the EEA; then unless that person is in a country that has an adequacy finding and there is not many of those. There's only 11 or 12 of them. Maybe I would put a link in the comment as to what they are. Then you also not only do you need to think about process agreement; you also need to think legally about putting a standard contractual clause into place.
Now if you are dealing with a processor who is, I don't know. Who would be a big processor that you might use? Who would you maybe
Andre:
Processing data? It would be a payment processor, surely.
Suzanne Dibble:
Yeah, so payment processor, someone like that. So obviously for me as a client,
Andre:
For you as a client -
Suzanne Dibble:
You would be having that relationship with a bigger processor on my behalf.
Andre:
It would be a host.
Suzanne Dibble:
Okay so a host then. So that host would be a sub-processor; and depending on the size of that host ... Obviously, if it's a big host, it doesn't want 10, 000 separate processing agreements.
Andre:
Okay.
Suzanne Dibble:
So what the host would be doing is they would be revising that into their terms and conditions and hopefully they would be including all the types of things that they need to include ... that GDPR says they need to include.
Andre:
They generally are, actually. All of the big hosts are doing it -
Suzanne Dibble:
But you guys, as the middleman, you need to be checking out that the hosting companies that you use are doing that.
Andre:
Yeah. Well they do, I mean that answers to four questions, to be honest. Especially is it possible to have set of terms and conditions that you ... you don't have to have a processor agreement from every customer.
Suzanne Dibble:
Yes and -
Andre:
If I've got you look at my place you got 40 odd thousand customers in my own business, I've got 360 websites that I host. Do I need to have set the agreement with every single one of them?. Or can I have a general agreement; say this is what we are doing with your data. And that's what this question is about.
Suzanne Dibble:
Yes. Exactly. So if you do have lots of clients and you're a processor, although it is actually an obligation on the controller to make sure that they use processors who are compliant; so follow on from that. Thinking that they should be providing you with an agreement.
Obviously, it's going to make much more commercial sense for you to write to your clients and say: We're fully aware of GDPR, we've amended our terms and conditions to make sure that they are in accordance with what GDFPR says about how we process your data. Here are the new terms.
Now that's what people like MailChimp and big players like that have been doing, obviously. Now if people don't agree to those terms, then ... and that's why people have been getting these messages that if you don't agree to these terms; then effectively, goodbye. Because people ... you have to introduce these new terms into your contracts.
Andre:
Yeah.
Suzanne Dibble:
So but yes, if you've got lots of clients; then you can just amend your existing terms of use. If they don't comply with them they are out.
Andre:
So that’s one reason I don’t comply….
Suzanne Dibble if they don’t agree to them, you know…
Andre: Yeah, if they don't -
Suzanne Dibble:
Basically you phrase it as a: Here are the new terms.
Andre:
Yeah.
Suzanne Dibble:
If they don't like them, they can terminate.]
Andre:
I am saying to clients; If you don't want to download your ... If you don't want us to have any data on your, you want us to forget your data; that means that everything that you've bought from us is also forgotten as well. So you don't have any access to any future updates or our software. That's the basis of it.
Spiral in the works, somebody has asked us to unsubscribe from an email list, a marketing list. They're still a customer so I'm ... and this is another question. It's also relevant to me as well. But they are still a customer, they still access their data, they still access whatever they've got in access from the website. I am allowed, therefore, under the GDPR, for asking people to either sign up to the new terms and conditions or not; to email every one of my customers, am I not?
Suzanne Dibble:
Yeah because, they just the marketing, so you can send them your brand of processing would be contractual. So you don't need them to opted in to receive notices like that. Now it's just opting out of the Marketing side of things.
Andre:
Exactly, so they've opted out of marketing that's fine or they've opted out of something else, but they can never really opt out of us making a genuine customer communication with them to say: ; Hey listen your software is being updated or download, that's another question from there.
Suzanne Dibble:
Yes.
Andre:
I think from the complexity point of view; as far as I'm concerned; we've covered it; unless you've got any more questions that people threw at you, right.
Suzanne Dibble:
I just wanted to say that about joint controllers, actually. While we are on. Because if think there is ever ... well, I guess there are. Where are joint controllers? It's where two or more controllers jointly determine the purposes [amends 00:24:28]of processing. Okay, so can you give me any IT examples where that would happen?
Andre:
Well you would have a marketing director and a marketing manager, perhaps. Or you would have a -
Suzanne Dibble:
So separate companies, separate legal entities.
Andre:
Separate legal entities. So you would have said we are IT fixes here and we are IT suppliers here. So for instance if try not to mention one; but it's got four letter and starts with D and ends with L. So they are a big company.
Suzanne Dibble:
Okay, I'm trying to work out who that is, but yeah. Okay
Andre:
The manufacture, they distribute, they store and they are distributors and then the distributors distribute to the end client. So the marketing manager of the distributor would have the data of the end clients and be able to connect with them in various ways. For instance, we are making a delivery today -
Suzanne Dibble:
But would they sit down in the same room and decide how to use that data?
Andre:
No. Not generally.
Suzanne Dibble:
Okay, so that's kind of the ... so Joint controller, that's where two separate legal entities are sitting down and saying here is what we are going to do with this data. Or they say, I'm going to decide this bit of the processing and you're going to decide this bit of the processing.
Andre:
Generally, two separate entities in the same room, if you like. I know where you are going with that -
Suzanne Dibble:
Not physically in the same room, that was just an analogy. But you know they, in terms of deciding what happens to that data. It's not just one, it's not just me. Say it's let's think of an example with me. So say I'm the data controller. I've got these people on my list. But I am coming to you as a Marketing Consultant, for example. You're saying ... well, even when you're ... wonder ... I think it would depend on how much discretion I gave you.
Andre:
I can only do what you tell me to do.
Suzanne Dibble:
Yeah, so but if I gave you, this is a relationship where I gave you an element of discretion or I put you in charge of a chunk of that database, for example, then we would be joint controllers.
Andre:
You would.
Suzanne Dibble:
Any scenario like that, that's common in your industry?
Andre:
Not as far as I'm aware. I 'be been in it for a while. I can't imagine data controllers tend to be the actual name says what it is. You are a controller of data. Whoever controls the data is in control. Generally people ... we are a bit shy about giving other people access to our data. We're a bit shy about letting other people control how that data is used. It's normally done under. We use them… as well. It's normally done under quite strict, well very strict criteria.
It's literally building that email and send it to this list. But don't send it to that list. So that's the only kind of decision making that I have to make. SO you have a ... Within Marketing and within customer lists, you have this separated out. I know life coaches, for instance, have up to twenty lists depending on what funnels they have.
You have the same situation with your... you use Infusion software, you use tags then you separate people into various kind of genres, if you like. Or they get certain emails within their funnel. Or they get certain emails that you want to send them with GDPR, one would be a controller or a processor. It's certainly rare; in my view, for people to be a joint controller.
I think it's two separate companies.
Suzanne Dibble:
What about, I have to give this more thought as an example in the IT world. But what about if you used a Marketing Agency and they had discretion as to maybe where ... Maybe you had a list of people but they had discretion about how that list was targeted in the advertising. Maybe
Andre:
So they would have demographic control over that. Depending on what that demographic is. They would work out what the demographic is by processing that data by age, sex, gender, whatever. Then they could control it in such a way that this particular month these would go out to a certain segment of that list -
Suzanne Dibble:
Uhmmm, yeah.
Andre:
You are talking about segmenting them. Then you would have to ask you, if you gave that job to me. You had a massive list and you said I can separate this out into this particular criteria. I would then do that, advise you of the criteria; then you would then say, as the main controller: Okay go for it and send it to the right kind of list. You might only say that once.
Suzanne Dibble:
Okay so the main controller, I think is where they jointly determine so I think it would have to be ... I mean certainly in the case of the ... I was going to say a joint venture; but then you would probably, the lists would still be controlled ... the data would still be within one of those companies. In the JV company. So I don't think that's ... Okay, I'm going to look into that a bit more and get some solid examples.
Andre:
Are you even sure that you can share those in a joint venture situation; even before GDPR because the data that I've captured ... you and I say here and now like we want to email our list, I'll give you all my data and you can do that. That wouldn't -
Suzanne Dibble:
I mean when I say joint venture I mean a legal joint venture. Which is probably very different to what makes people understand; where a new pair is formed and then two different companies and I own 50/50 in that joint venture. And we don't want to complicate it too much but if you had to in my privacy policy that would actually allow you share the date from the JV coup to the companies that own the 50% stakes under that privacy policy. But that's a bit -
Andre:
If we sell we join people then are data are joined; we got that in our privacy policy as well.
Suzanne Dibble:
Okay great. Well, that's a bit outside of the scope of this. So I will. I will probably do a separate video on Joint controllers. Is there anything else that you think form having had a quick look at the questions that the IT world was asking and community is there anything else that -
Andre:
I think that you've answered it in as much as ... there are things that people were really concerned with was I use a web developer in India, for instance; are they, he/she, a data controller or are they a processor? Or what are they? Who's in control of that? I think you answered that one in as much as you said about freelance. And now, the company that I use ... I use one company and I've had NDA agreements with them, a standard NDA with them, I've got standard working practices. So it's no big deal for us to say, write each other another letter to say: yes, this is what's happening with the data. That really is no big deal
It is when you go out on that hawk basis; say you've never met me or we are in a Facebook group like mine. You've asked me for help; you have no idea who I am, yet you've given me a login to your website. I am therefore in control of your data. So that's one of the things that I wanted to clarify.
Suzanne Dibble:
Well you’re processing it under the bare instruction.
Andre:
Exactly, but you still got access to the data and you can do whatever you want, basically.
Suzanne Dibble:
I think people are going to have to be a lot more careful about that. I absolutely agree.
Andre:
I have particular rules about people asking in the Facebook group for people to carry out work because there have been a few instances where people have been let down or how knows. But now; the actual owners or the controller of that data to make sure that the person they have put in charge of fixing that website or doing something with that website is actually a bona fide person. What this will do is take the rush out of to fix jobs.
Suzanne Dibble:
Yes.
Andre:
Quick fixes and all kinds of things like that, like WP curve or really big agencies that you sign up for 99 pounds a month or something and they will fix you a website in half an hour. They are going to have to have a GDPR declaration all over the place. And separate agreements and all that ... so yeah it's a mind full.
Suzanne Dibble:
What I will probably do what we talked about the terms won't they?
Andre:
Yes they will but they use freelancers as well. So from ... for us we use probably`12 freelances on a daily basis. It's very easy for us because they all work for one company. So the company is responsible for them. I am quite clear on that. I really appreciate this conversation. It's made me feel better.
Suzanne Dibble:
Not at all. I'm still doing more questions, but I have to look through the
Andre:
I've got a question. You can edit this as much as you'd like. But it's basically
Suzanne Dibble Speaker 1:
I think we need two minutes here, I was happy with that (laughing). Are you suggesting I need to edit it?
Andre:
Suzanne Dibble:
That's fine.
Andre:
That's fine, you are used to Facebook live as am I. I really find how I come across .. But the thing is that you have answered the majority of those questions from thread that I want to be sent; the questions that I'm getting asked by my customers as well as by the people within the Facebook group, who are also my customers as well, who are web developers that concern that they are going to get fined because they are the controllers and the processors and they just don't know who the heck they are.
Suzanne Dibble:
Yeah so in terms of liability, of course, what GDPR does do is put liability on processors which wasn't there before. So think it is ... Now when this kind of first appeared, processors like virtual assistants and people like that were in a panic because they thought what that meant; was they were liable for any non-compliance of the data controller. Now of course; that's not right. But to the extent that ... maybe there is a security breach at the processor end because they've not had the right technical and organizational security measures in place. Then yes, there is a liability on that processor.
I think processors need to ... What I'm going to add to my pack is a checklist for processors, which will be handy for both people who are processors and people who are controllers so that you can look through it and say: Okay what are the processor obligations under GDPR because it's wider than what are the contractual terms that we have to put in place between the obligations that come from different parts of GDPR. So that checklist is hopefully going in the pack this week. Tomorrow, hopefully.
Andre:
Is it a printed pack? I didn't buy it. I tried to get in cheap so I didn't get one.
Suzanne Dibble:
Well it's still fantastic value.
Andre:
I'll buy one, it’s a couple beer. I will buy one.
Suzanne Dibble:
It's basically when I set up the group I thought okay. I told people this information and people were like where we can get the privacy policy from, where can we get this from. I thought what I'd do is I'd clear up this pack and put in it everything that I think will help business to comply. So there's about 20 ... well, there's more than that because actually, I keep adding because I think oh that would be useful I added it to the pack. But people see twenty documents and think: "Oh my Goodness, I got to put 20 documents into place to be GDPR compliant" ... And of course, you don't.
The majority of small business owners you are going to need the privacy policy the policy, possibly the processor agreement and there are some helpful checklists. If you've got employees; then there is a whole pack of some important employee facing documents.
I just want to put in the optimum wording and your email refreshing consent and things like that. You data inventory that you need to do before you start.
Andre:
That's, I don't think that's hit on as often as it should be. Your data inventory. Where do you keep that, where do you store it. Do you store it as hard copy, do you store it as the electronic copy. That is the contract between say, developers, so I keep a copy of that contract. But also, how do I keep and also the mailing companies that help me a Mail Delight Mail Chip, they help me with the forget me forever and just delete me or whatever. They are also helping me recognize where your European customers are as well. So that's pretty cool. But, where do I keep my proof?. Where do I get my proof that Suzanne did sign up for my newsletter and she allowed me to send the 10,000 emails a week?
Suzanne Dibble:
Yeah okay, that's two ... explains two different things. The date of ... I am actually going to be interviewing someone who has produced an awesome tool for GDPR which includes a sort of data flow and data inventory and loads of more stuff and I am going to be showing people. It'd be more relevant to bigger businesses and maybe 10 to 100 employees and it's more of a professional company. So I am going to be interviewing him and working and showing people that tool.
It kind of will be simple. You data inventory; really, the purpose of that is first to inform your privacy policy because you can't complete your privacy without what data you collect, where it comes from, what you are doing with it, what the purpose is, etc.; if you haven't done that data inventory. That can be a spreadsheet.
Then you have to look at your obligations; keep records. That is in article 30. It specifies what records you need to keep. That's not as wide as you have to keep up to date record object and what you are doing with it. It talks about categories of data categories of personal data and this applies to processors as well, by the way. So there's a list of five things that processors have to keep good records of their processing activities. But this only applies to ... if you've got over 250 employees, it applies full stop. If you've got less than 250 employees then it applies unless the processing gets carried out is likely to result in the risks and the rights and freedoms of data subjects. It's not occasional and it includes special categories of data.
All personal data relating to criminal convictions. So I think I am doing a separate video on that.
Andre:
I've been through that.
Suzanne Dibble:
Yeah. But what that can look like, literally, I've been consulting with multinationals and they just have this huge excel spreadsheet basically that is ... it's absolutely enormous. In essence it"s an Excel spreadsheet. Now this tool that I am going to be doing in showing the groups depends on how fast you want to get about it and how ... like you said the scale and the processing of data that you are doing. But this tool is fantastic. That's the kind of record keeping that makes like easy, in terms of you get a data subject request and just click on a button and it's all there, kind of thing, you know?
So when obviously there are solutions for different sizes of business to do with data inventory. The other point you raised was about records of consent and we know that GDPR says that we need to be able to prove that we got that consent and on what date and where you got it and what particularly what you told them that you were going to do with the data at the time they consented.
Andre:
Yep.
Suzanne Dibble:
So for me I use Infusion Soft and Infusion Soft keeps a record of what the [was, what date they opted in and what time they opted in. So if anyone ever emails me and says, Oh you, I've not signed up for X; I will say: Well actually I can look back at the records and say well you did actually sign up for this on such day; and according to our privacy policy it says I'm going to send you this, this, and this. Would you like to opt out?
It depends on what system you are using, but a lot of -
Andre:
Made an announcement today that they aren't going to do that, and it's worked respectively as well. The only thing it won't apply to is if you've ... For instance had a website or you have been using a different mailing system. For instance, you were using Active Campaign, downloaded your data and then uploaded it to infusion soft. There's nowhere on this earth that Infusion Soft will know where that data came from.
Suzanne Dibble:
No that's where you got a risk if you migrated from one platform to another.
Andre:
If you've already canceled your active campaign group so what is your best advice in that situation?
Suzanne Dibble:
Yeah, we know that if they ... I posted a video just the other night after speaking to the ICO about this issue or do we need to get fresh consent prior to the 25th of May for Marketing purposes and if the consent is of GDPR standard of consent; then you don't need to get a fresh opt-in. One of the things that they are very hot on is having a record of that consent for exactly the reason that I said. If someone complains, you need to be able to say: Well actually, here's what you signed up for, here is what we told you we were going to do with our data, would you like to opt-out?
So if you haven't got that record of consent, perhaps because you've migrated to platforms or whatever; then legally you will need to go, if you want to market with the going forward, then legally you would need to go back to those people and ask them to re-opt in for Marketing purposes.
Now I say legally because in my day it's all the risk analysis. There isn't in this fast age protecting police force that's going to go around and a big guillotine isn't going to drop from the sky is we are not 100% compliant. But really it comes down to: Are customers going to complain, that's really you are going to be drawn to the attention of the supervisory authorities. Or it’s a competitor may be want to trip you up or you have a vindictive person that's out to get you or whatever.
So the safest route is, in my view, if you don't want sleepless nights, to go back and think if it as a really good opportunity to clean up your list. Refresh your consents and start on ... And I understand people's concerns you have a lot to… [ In the group about: Oh my goodness I've been away for 5 years and spent a lot of money on built my list of 10,000. But what's the point of having those 7,000 that don't open your list?. You're only impacting on the deliverability of the 3,000 that actually want to see your stuff.
So my view is, the safe thing to stop the sleepless nights is to get the fresh consent and then to take it a good opportunity to clear out your list.
Andre:
But it also sends a message, don't you think that you are willing to ask people to re-signup for your list. That you are getting, for all your ... 30% of our customers are European. Hundred percent of my customers in the UK are obviously Europe I give you an opportunity to one: say that we are GDPR compliant and you can also tell them surely why you are doing this
Suzanne Dibble:
Oh yes, absolutely -
Andre:
And if a customer isn't aware of GDPR, then maybe they might consent to you and what is this GDPR and how can you help me.
Suzanne Dibble:
We are extending this out slightly but I will mention it again, just because it is important. Firstly, existing customers; there's a chance that you might not need to get consent from existing customers. You could rely on their ground of processing of legitimate interest I the soft opt-in under PECR. So that's one thing. So you could potentially split out our customers and your non-customers.
The second thing to know is if you are established within the EU this applies to all of your data. Okay so it's not that you are just asking the EU people to re- opt-in you would ask everybody to re-opt-in whether that's the States, Australia, India wherever. If you are in the States and GDPR applies to you; then you only need to be thinking about the people in the EU Okay, that's kind of how it works
The other thing to say is that people, I think they might be thinking well I agree that it's a good opportunity to clean the list and get people to opt-in and all the rest of it. But the main one is people are getting opt-in fatigue. Because companies have left it to the last minute and it's like three weeks to go and suddenly we are getting hundreds of emails asking to opt-in, what can we do about that? So that is the risk analysis, isn't it?
Now in my day, I think that if you are asking for the opt-in, that isn't ... So there are two things that play here, one is GDPR and one is PECR. PECR is about sending unsolicited email marketing to individuals which include sole traders and partnerships. So it's not quite as simple as saying: Oh I'm a business so therefore I don't need to get consent because obviously there's a lot of people on your list who are sole traders and partners and it's pretty much impossible to try and identify if they are a limited company or not.
So PECR says you need to get consent from an individual for your email Marketing, unless the soft opt-in didn't apply. Which is essential, they've been a customer before. It's a bit more detailed than that but that's essentially it.
So in my view; if after the 25th of May; if you sent people an email that isn't a marketing email; it's just saying to them: would you like to opt-in for marketing purposes, right. Then there isn't a Marketing email under PECR.
And under GDPR, you would be emailing them under the grounds of legitimate interests.
Andre:
Compliance.
Suzanne Dibble:
Yeah.
So now the issue with that is that legally you would not be able to send marketing emails to them from the 25th May until whenever you thought all the fuss had died down and people haven't got "opt-in fatigue" before you send them that email asking them for the opt-in. Legally you wouldn't be able to send them those marketing emails in the interim.
But that's like oh my goodness, people have click fatigue thinking leave it a couple of months and get it then and maybe risk the fact that you've not sent any ... I guess you could send them value-based emails in that interim if you've ... and I am sure you would have legitimate interests to send them those value-based emails as long as you are always giving them the right to opt-out.
Andre:
Right.
Suzanne Dibble:
That that's another way of looking at it. So and also, I have posted a video last that, I had I spoke to the ICO about what a GDPR standard of consent means in order whether you did have that for the purposes of whether you get these re-opt- ins. I kind of felt they were softening their tone a little bit. So I think, you don't know which way to go do you; because you kind of what to get your re-engagement campaign and your opt-ins did before the 25th of May. Equally the ICO might be softening their guidance on that and you don't want to have this big sort of big opt-in campaign if two days before the 25th of May. The ICO would go oh don't worry you were right.
If you know where the consents came from you are okay, don't worry about it.
Andre:
That is the issue, isn't it. Not going to have 20 million people investigating all of the websites on the internet to see whether they are GDPR. They are going to go after the one with ... I'm going to imagine they are going to go after the big guys first, to make sure they comply and we know because we've received emails from the big guys that they are working toward compliance as well.
I think that is the issue, as long as we are working towards compliance. You have emphasized this time and time again. AS long as we are working towards GDPR compliance then we are okay. We've accepted that we got to be GDPR compliant; we are doing our very best to a small business. Some people are one man bands. Even your most competitively price GDPR guidance is out of their budget. They can't think of spending that kind of money on just getting advice and how much more advice do they need to pay for.
So that just does our best to comply and see if we do just get a slap on the wrist. The Data Controller from ... I keep forgetting her name, Denim, I think her name is -
Suzanne Dibble:
Yeah, it’s Denim.
Andre:
She is, you're right. They're softening their approach. They are saying, listen just do your best, basically.
Suzanne Dibble:
I think you are absolutely right and I have always said from day one that the risk of anyone in my group getting a fine is very, very low. I think people are rightly ... I don't want people to be worried, worried. But a little bit concerned about and what will prompt them to take action towards compliance is ... it's the sleepless nights, isn't it? Really.
It's the ... Is the customer going to complain about me? Is a competitor going to try and trip me up and what's ... and nobody wants ... I mean I don't think ... You'd have to be a very pissed off data subject to actually take you to court. But that's possible in the GDPR.
Andre:
Yes, well you have the legitimate reasons to do that. The courts don't want to be -
Suzanne Dibble:
Oh yes, you are absolute yeah.
Suzanne Dibble:
You need to send me an email, I'm suing you. It would get thrown out very quickly if it was a spurious claim. I think one thing is, you don't even want that sleepless night if that potentiality ... if you know you’re a small business and you're I got my privacy policy in place, I can do this. There are probably three for four steps they need to take. Take those steps and don't sweat the small stuff, you know. Get this sort of three, four, five steps in place then ... It doesn't matter so much about the... is it exactly 100% right. Because in most businesses; it's not going to be.
Andre:
And the advice I have… and if you have been through the ICO website like you have and some of it is still very ambiguous; but these are large amounts of data.
Suzanne Dibble:
Absolutely.
Andre:
I think 10000 emails is a large amount of data. But I don't think that they do. I think that's sort of the hundreds of thousands and the millions. The Facebook chat billion people
Suzanne Dibble:
Yes.
Andre:
People involved in that company, so I think small business we do have to calm down a little bit; but we also have to take an approach to every kind of directive that we have. We've got to pay out tax. We've got to charge the right amount of tax to people we are dealing with. We've got to abide by the laws of our country. GDPR is just another regulation that we've got to abide by. Like Health and Safety, like having liability insurance, it's a cost of doing business and I think that view on board and say I am in a business I've got to take responsibility. I pay bank charges. I've got to pay some money towards being compliant as far as data breach is going. That's the advice I am giving my clients. It's a cost of doing business. Time, a little bit of money, not too much money actually. There are some people out there charging immense amounts to keep compliant. But you know a little bit of time and effort and concentration on what you're going to do with data and thinking about how you would like our data treated. I think it would make it easier to comply with GDPR.
Suzanne Dibble:
Exactly. Wonderful we got a little bit wider than talking about IT services, but very valuable anyway so thank you so much, Andre, for coming on and sharing for a valuable hour. For a very busy man like I am a busy woman. So thank you so much for giving me an hour of your time. Feel free to show this. What your group is for -
Andre:
It's dealing with users
Suzanne Dibble:
I should be in your group I am sure I use a … thing.
Andre:
Well if you
Suzanne Dibble:
I know I will have to go and check it out.
Andre:
The recommended groups, I think what you are doing is phenomenal. We are going to be doing our own webinar as well. If I may ask you to be a guest for ten minutes.
Suzanne Dibble:
Absolutely, I'd be delighted. AS long as it is not I'm actually off to next Tuesday. So when I will be wind up in conferences for most of the day so if my schedule allows I will be absolutely delighted.
Andre:
A perfect answer.
Suzanne Dibble:
Thank you so much, Andre, I will no doubt see you in the group and maybe in your group. Thanks so much for popping by and sharing your thoughts with us and all that. Thank you so much.
Andre:
See you, bye.
