Transcript of the Video
Hello, hello, hello. Welcome to Wednesday’s live Q and A on GDPR, for those of you who are still trying to get to grips with it ahead of the regulation coming into force on Friday. Not that there is any need to panic whatsoever, of course. That is just the start of things to come, not the deadline.
Welcome, welcome if you're joining. Now, let me grab my iPad because I believe that I might not have been asking... Answering questions in time order, which is a little bit disconcerting, because that’s what I was trying to do. For anybody who wants to tell me how I can see the questions in time order, which would be amazing.
Someone seemed to imply that there was a way of doing something to my iPad so that the comments come in time order rather than relevance. If anyone cares to drop me a comment as to how I make sure that I'm answering the questions in time order, that would be great. Otherwise, if I don’t have any answers to that I'm just going to have to carry on and do it in the order on the iPad.
Let's see if anyone’s replied to that particular question, and actually none of the... Here we are, here we are. Okay. I can see questions at the moment but not any guidance as to how I might turn the comments so that they are in time order rather than relevance order. If I don’t see that in the next minute then I'm going to have to just work through them as they come up on the iPad; there's no other way to do it.
Thanks to those of you ... Well, thank you to Alice who posted about the Jeremy Vine Show talking about GDPR. I just phoned up at the last minute and said, “Do you want me to come on live,” and they said yes. I had a good five-minute slot with Jeremy Vine and gave a great plug for this group, which was very kind of him. They also said, “Can we keep your number,” do I explicitly consent to them keeping my details so they can contact me for further opportunities, and of course, I said yes. Thank you very much to Alice for posting that in the group.
If you hear of any other... Obviously this week GDPR is a hot topic, so if you hear of any other shows, radio or TV shows discussing it then let me know and I will just phone them up and say, “Do you want someone who actually knows about it to come and come on air.” Thanks for that.
I've not seen any comments about how to get your questions in any kind of time order, so I'm just going to go through them on my iPad. The other thing that I'm super excited about is Mary Smith, who is a bit of a Facebook guru, she was like one of my business heroes when I set up my own business 10 years ago, she is interviewing me this evening at 6 pm UK time on Facebook live on her group. I'm incredibly excited about that. Lots going on, but most importantly right now, our Q and A. Again, I haven't seen any comments about how we can change the order of the questions to time order, so I'm just going to through them. Welcome.
Hello Martin, you must listen in to all of my lives, thank you so much for being with us. Casandra says, hi there Suzanne. Hello Casandra. What is the situation in EU countries where I work with clients through a translator, as the client will share sensitive data with me through the translator? I have verbally confirmed with ones I've used before that everything they are told is confidential, but do I need a written agreement now?
The first question to ask is, is it personal data because just because it's confidential doesn’t necessarily mean is personal data. First of all, ask yourself that question. Secondly, if that translator is processing personal data for you, then according to GDPR you need a processor agreement in place with that translator that has various safeguards in there and contractual obligations on the translator as to how they will protect that data.
A processor agreement, or processor terms, if you want to take those and put those in a different agreement, maybe you’ve already got an agreement with that translator for the commercial side of those services, then you can add the processor terms into that agreement. Both of those, the standalone agreement and the terms, are in my pack. If you bought that, that’s there for you. If you’ve not bought the pack, then frankly, what are you waiting for? The details for that are in the pinned post.
Luke says I work for an armed forces charity ... Brilliant, well done Luke, that’s fantastic. We support families of the fallen. We carry out support projects such as gardening work and general decorating, plus we supply remembrance benches and fire pits. Lovely. The families we support contact us initially for this, and we obviously keep all the details on file.
When it comes round to doing the support project or delivering the bench and the fire pit we then contact them via email or a phone call to arrange a date. Also, on Remembrance Day or at Christmas we send them a card in the post. Do we need to send them all an email or text message to ask for their permission to contact via email or phone call?
No. I would say that if they're contacting you initially then that would absolutely either fall under the contract ground of processing or legitimate interests, so no. As long as you're not gathering all that data up and selling it, which I'm absolutely 100% sure that you're not doing that, then no; you wouldn’t need their permission to contact them if all you're doing is doing that charity work.
Now, fundraising is a slightly different issue, but if you are just doing the actual charity work itself then that’s brilliant, you need to. In theory, you should be revising your privacy notice and telling people what data you're holding on them, what you're doing with it, if you are transferring it to a third party, maybe you’ve got suppliers that you need to transfer that data to, then that should all be in your privacy notice or privacy policy. I use the words interchangeably.
In theory, you should have that in place, Luke, but doing what you're doing I really can't imagine that anyone is going to complain about you not having one and you getting in any trouble about it. If you do want one, there's one in my pack. For charities, we did do it for free. I'd love to be able to give the pack for free but obviously there is administration involved in that in checking the charity number and the registration number and then sending it out, and we had to create a whole new Infusionsoft form to facilitate it and make sure it all got sent out right, and everything. Plus, as soon as we announced it literally about 3,000 charities got in touch. The charity grapevine is obviously very strong, but we are now supplying it for £50, Luke. If you feel that your charity needs that, the pack, then email [email protected] and you can get that pack for charities for £50.
Marco says, thanks very much for providing us with such great support. You're very welcome Marco, thank you for your kind words. Is consent needed when asking for customer feedback? No. I would say that falls under legitimate interest. Now, remember with the legitimate interest, it's, here is my disclaimer, it's a gray area. I'm giving you my thoughts on it, but whenever you want to rely on legitimate interest then you need to do your legitimate interest assessment; it's a balancing test.
There is a form for it, an assessment form in my pack, that you can go and use. You're effectively balancing your legitimate interests, the expectations of the person you're sending the information to, and then there are a few other little tweaks as well. Essentially, you're doing that balancing test, making sure it's okay. You're basically taking responsibility for looking after the interests of the data subject.
You must carry out that legitimate assessment form analysis I suppose, keep it on a written form and keep that on record. When I say, I think it would be a legitimate interest, that’s my shorthand for you going and doing the exercise and deciding based on the totality of your facts that that is actually appropriate for you.
Laura says, I don’t do any marketing but want to start sometime soon. Is it okay to write my privacy notice as if I have already... As if I already have this form, in marketing, or should I add this in when I start marketing? Do I need to have any clause saying the privacy notice is subject to change? Yes, you could have it so that the privacy notice anticipates you using data in that way.
You could change the phraseology of the privacy policy to say something like, we will... We may from time to time use your data for the following, and then list it. That’s all in the privacy policy that’s in my pack. Do you need to have a clause saying the privacy notice is subject to change; no you don’t actually have to have that. It's just a privacy notice, it's not an agreement, and so you can say that if you want to, but you don’t need to.
Carlo says, do we need a processor agreement with our email service provider if they are part of the privacy shield? Yes, you do. There are two separate things, a processor anywhere, whether they're in the EU or outside of the EU, you need a processor agreement.
Then aside from that, as a completely separate issue, you look at whether that processor is inside the... Sorry, I just had a very strange little message flash up on my phone that I've never seen before, which I don’t know... I don’t always go on there anyway, it seems to have sorted itself out. If your processor is outside of the EEA then you have to look to this additional level of safeguard of that data.
If the processor is in a country that has an adequacy finding then you can transfer freely to that processor with just the processor agreement in place. Remember, there's... The process agreement doesn’t need to be standalone, it can be terms that you incorporate into an existing agreement, and both of those options are in my pack.
If the processor is not in a country that has the adequacy finding; there's about 11 or 12 of them, some of them are quite random, the ones that you would typically ... Well, more rather be dealing with is New Zealand, Canada, and Switzerland. There are some really random ones, like Uruguay and the Faroe Islands. The US is not a country that has an adequacy finding in totality.
In the US there is this privacy shield certification where individual companies will sign up to the privacy shield, and there's only about 4,400 of them across the states. Now, if your US processor is part of the privacy shield then you can transfer data freely to that US processor, but you still need the processor agreement in place because that’s a separate issue.
Now, if your US processor or whoever else, is not... There's no adequacy finding, not part of the privacy shield, then you're looking to the next level which is you would look to put... If you were within the EEA, the data controller is within the EEA, then you would look to put standard contractual clauses in place between the data controller and the processor. Those are in my pack as well.
The issue that we have at the moment with standard contractual clauses is that they don’t anticipate a US controller because they were put into place when the GDPR didn’t have the... Before GDPR and data protection laws didn’t have the extraterritorial scope that they have now, where countries outside of... Companies that are outside of the EU are brought into the scope of GDPR.
Model clauses won't work with a US controller and a US processor. You then need to look at the derogations, one of which is explicit consent, another of which is contract, there's probably about five or six more but they are the two main ones... Or I think there's a legal one as well, but they're the three main derogations. In answer to your question Carlo, yes you still need a processor agreement as that part of the privacy shield.
Elaine says, I'd like to add processor clauses to my T’s and C’s rather than having a separate processor agreement. Can you quickly go through what to add, is it all of the standalone clause? Elaine, if you have bought my pack, there are standalone clauses in there. I'm not sure if they're in module two or whether they're in the additional material section at the bottom of the pack. Check out both places, but they're in there. The standalone clause, you need all of those in there. That is the bare minimum of what you need to include. Where in the T’s and C’s should they be added? No magic to it, wherever is a logical insertion point in your T’s and C’s.
Lucia says... What a lovely name, Lucia Garcia Alvaraz. I wish I had such an exotic name, that’s a wonderful name. I might change my name to that ... I want to say, Lucia. Is it Lucia? I don’t know. Lucia, can I call you Lucia? Thank you for hosting this Q and A Suzanne. You're very welcome, thank you. If we’re collecting emails asking for consent and we also collect information from our clients, who we sell services to, should we choose consent or legitimate interest to cover all of these? I've heard you can only choose either or, not both. I'm not sure which ground of consent would fit better.
If you look in the file section of the Facebook group I did a note on re-consent, and that gives a steer for email marketing as to whether the ICO says that it is legitimate interests or consent. There is, I think, a link to the ICO materials; it's a table, and it tells you if you send email marketing to corporates is this okay under legitimate interests; yes.
If you send email marketing to individuals and the soft opt-in doesn’t apply, is this likely to be legitimate interests; no. If you send by post is this likely to be legitimate interests; yes. It's really about the interrelationship and the interplay between GDPR and PECR, which governs unsolicited email marketing. If you haven't seen that yet, then I recommend you go and take a look at that.
Tyne; Tyne, what a lovely name. Tyne says, a bit confused ... No, I'm banning the word confused from the group and from these Q and A live sessions. We’re not confused, we’re just at different stages in our learning, okay. No more, “Oh my goodness, I'm really confused,” emails. We are just at different stages in our learnings. There's no panic, there's no guillotine going to drop from the sky on Friday; we are just at different stages in our learning. We are not confused.
We are also not confused because we are getting our sources from 10 different people who are saying different things. Choose which source you want to go with and stick with to that one and cut out all the rest of the noise. That will help you. Tyne says... I can't read it, I can't read the word, a bit confused; I’ll have to paraphrase it.
Tyne has read that cookie banners have to be able to stop cookies being launched until the consent is given, also, that records of the consents given need to be kept. However, I haven't seen you mention these, and you say that it won't be till next year that we need to be more specific about cookie matters. For now, a simple banner and a cookie policy and a privacy policy will do, which is right.
Okay, Tyne, you’ve clearly heard my view on it, so it's up to you to decide which one you want to go with. Certainly, in my view, with cookies there is... Cookies are brought within the realms of GDPR, and because of the reference to online, identifiers in the definition of personal data. If we decide that we need consent for that, remember the grounds of processing, but if we decide that we need consent for that then there has to be a freely given affirmative action that’s clearly informed.
Now, in my view and in the view of lots of other lawyers, the affirmative action is continuing to use the website after you’ve clearly informed them that you're using cookies and giving them clear details that they can adjust their browser settings if that’s what they want to do.
Now, obviously people who are selling cookie pop-ups are going to be saying that you absolutely need to have a cookie pop-up, and even going further and saying you need to stop the cookies firing before people click on that popup. Now, PECR also governs the use of cookies and consent, getting consent to cookies, and as we know that is being revised at the moment. It is possible that in the future that we will need to stop the cookies firing before the consent to the pop-up, whatever, and have more of a process around it.
For me, I am happily having my cookie policy on a banner on my website that is prominent, it's not hidden away, it clearly tells people what they can do and I'm happy with that. Tyne, if you want to listen to that, that’s great. If not, then go and listen to whoever else.
Jenny says, can you ... Hello Jenny? Jenny was in my very first ... Was it first or second mastermind, and Jenny is an awesome ghostwriter. If you want to write a business book and you haven't quite, or indeed if... I think you do fiction as well, don’t you Jenny, then go and speak to Jenny because she can help you with all that.
Can you explain what the difference is between collecting sensitive data and normal data? Is it possible to process sensitive data using one of the other criteria than consent, such as the fulfillment of a contract, without obtaining explicit consent?
I've done a number of videos on sensitive data and it is a complex area, but if you are processing sensitive data then dig a bit deeper and go and listen to the videos that I have specifically done on sensitive data. Essentially, what article nine says is that if you're processing any sensitive data, which is personal data revealing, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an actual person, data concerning health, or data concerning an actual person’s sex life or sexual orientation shall be prohibited.
Then it says that paragraph shall not apply, i.e. the prohibition shall not apply if one of the following applies. The first thing you have to do if you're processing any data is to have your lawful ground of processing, and we know there are six of those; consent is one, the contract is one, law is one, legitimate interest is another, vital interest, and public interest. You’ve still got to have one of those initial grounds of processing, and then you also have to have one of these next level conditions.
There are... How many of them are there; 10. I'm not going to read all 10 out. The explicit consent one is... Basically, this prohibition against processing sensitive data shall not apply where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where member State law provides that the prohibition may not be lifted by the data subject.
What that’s saying is that member States can amend these derogations, and indeed in the data protection bill there are a fair few exemptions on that. I will... The data protection bill is like 300 pages long and it's very complex because it keeps referring back to the GDPR, and etcetera. What I will make time to do at some point is do a video on those derogations that are under the data protection bill, which obviously for those of you who are outside of the UK, where it applies to you; that’s just a UK law.
Although saying that I did read actually saying that... I’ll take that back. There is a little tweak on the territorial scope of the UK law and I’ll do a video on... Let's write this all down. I have this list as long as my arm as to things that I need to keep talking about. Hang on a sec... A video on the territorial scope of data protection bill. Right, that’s added to the list. Okay.
Explicit consent is one. The next is... And there is an employment-based exemption. There is a health-based exemption, which I've already done a video on. Jenny’s question specifically, Jenny, is it possible to process sensitive data using one of the other criteria than consent, such as the fulfillment of a contract? I think I've answered that question, Jenny, in that it's not one or the other. You have to have a ground of processing under your normal grounds of processing and then you look to the extra conditions. I hope I've answered your question there.
Gareth says, do we have any further clarification on the cookie stuff? Just talked about that. Donna says, Hi Suzanne, I've purchased your program and I am impressed. I'm helping my clients with GDPR and helping them with the privacy... It's not a question; it's just a nice comment; thank you Donna, and helping them with the privacy policy. I've found this very helpful to use with different businesses, very easy and user-friendly. Thank you. Good, excellent.
Donna, I hope that your clients have actually bought it for themselves and you're not using it for like 50 clients. The deal is with the pack. If you’ve got a few businesses yourself then I don’t mind, use them for one or two or three businesses, but it's not for use with your clients. If you want to use it with your clients then, by all means, sign up for an affiliate link, and you can. I think some people because clients are just sometimes rubbish at this kind of stuff. I think some of your consultants have signed up with your email address but you put in their name and company name. You can do that, but I need their records for our licensing purposes.
Casandra, can you ask another question? This is a little bit cheeky. Let's see if it's quick. Is it okay legally to add a simplified friendly, not legally checked intro and summary above our privacy policy referring to it? Yes, by all means. The GDPR just sets out the mandatory things that you need to include in your privacy notice, but if you want to add a bit of humor to how I say it at the start of your privacy policy, then that’s absolutely fine as long as you're not going against something that you're saying in the legal stuff, obviously. If you want to soften it a bit, in terms of the intro and the little end bit or something, that’s absolutely fine.
Luke says that’s great, that’s saved me over £400 worth of emails and texts. Good. Saying that Luke, what you should... Just to go back on the question, I think you were asking about re-consent, weren't you, is that right? Let me remind myself. Yeah. Luke, in theory, you should be letting people know about your new privacy notice. I would say it's always a risk analysis, isn't it? I think on your next communication with people I would just opt... Certainly, if you’ve got a website put your new privacy notice on the website and in your next communication with people direct them to that new privacy policy.
All right, where were we? Muriel says, Hi Suzanne, we are about to kick-off... I don’t know why I've got these sunglasses on my head…better. Hi Suzanne, we are about to kick-off various projects that involve clients and external data processors. Clients were unaware of GDPR, so we've issued them with a data controller agreement and of course with the processors too, but it's unlikely we’ll have them in place by the 25th of May.
If you’ve got a question there Muriel, then do add that on. If I'm guessing the question, is this a problem; that you're not going to have it in place by the 25th of May, then no. You are working towards it, there is no fast data protection police force that’s going to come around on the 25th of May and get you in trouble for not having done that.
Obviously, you’ve got to look at the risks involved and hopefully what you're also doing, as well as these contractual protections, is also due diligence on the processors and also helping the clients to become GDPR compliant. You just need to think of the risks of what's possibly going to happen if there's a data breach between the 25th of May and whenever you put these agreements in place, then what are the likely consequences of that.
Kay Lacey says, not sure if this posted before as I have tech issues. Do you agree with this assumption by other lawyers regarding journalism and media exemptions, a requirement of the GDPR is an exemption to protect the human rights of free expression, information? Other lawyers have interpreted this to mean that journalism reasonably believed to be in the public interest supersedes other rights as GDPR has put the onus on member States to provide exemptions. Lawyers have decided that the provisions of the 1998 act currently apply and GDPR will continue them.
Yes, Kay. That will be in the data protection bill. When I read it, I do remember reading about... I can't off the top of my head tell you exactly what it says and I'm not going to hold up the call while I wade through 300 pages to find the right place, but yes I believe that there is an exemption for journalism. When I get round to doing my video on the exemptions I’ll include that.
Brian says I'm really worried... We don’t do worry in my group Brian. We are a positive support based group that is just at different stages in our knowledge, nothing to panic about, nothing to be confused about. We are just at different stages in our knowledge about GDPR. I don’t target EU, but not sure what I need to do.
Brian, so the first thing to do is work out whether it actually applies to you. Go and watch my video on territorial scope. If you go to the files section of the group, there is a post that lists all of the videos that I've done and with links to them. Find the one on territorial scope and have a watch of that, and then get a hold of the free checklist, watch the overview video and you'll feel much calmer.
Camilla says, hello amazing lady. Hello Camilla, my new favorite best friend. I'm sure you're very amazing too. Want to buy your GDPR pack, I'm a processor in my role as a social media manager and will need to provide my clients with a privacy notice, right? Yes, right, you will need to do that. Do I give clients a processor to controller contract too? If I buy your pack, will this cover me for the future? If there are amendments to the info in the pack how would I keep my contracts up to date? Do you ever sleep? Thank you, the GDPR journey is fascinating, that is my favorite question of these lives Camilla. Thank you to that.
Do I ever sleep? Yes. First question; processor agreements. The controller is... There is an obligation to only use a processor who is compliant. The GDPR doesn’t actually say in so many words that it is the controller that has to give the processor agreement to the processor, but that’s kind of what people have taken that to mean; it is the controller’s responsibility to use processors who are compliant.
However, lots of processors have... If you're a processor and you have lots of different clients who you are processing for, you're not going to want to have 20 different variations or more of a processor agreement. Yes, you can be proactive about it and you can send the processor agreement to your data controllers.
Now, people have said, “Oh, does this mean I have to change the wording to the processor agreement in the pack?” No, you don’t. It's absolutely fine as it is. They say, “Oh, does this mean that I've got to change the parties order so that the processor comes first and the controller comes second?” No, it doesn’t matter. You can change it if you want, but it has no legal effect whatsoever. It doesn’t matter which order the parties are in. You can use that one if you want to give it to your data controllers.
If there are amendments to the info on the pack, how do I keep this up to date? That is a very interesting question and one that I'm going to post about tomorrow. When I... Well, I’ll give you a little sneak preview now. When I sell the pack, it's just the pack, because 197 quid for 20 plus documents and all this free stuff that I'm doing in the group, I personally think amazing value, and so… the pack. Obviously, there are going to be changes coming up, and so what I've decided to do is to, as a freebie, I'm going to include updates for a year, and this I think is entirely ... I think it's great for you, I think it's also very reasonable to me because there's going to be a lot of changes coming up within the next couple of years.
PECR is changing obviously, so that’s going to impact on stuff. What we are going to be doing is that there will be free updates for a year, and then after that people can continue to subscribe for a very low annual sum. It won't be a recurring charge. We’ll be asking you if you want to do that. I’ll be putting a post in the group and also emailing people about that in the not too distant future.
Dave says, do I need to pay a data protection fee to the ICO if I collect email addresses and market to them with the aim of selling digital downloads such as music and software? The first thing to say is that some people think that if GDPR applies to you all you need to do is go and register with the ICO. That couldn’t be farther from the truth.
Registering with the ICO is one element of the data protection framework that we have now. That is now changing so that the... We’re moving away from registration and putting onto a public register what we’re doing with our data and we’re moving to internal accountability.
That whole process of registering with the ICO is being phased out and in its place, when the ICO realized that all of their revenue was going to be cut off when the registration fee was taken away, they're now implementing a controller charge which is funnily enough is a very similar price but a little bit more than the existing ICO registration fee. It's going to be £40, rather than £35.
If you're already registered with the ICO, and that’s 12 months, then that will continue in place and then when that expires you will go onto the controller charge. I suspect that what they will do is that at the moment we have... There is a page on the ICO website where you go and you do a little online quiz, although it's not quite exciting enough to be called a quiz but answer a series of questions; do you do this in your business, do you do that in your business, and then at the end it spits it out and says yes you need to register or no you don’t.
I suspect... From what I've read on the controller charge, it's very similar but a little bit different, so I suspect they're going to tweak that slightly and have that on their website so that people will be able to go through that similar assessment and find out whether they need to register for the controller charge or not, because not everyone will need to do so; it depends what you're doing within your business.
Fiona says, hello Suzanne. Hello Fiona. I'm just getting to address my bot list, awesome. Haven't managed to get to grips with my bot list at all, Fiona, so well done if you're using bots. I use a double opt-in for all subscribers and mini chat which has added a feature for users to download. Do I need to notify the subscribers about my privacy policy? I use my broadcast to alert for Facebook live and supporting with free technical info.
Do I need to notify subscribers about the privacy policy? This is interesting because is that data held on Facebook, or are you in some way storing it on your own systems, downloading it, using it; I don’t know actually because I don’t really... We kind of set it up but we haven't really got to grips with the bot. Do you know what I mean by the bot? It's like the Facebook message bot that people are using. Some of you have signed up for mine but we've just done nothing with it because we are not entirely sure what to do with it.
Do you need to notify the subscribers about the privacy policy? I don’t know enough about how it works, but basically, if that data is on the Facebook platform and you're not a sort of getting it down, downloaded to you, then you don’t need to inform them of your privacy notice. That’s Facebook’s data and Facebook has done all that. It's when you download it that you would need to in some way communicate that to them.
Actually, I've just seen Fiona’s reply there, she's saying, “Yes, but some can download.” Okay, the information that’s downloaded then you would need to give them the privacy policy at the point of download or soon thereafter. You could, I suppose, in theory, give it to them right up front when they're signing up for the bot. I don’t know how the technology of that works, but the thing with privacy notices is that you have to provide them with that information at the point of collection of the data.
Delif, I hope that’s how you pronounce it, Delif, says the indemnity clause in your data controller process agreement is written strongly in favor of the data controller. Yes, it is. As the data processor, can you help please with equivalent words in which protects us to the maximum extent possible?
Indemnity... I just noticed I've got a bit of hair sticking up there. With the data processor agreement, the one in the pack at the moment has clauses that are highlighted that you don’t need to have in there and that if you're a processor you might want to take them out because they are in favor of the data controller. If you don’t want to include the indemnity, then you take it out. It depends on the negotiating position between the parties.
If you want to put an indemnity in on the data controller, then... I don’t know. Delif, what is the data controller indemnifying you for? You're not liable if they mess up in any way. I don’t know. Delif, why don’t you message me a scenario that you're thinking about and I can give that some thought. At the moment I can't think of why the processor would need an indemnity. Interesting point, Delif. Message me about that one.
Suzie says, Hi Suzanne, we are a print company, one of our customers turns business cards into stickers for their clients then forwards them to us to be printed. As these often include names, addresses, phone numbers, etcetera, is there anything we and they need to consider for GDPR compliance?
Okay, Suzie, this is a general kind of here's my business, how do I comply, which we don’t do because obviously there's 30,000 in the group and if we did that then we wouldn’t have got very far. What you need to do Suzie, if you haven't already, is go and watch the overview video that’s in the files section of the Facebook group and also get a hold of the checklist, the free checklist.
If you read the pinned post in the Facebook group and work through that then you'll be able... It's a really good idea for all of you who are new to the group, you really need to get a basic understanding of this so that you understand what it's all about because we can answer your one-off questions but what happens when you have another 10 questions. It's a really good idea to get to grips with the basics of data protection law and what this is all about. I'm not going to answer your question there Suzie. I think you need to go and work that out.
Actually, Suzie, if you're talking about you as a processor then the extra things that... You need to think about it in terms of you as a data controller, so in terms of you using your customer data and what you need to do there, then in terms of you being a processor, if you're a printer, then you also need to think about putting a processor agreement in place with your clients, you need to think about security of that data, etcetera. Start with the pinned post, work your way through that.
Lucia says, thank you, I wish... Or, Lucia says, thank you, I wish I had your name. You really don’t honestly. Can you imagine the teasing I got at school with the name Dibble? My favorite rhyme was, Dibble did a dribble on the kitchen floor, Mrs. Dribble wiped it up and Dibble did some more; very childish use of my name, Dibble and dribble. I still today get called Dribble, and I have to point it out that actually, it's Dibble. Thank you for your kind words anyway, Lucia. Also, those of you who remember Top Cat, do you remember Top Cat and officer Dibble? I have quite a few teasing about that, in my youth.
Florian says I have a client in the US who provides hosting services. We maintain their server and therefore have access to her client’s information. Do I also need consent from my client’s clients? If your client is in the US... Hang on. You’ve got a client in the US who provides hosting services and you maintain their server. Okay, so we’re talking about the US client’s clients information.
Firstly, is that... If the US client is the data controller then is that client’s information about data subjects within the EU, because if it's not then that US client is outside of the scope of GDPR. If they are not intending to provide goods and services to people within the EU and they're not targeting the behavior of people in the EU then GDPR won't apply to them. That’s the first question.
If you're a processor, I think this is the question here, but if you're a processor you don’t need a lawful ground of processing from the data subject in order to process under the instructions of the data controller. You're borrowing the lawful ground of the data controller in order to do the processing, okay. You don’t need to have an additional lawful ground in order to do that processing. I hope that makes sense.
Carlo says, can we collect emails from people who are requesting to join our Facebook group and transfer them directly into our email service provider without a capture page? If yes, how should we word the email request? Now, this is an interesting question. What I do at the moment, obviously we've been running Facebook ads to people on Facebook and inviting them to join this Facebook group, and when people sign up for the Facebook group we say, “Do you want to receive our free checklist?” Sarah says, “You're more Top Cat than officer Dibble in my book.” I did like Top Cat, thank you, Sarah.
When people apply to join this Facebook group, Facebook gives you the ability to ask three questions, really, which are designed to stop spammers. In those questions I say, you might remember when you signed up for the group, “I say do you want to receive our free checklist? If so, enter your email address,” so I'm getting the email address at that point.
I have a software tool called Group Funnels, fantastic bit of kit because my virtual assistant in the Philippines was literally spending all week manually... We were taking screenshots of those email addresses and then typing it up and then sending people the checklist that they'd said they wanted to make sure that they got it straight into their email inbox. This software called Group Funnels which basically with one click of the button does it all for you, which is fantastic.
Obviously, I've been collecting that data pre-GDPR, but if I were to do that post GDPR then what I would do is I have got my affirmative freely given consent for me to send them the checklist. I will send them the checklist, and then in that email when I send them the checklist I will say to them, as a PS, “By the way, I hope you enjoy this checklist and think it's amazing. If you want to hear anything more about GDPR, including updates on enforcement, updates on PECR, updates on this, that and the other, and I might send you details as to how I can help you or discount codes or things like that, then sign here, then click here,” and I'd be getting my opt-in at that point if I decided that I needed consent as my lawful ground of processing.
Remember, PECR at the moment... I don’t know where you're based Carlo, but PECR at the moment only applies to EU businesses but next year it's likely to be extended to the same scope as GDPR. For those of you who are in the EU, we need to also think about PECR, sending unsolicited email marketing to individuals unless the soft opt-in applies. Done lots on that, if you're still not up to speed with what that’s all about then go and look at the... There's a note on re-consent in the files section, or there's a number of videos on the soft opt-in and PECR.
Carlo, if you're outside of the States... Sorry, if you're outside of the EU, maybe in the States, then I think... Decide what your lawful ground is. You might decide that you could rely on legitimate interests to send that direct marketing, so do your legitimate interests assessment, look at the re-consent note and all the other stuff that'll help you on that.
Then if you do decide that you're going to rely on legitimate interests then when you send them that first email, once you’ve downloaded the details from Facebook, then you'd be reminding them of their right to object to the processing, which is essentially an opt-out, and sending them details of your privacy notice. Okay. I hope that all made sense. It's quite a complex area.
Matt says... Actually I'm just going to have... I have to have a swig of tea. Hang on. Matt says, as a WordPress theme company in the US customers give us access to their websites in order to resolve support issues, this may contain personal data. Therefore, I interpret this as the customer being a controller and us being a processor. I'm trying to incorporate the standalone processor clauses into our terms of service, but many are incompatible with the nature of our business. What should we do?
The areas of incompatibility are we access their site and may make changes. We do not keep backups of their data; that’s the responsibility of the customer, so could not restore it in the event of a physical technical incident. We use sub-processors and contractors who are outside of the EEA; it's unreasonable and unrealistic to list out the names of these people and inform the customer whenever we hire someone new.
You're a WordPress theme company, customers give you access to their website, yes, so you would be a processor. Yes, I agree with that, Matt. Let me just have a look at the processor terms. Now, have you checked Matt... I haven't got it with me, or have I, have I got my little pack of documents here? Hang on. I do. One second.
Let me find my processor agreement. Well, they're actually saying that the printed version doesn’t actually show the highlighting, but let me just see. We access their site and make a change. We don’t keep backups of the data, right. Does it actually specifically say that you have to keep backups? Okay, I'm not going to... I can't search this quickly enough, but basically... Matt, are you looking at the... I think you do, so you're looking at the standalone. Are you looking at the standalone? Yes, you are looking at the standalone processor clauses.
They are mandatory. If it's... I'm not sure that it says you have to keep a backup, it's more about putting in place reasonable technical and organizational measures to protect that data. I’ll have to... Let me make a note of that, another thing and I’ll come back to on it. Hang on, backups. What's your name? Matt Frost. Okay. I’ll get back to you on that Matt. Good question.
You use sub-processors who are outside of the EEA. It's unreasonable and unrealistic to list out the names. Yes. I think you can get a general authority or a specific authority for sub-processors. There's a note on that in the processor agreement. Obviously, you will want to go for the general authority.
Richard is saying, suppose someone else assures you that backups are being made? I don’t know, I’ll have to look into that further, Matt, and I’ll do a post on that. For memory, I'm not sure it specifically says that you need to keep a backup; it's more about the overall security and technical and organizational measures to keep that secure. I’ll get back to you on that. Sorry for the long question there, and the long thinking time, but that wasn’t... It's not often I get questions where I'm like, “Oh okay, let's think about that,” so thank you.
Gareth says that’s about the cookies. Byron says, how enforceable is GDPR? They're not going to bother, don’t worry, it's all fine. Ignore it. No one is going to enforce it, don’t worry. I'm joking. Obviously, I'm joking. How enforceable... This is a good... I'm being a bit there, but it's a good question, isn't it, how enforceable is it. You might be outside of the EU, so that’s, in fact, more of a sensible question.
The answer is, we don’t know. We know that the ICO, I think they're getting an extra 200 enforcement staff, so that’s clearly something that they are taking seriously. The fines going up has reflected how all of the European, including British authorities, are taking it seriously. Obviously, with the Facebook issue, they are investigating Facebook, we will see the end result of that and see whether there are any fines, etcetera, but we don’t know... We've got a crystal ball.
The real risk for me is, my concern and small businesses concerns, shouldn’t be really thinking, “Oh my goodness, I'm going to get a €20 million fine,” or in Facebook’s case it would be a 109 billion as a potential maximum fine based on their last year’s turnover, but more about brand reputation, about disgruntled customers taking action against you, about sleepless nights, etcetera. It's a risk analysis, isn't it? I've said this all the way through everything I've done in this group.
I’ll tell you what the law says, it's for you as a commercial organization to do a risk analysis and see what you do and what you don’t do. I can't answer that question, Byron, because I haven't got a crystal ball. Certainly, the worst breaches, they're going to investigate, aren't they? If you send an email out and you’ve got a large number of subscribers and they're not happy about it and they complain, then chances are you will get investigated. Again, does that mean 100,000 subscribers, does that mean 50,000, does that mean 10,000, I don’t know; it depends on what you're doing that’s going to piss them off.
As a web design agency, this is Byron’s rest of his question, as a web design agency our clients are asking about opt-in and out cookies and how they can set up their GDPR compliance but we can't advise legally. No, you can't. I talked about cookies earlier, so hopefully, you heard that. There's also a video that I did ages ago on cookies and consent, so have a watch of that too.
Good afternoon Richard Finchen, nice to see you. Kirsty says, in your two-hour training video you said processors should get written instructions from controllers before processing. I'm a freelancer who does regular work for a client where I perform a certain role and do the same tasks, such as sending out the monthly newsletter. I think there's a question in there Kirsty, but it'll be really helpful if you could actually put the question in and not just the circumstances.
What I'm imagining your question is, is that you're saying do I need to get written instructions every time you do that repetitive job, and the answer is no. If it's within your scope of work and you have, maybe there is a schedule in the freelance agreement that says here's what you're going to on a regular basis, then you don’t have to go and get written instructions each time you do that regular task. If the scope of that extends, then make sure it's documented.
Mabel says, thanks for the GDPR pack, really useful. Thank you, Mabel, I'm glad it's been useful. I didn’t quite understand your explanation about the processor agreement, I thought that if my email marketing provider, MailChimp, was GDPR compliant and had the privacy shields and I'd taken the trouble to check they were compliant and had documented that, that was all I had to do. No.
The privacy shield is one thing, a processor agreement is another. What people like MailChimp have done is MailChimp is part of the privacy shield but they’ve also amended their user terms or put in place an addendum which should hopefully, I haven't checked it... But they're saying they're GDPR compliant, so you would hope so, that amendment or that variation to their terms would effectively put in place the processor clause.
I'm not saying you need to send the processor agreement to MailChimp, because they won't sign it, because they’ve got hundreds of thousands or if not millions of customers around the world and can you imagine if they had to sign a processor agreement for each one, but what they will have done is an addendum or amended their terms of use. Tyne is saying he won't use the word confused again. Good, excellent. Thank you, Tyne.
Jennifer says, the advice I heard on another webinar... Okay, seeing as Jennifer wrote some very nice things about me the other day, thank you, Jennifer, I’ll answer it. If you have a freebie and you want to put the person on your list and say, “Just sign up for my list and you'll get this bonus,” as long as you lead with the list you're good... Yes, I agree with that, otherwise, you need consent to give the freebie and for them to remain. Is this true? Can we give people a bonus so we don’t have to get them consent to be on our list?
Well, the first bit I certainly agree with. If you say, sign up for my newsletter which includes discounts, promos, etcetera. And, by the way, you get this amazing free report for doing that,” then I think that’s fine. I've done a video on that or a couple of things on that in the group. Otherwise, you need consent to give them the freebie and for them to remain; yes, if you’ve decided that consent is your lawful ground of processing for that.
Don’t forget there are other grounds of consent. Sorry, I've said it myself now, there are other grounds of lawful processing, and it might be that you decide that it's legitimate interests, particularly if you're outside of the EU you might decide it's legitimate interest, but you have to do the legitimate interest assessment and have that documented.
Can we give people a bonus so we don’t have to get them to consent to be on our list? I don’t understand that question, but in terms of if you're trying to avoid consent, then look at legitimate interests. If you're outside of the EU, PECR doesn’t apply to you at the moment. Can you incentivize people? Yes, in my view.
Richard says Suzanne is... I think this is a note for Byron, Suzanne is careful to describe her content as guidance rather than advice. It seems the difference is important. Yes, it is. If I am giving you... Firstly, advice implies in some way that people can rely on any of this. As per all the disclaimers that I have everywhere, you can't, because I don’t know your 100% circumstances, would love to but unless there's a new technological way of plugging me into all of your knowledge and experience in your business, it's not going to happen.
Obviously, when I work one to one with my clients we have an engagement letter, it's all regulated. I sit down with them, we talk about the ins and outs of every aspect of their business and then I give them legal advice. What this is, is education, is training, and it's guidance. Thank you, Richard, for bringing that up.
Hey Mitch, that’s about the cookie thing. Martin, what is your take on the domain registrar issue where the main body is saying they cannot hide personal data and needs more time to be GDPR compliant. If they don’t provide info... If they don’t ensure personal data is private does that mean our web host and domain registering companies are non-compliant, and further are website developers who maintain the website and hosting are unable to be compliant?
Many domains are purchased by individuals who personal contact details... Excuse me, public, yes. I don’t have a view on that at the moment, Martin. I know the issue but I haven't really had a chance to exercise my gray cells on that. That’s on the list as well, but interesting issue.
Nathalie says, what happens if you're late in complying? Do these changes all have to be done by the 25th or can it be done afterwards if the user isn't ready? I have clients who have a lot to do in order to be compliant making the Friday deadline unlikely for them.
As I've always said, obviously the regulations come into force on Friday. There is not a vast data protection police force walking around on Friday, where if you're not 100% compliant you're going to get in trouble. The ICO stated that it's really the beginning, not the end. As long as they are working towards compliance they’ll be absolutely fine. The one thing that they probably do need to think about is whether they need re-consent because there is... It is such a consumer issue now. If they are sending out their re-consent emails after the 25th then you might get a few people kicking off about that.
I think that’s the only thing that I would really be advising... Be guiding, thank you, guiding people to think about, is getting those... If you decide and be very careful about whether you need to get re-consent or not, but if you decide you do need to get re-consent, and there's loads of materials in the group that'll help you decide that, not least in the file section there's a document called re-consent, if you decide you need re-consent then I would do that before Friday, because people are just getting savvy about it and they might complain if you do it afterwards or if you don’t do it and then you email them afterwards, they might say, “But you know...” That’s probably the only thing that I'd say, look at that.
Then obviously in order to do that, if you need to do that by Friday, really you need to send them... Well, you do; you need to send them the new privacy policy. You need to have that in place. If you want to do your privacy policy, you kind of need to have done your data inventory so that you know what to put in your privacy policy. They're probably the three key things that I would say, that in an ideal world get done before Friday.
Kate says, Hi Suzanne, thank you for all the info here. You're very welcome. I’ll have more tea. How are we doing on time? Oh my goodness, we've gone over. How can an hour have gone already? That’s just crazy. Did we start at one o’clock? We did, didn’t we? My goodness, let me just check and see. Hang on one-second thought.
Actually, let me just see, this way, hang on. Actually, I don’t know why I turned the screen that way, probably so you can't see my kid’s Lego in the background. Can you see the kid’s Lego there, all messy in the background? It's taking the professional… of my office situation, if you can see the kid’s Lego there in the background. Hopefully, you just didn’t see my diary there with all the personal data in it. Anyway, I've got a 2:30 call, and I need to have some lunch. I can do five more minutes, and then that’s it. I can't believe that an hour has gone by so quickly. How time flies when you're having fun. I think we’ll do three last questions.
Hi Suzanne, thank you for all the info here. I've done your legitimate interests assessment and have decided I can rely on this as my grounds to sending follow-up emails when new prospects download my lead magnet. I've made this clear in my privacy policy. Jolly good. My question is, what do I need to say on the opt-in form itself? If you're relying on legitimate interests you don’t need an opt-in form. Okay, am I missing something there?
You're relying on legitimate interests for sending the emails. Okay, no, my mistake; follow-up emails, okay. You're getting people to opt-in to the lead magnet and then you're using the legitimate interest to send them the emails, the follow-up emails. Okay.
The first thing to say, Kate, is, make sure that legitimate interest is okay. Think about PECR if you're within the EU, firstly, and that’s if your follow-up emails are going to include marketing emails. If it's just value based follow-up emails, then I agree, you're probably fine to rely on legitimate interests.
On the opt-in form for the lead magnet, then really, you just need to say enter your email address if you want to receive X and then have a link to the privacy policy. You could say if you want to... Because it's all about being clear and upfront and transparent, etcetera, then you could say, “We are also going to send you to follow-up emails with value-based content about the same subject but in better marketing speak than that.”
Otherwise, you just really need to have that link to your privacy policy at the point of sign up. You don’t need a tick box for them to actually opt-in to get the thing, because they’ve given you their email address for that thing; that’s the affirmative action. I hope that is your... She's saying, but do I still need to write we’ll also send you offers, etcetera, on the opt-in form, or is this not necessary if you're relying on legitimate interest? Yes. Look at PECR because you might need to get opt-in consent for that, for PECR purposes. Yes, look at... There's also a great blog by Optimized Press which is all about opt-in forms, and they’ve written it using my material, so take a look at that as well.
Gareth says, excellent Live, thank you very much. Thank you Gareth, that’s very kind of you. I've just realized I'm a bit a wonky here. There we go, right. Okay, we’ll choose one more question. Caroline says, I'm a bookkeeper and have to run anti-money laundering checks and verify my clients; I use two companies to do this, one big company states they're a joint controller and have nothing that I can agree to about being joint controllers. The other state they're a processor and despite emailing them they’ve still not provided a processor agreement. What can I do about the joint controller issue? Also, do I need to delete all my client records from either provider if I can't show compliance? Interesting.
I don’t know whether they're a joint controller or not. They are processors, but whether they're also controllers or not, I don’t know. Typically if they’ve got their own regulatory obligations that they would need to have to do something with that data, acting outside of your instructions, then they would be a controller as well as a processor.
I have put it on the list to add to my pack, a joint controller agreement, but that’s not going to be by Friday that’s for sure. I would... With the one that said that they're a processor, I think I would try and get to the bottom of whether they are a controller or not. I'd ask the company that says that they are on what basis are they a controller and if they do have certain regulatory obligations, etcetera, then I would agree they're both. The one that says they're a processor if it turns out they are a... I'm sure they're processors anyway, then I would send them your, from the pack, send them the processor agreement from that. If they're just being kind of obstructive and not wanting to resolve this issue for you then I'd try and find someone that is.
Well, there's lots more questions and I'd love to keep going but I do need to; A, go to the toilet; and B, get some lunch before my next call. Thank you, again, for being here. I'm really enjoying these Facebook Lives. It's much better than... I hardly sleep, sometimes I've sat there at 2 am thinking, “Right, what would be useful for the group for a video today,” and I'm literally sitting there at 2 am thinking, “Okay, we haven't covered this yet, so I’ll do a video on this,” and it's much better to be here in the daytime and the sun shining and you're all here asking me questions and it's fantastic.
I'm really pleased to hear that it's been useful for you guys, which is obviously the main aim of the game here. Thank you for being here, and thanks for your continued engagement in the group. Who knew that GDPR could be so much fun, I hear you say. Thanks to all of you, again, who’ve bought the pack. As I hope you know, we are trying to improve that every day, we’re working on a bit of a roadmap at the moment that will hopefully make it easier for people to follow, for those who need a bit of extra guidance.
We’re going to be adding documents in. There's certainly a few more on the list that we’re going to add in without any further charge. We just want to make that as comprehensive as possible for you and make it easy for you to be compliant.
Thanks for being here, thanks for being in the group, thanks for being generally awesome people, and enjoy the sunshine. I will catch you... I'm doing one tomorrow at, I think it's 11:30, and then Friday is a bit of a tricky day for me, but I'm going to try and squeeze one in. I think we’ll have to see how that goes.
For those of you who I'm seeing for curry on Thursday night, our GDPR party has migrated into a curry night, so very excited about that, really looking forward to seeing you guys there, and hopefully I’ll have some news about my GDPR book on, well, hopefully by the time we go for the curry. We’ll see.
Watch my video; I'm doing an interview later with Mary Smith about Facebook, what GDPR means for people who are using Facebook for advertising or groups or whatever else. If that is interesting to you then I'm doing that at 6 pm UK time on her... I think it's on her Facebook page, I think. Go check that out. I've got an exciting blogging interview coming up tomorrow that'll be live in this group, for the bloggers out there.
I can't remember the rest of the week, all a bit crazy. Thanks for being here, love you lots. My goodness, I'm going to get a little emotional here, it feels like I've come to the end of this 90-day journey where I've been doing this video day for 90 days and it's like the end is in sight. I'm getting a little bit over emotional here. Thanks for being here with me, really appreciate it.
