Understanding GDPR and its Implications for your Professional Services Business
How are US-based businesses likely to be affected by the General Data Protection Regulation (GDPR), which comes into force in the European Union on May 25, 2018? What are the implications for professional services businesses that process data on behalf of clients? How will data chains be affected, and who will manage them?
In the latest PS Insights podcast sponsored by Kimble, Ardi Kolah discusses these questions and others. Kolah advises government agencies and major corporations such as HSBC and Santander on data protection. An acknowledged global expert in the field, he is the director of the GDPR transition programme at Henley Business School in the UK.
Kolah discusses the implications of the law in detail, unraveling various scenarios. In general, he advises that GDPR is a higher standard based on human rights. The best approach to dealing with it is to focus on doing the right thing. “Ask yourself – would I be OK with this use of my data? Is it creepy or cool?” The main right GDPR gives to citizens is the right to transparency – to be able to see where their data is being stored and processed.
Speaker 1: Welcome to the PS Insights podcast series sponsored by Kimble Applications. Professional services organizations strive for efficiency, success, and growth. This series is intended to provide key insights on how to achieve this from industry leaders.
Ian Murphy: Hello. My name is Ian Murphy. Today I’m talking with Ardi Kolah on the challenges presented by the European Union General Data Protection Regulation, or GDPR as it is commonly called. Ardi is an Executive Fellow and Director of the GDPR programme at Henley Business School, and founder of Go DPO. He’s a former Senior Manager at Accenture and recognized as one of the leading data protection practitioners in Europe. Ardi has cabinet office and ministerial level consultancy experience, and regularly consults for a number of multi-national clients in the financial services, banking, automotive, technology, and infrastructure sectors.
Ardi Kolah: Thank you very much, Ian, for inviting me today. I know that many people listening to this podcast are going to be very interested in what’s happening here within the European Union. And really what I’m trying to do today is to shine a light for them in terms of how that applies within the United States.
Ian Murphy: The 25th of May is the go-live date for GDPR. It’s been talked about now for many years, but there’s still a lot of misunderstanding and misinformation. Can you give us a quick view on exactly what problem it’s trying to solve?
Ardi Kolah: Your starting point was not completely accurate. It’s in fact been law since April 2016. What we’ve been doing since 2016 has been preparing ourselves to actually continue to trade within the European Union under these new higher standards of data protection, privacy, and security. That two-year transition period runs out on the 25th of May.
What that means though, in practical terms, is that anyone within the European Union, and that’s 500 million consumers, clients, customers, and employees, have got stronger data protection, privacy, and security rights than they had previously under other laws and regulations that may have carpeted the rest of the European Union.
This has kind of tied up really what we think about in terms of data protection and the expectations that people have in relation to the use of their personal data.
Ian Murphy: This is focused on, as you say, the privacy and data protection of those people in the European Union, but it affects every company worldwide who may process, hold, or trade with the European Union when it comes to the privacy of citizens.
Ardi Kolah: That’s absolutely right, and it’s something which people are struggling to understand. The territorial footprint of the GDPR is beyond the boundaries of the European Union, the European Economic Area, because it’s anywhere where processing of data from within the European Union, and that could be European citizens or non-EEA citizens as well. That data is protected under the GDPR. So irrespective of where the processing is taking place, that is within scope of the GDPR.
With respect to the United States, there is a mechanism which has to be adhered to in order for that to happen. That’s called Privacy Shield, which is suggesting that you have the same level of protection, within your organization with processing of European Union’s personal data as if they were at home. If signed up, and it’s a self-certification scheme, then there has to be other mechanisms that you would need to rely on in order to process personal data from within the European Union and that would be what’s known as standard contractual clauses. These are things which have to be agreed in writing and you can’t deviate from those standards. There are other mechanisms as well, but it’s pretty tightly controlled is really what we’re saying here.
It’s not about where the processing’s taking place. It’s actually where those decisions are made in terms of the means and purposes for processing personal data. As an American organization, if you are actively engaged with reaching European Union citizens, then you have to comply with the GDPR.
Ian Murphy: As you say, the scope is global. But for people outside of Europe, they will also have to deal with local privacy laws. In the United States, that could be at state level and federal level. How do companies begin to square potential conflict between GDPR and the laws that they currently have to adhere to in their own location?
Ardi Kolah: If we take the American experience, it’s very clear. If you are doing business with the European Union, as we were just talking about, then you have to comply with the safeguards that are in place in order to protect people within the European Union. Those safeguards will be spelled out within the GDPR. In addition to that, you may be a signatory to Privacy Shield, in which case you are guaranteeing that you’re going to comply with these high standards which reflect the GDPR. If you’re not a signatory to Privacy Shield, in other words, you haven’t self-certified that you’re going to do that, then you’ll need to adopt other mechanisms which protect personal data in that respect. And that’s known as standard contractual clauses. These again have been created by the European Commission.
Ian Murphy: We keep saying privacy and data in our conversation. For a lot of people, they’re not quite sure what data is involved, and what privacy actually means here. Could you give us a view on that?
Ardi Kolah: The GDPR is only focused on personal data. It’s not focused on financial data, business data, profit and loss, share price, those kinds of things. It’s to do with the living individual, not a dead individual. Anything that can identify that individual, that could be a piece of data connected with another piece of data that could then be added together to identify that individual, then that’s within scope.
Within the GDPR, there’s also a category called special personal data and that’s what we would regard as being sensitive data. That could be biometric, genetic, sexual orientation, philosophical beliefs, religious beliefs, health data. That type of personal data attracts a higher level of protection.
Ian Murphy: A lot of companies process data on behalf of third parties. They don’t collect it themselves. It’s sent to them. Historically, they have been exempt from a lot of laws around privacy and data handling. This has now changed. What do they need to think about? Is this about technical systems? Processes? Detailed items such as encryption or identification of data elements? Where do they start?
Ardi Kolah: That’s a great question. If I may, let’s just take a step back before we get into the detail of that question. The first thing to recognize is that the GDPR has effectively made us reboot our thinking about data protection, privacy, and security for the digital age. And you’re absolutely right, when you said that actually in the past, the liabilities were really in contract rather than in law. So, if we were to outsource the processing to a third party, which is what you were just describing, then if it all went horribly wrong, as the client, we’d have a contractual remedy for that happening, and we wouldn’t necessarily get it in the neck. Those days have gone.
As the client, you are deemed to be the data controller, that’s an organization or an individual. Think about what you’re doing in terms of a value chain. At any point in the value chain, you are responsible for data protection, privacy, and security. The further the processing takes place away from you, the greater the degree of risk, because the GDPR puts a risk-based approach around data protection unlike what we’ve had before. The further away the processing takes place, the greater the degree of risk.
What the GDPR very clearly states is that there is joint and several liability for the processing of that personal data, between you, as the data controller, and the data processor. That extends even further in terms of this value chain. Just imagine you’ve got a data processor, and then they subcontract to another party. That could be the sub-data processor. And typically, that could be a web service provider or someone like that. As the organization responsible for making the decisions as to the means and purposes for processing that data, you may not have a contractual relationship with that sub-data processor. Anything they do will impact you, because you are jointly and severally liable as we just explained. And that’s a pretty major difference between the GDPR and previous laws and regulations. And that’s very, very important.
The risk is up to four percent of your global turnover as a fine, or 20 million Euros, whichever is greater. The bigger risk, of course, is dent to your reputation, which is something much harder to recover from. You could probably find a law firm to appeal the fines, but you can’t really stop a situation where there could be an enforcement notice landed against you where they could force you to stop processing on a temporary or permanent basis.
So, what does this mean in practice? Which is going back to some of the detail of your question at the beginning. What this means is first of all, as a data controller, you should double check that whoever you’re using to process personal data can guarantee compliance with the GDPR. In fact, the GDPR insists that that is the case because you, as the data processor, are under an obligation to help your client comply with GDPR. It’s a quite interesting little feature of that.
The second thing is, you need to make sure, as a data processor, that you’re doing everything which is in accordance with the GDPR, irrespective of where that processing is taking place. This is where the confusion comes in, because people think, “Well actually it’s to do with the European Union.” In fact, it’s irrelevant where that processing takes place on the globe. You still have to comply with those high standards. That means from an organizational and technical perspective, you need to have the right people in place to do that. That would typically be a data protection officer to make sure that’s all done properly. You have to have people who are trained. Training is your front-line defence in relation to making sure that things are done in accordance with these high standards.
There is technology that you would need to deploy in order to achieve those outcomes, which means basically, you’re not creating risk. Remember it’s a risk-based approach, you’re taking very high or high risk. You’re reducing it to a residual risk, which doesn’t cause harm or damage, and you’re recording that you’ve done that. And that’s really, really important. There are a number of things that you need to think about.
At Henley Business School, where I lead the GDPR programme, we look at this through three lenses: business continuity, risk, and technology. You join the dots between those three things. If you’re able to do that, and you’re able to record how you’ve done that, then should there be a personal data breach at any point in this value chain, you have a narrative that you can put in front of the regulators, the supervisory authorities, those people looking over your shoulder to check that you’re doing things in accordance with these high standards. And you have an explanation as to how you’ve taken those steps to assure that people aren’t being hurt in relation to the processing of their personal data. If that’s the case, and you’ve got reasonable explanations, you shouldn’t really be whacked by significant sanctions and fines.
Ian Murphy: Let’s see how those three come together. An organization is flying some customers to a conference. In order to book the tickets, they will ask for some personal data, name, date of birth, passport information. They will pass that to a travel agent who will book the ticket. The person processing the data at the organization may think that simply by deleting that email that was sent with that data on, that they have managed to remove all evidence from their system, and that they therefore no longer hold data. But of course, that data’s now on the system of the travel agent, and the company has to think about how does it control that. How does that play into the three elements here in terms of ownership, control, and being able to track data?
Ardi Kolah: That’s a really great question. Again, we could spend a lot of time unpacking that. But let me try to give you a sense in terms of where the logic is in relation to thinking about these things.
I really like the scenario, ’cause I think it’s something which could happen a lot to people listening to this podcast. The first thing is you need to have a legal basis for processing personal data. Is that legal basis consent or is it contract, for example? I would think the other grounds, there are six in total, probably don’t really apply. Let’s just say it’s consent, for the sake of argument. If you’ve got someone’s consent, then clearly what you have to do, before you’ve processed their personal data, is to provide them with a data privacy notice. Interestingly, it’s the only absolute right within the GDPR. There are lots of other what they call rights and freedoms that will help individuals protect themselves. Those are not necessarily absolute rights. But this one really is.
So, they need a data privacy notice. Within the data privacy notice, you’re going to be absolutely transparent, and you’re gonna be accountable, and you’re gonna give them control. Those are the three things that are expected of you when you’re doing this.
So, the first thing is you’re gonna tell them what you’re gonna use their personal data for. The context for that, the purposes, for how long, which is the point you were making in terms of the scenario. That retention period for that personal data. Also, if there’s a problem, who they can contact, what other rights and freedoms and interests that they have under the GDPR. Now, I’m making an assumption that we’re talking about European Union citizens here.
If things go wrong, they have a right to complain. They could complain to their supervisory authority. Here, in the UK, that’s the Information Commissioner’s Office. And of course, there’d be other parties that they could complain to if necessary, as well. So, all of that’s wrapped up. That’s on the basis of processing their personal data with consent. And in your case, that would be required. It had to be unambiguous. Consent has to be freely given. It can’t be conditional on things. You couldn’t say, “Oh, if you consent to us processing all this data, you could enter a prize draw and actually get a free air ticket and a free entry to this amazing conference.” You can’t do that. It has to be freely given. It can’t be conditional on something.
It has to be separate from terms and conditions. So, if you are processing someone’s data and you’re doing it on a consensual basis, but there’s also a contract, that’s a separate legal ground. Just bear that in mind. There is a division in terms of contract and consent. In this scenario we’re talking about consent, ’cause I think that’s probably the most appropriate. Provided you do that and you’ve recorded that they’ve given their consent in an unambiguous way, that could actually then be ticking a box, not pre-ticked boxes. If they tick a box, they’ve actually acted in that way, then you should actually be fine and there shouldn’t be a problem with that.
Ian Murphy: You’ve used the word consent in that last answer, and that’s something that is going to challenge a lot of organisations. Today, they now work on an opt-in opt-out basis. But opt-in is not the same as consent, is it?
Ardi Kolah: No. And I think there is some confusion there, because what the European Union has done is that they’ve actually raised the standard. We’ve gone from opt-in to consent, either on an unambiguous basis or, where we’re processing people’s personal data which is of a very personal nature, their health data, genetic data, biometric data, their sexual orientation, their religious or political beliefs, those kinds of things, then actually we need their explicit consent, and that actually has to be recorded in writing. So, we’ve gone from opt-in, which was kind of like a lower level in terms of their agreement when we’re looking at consent, to unambiguous or explicit.
Interestingly, the original draught of the GDPR only talked about explicit consent, and lots of organisations had a bit of a panic attack about that, because that should be quite a difficult thing to actually do in every case. They recognized that. So even if you’re online, for example, the idea of consent could be actually encapsulated in the browser that you’re using without having to constantly consent to doing things.
Where it starts to get a little bit murky is, from a European perspective, we have what’s known as the Privacy and Electronic Communications Regulation, or otherwise known as PECR for short. That’s under review. Originally, that Privacy and Electronic Communications Regulation was going to come out at the same time as the GDPR. But unfortunately, it got a bit derailed for all sorts of other things going on at the same time. I’ve recently spoken to a member of the European Parliament, and he tells me that next autumn, 2018, we’re likely to see what’s known as the E-Privacy Regulation or EPR. And that’s important in relation to the question that you’ve asked me, because that gives you more specificity in relation to email marketing, direct marketing, mobile marketing, SMS marketing, cookies, that kind of thing.
However, because I also work with the European Commission, I can tell you that the EPR isn’t gonna be any different to the GDPR. It is gonna be about accountability, transparency, consent, because consent is really important. Consensual approach to how we process someone’s personal data is absolutely core to the thinking in the minds of the European Commission, the thinking in the minds of the supervisory authorities, irrespective of where that processing is taking place within the member states of the European Commission.
Ian Murphy: Professional services firms find themselves caught in a difficult position here. They may not be the organization gathering the data, but they will be responsible for a lot of the processing of data. They may not do the processing themselves. They may be handing that off to two, three, four parties in a complex supply chain. How do they begin to trace, track, and authenticate the handling, deletion, and otherwise processing of data?
Ardi Kolah: The first thing to recognize is that the responsibility, the legal responsibility for processing that personal data isn’t necessarily only on their shoulders. I would argue that the primary legal responsibility for making sure that that data, before it leaves the client, goes into their hands or other people’s hands is actually the responsibility of the clients. They have got to make sure that they’ve got that data lawfully. They have to comply with all seven principles of the GDPR, and that’s pretty important, before they can hand it over to, in this example, your data processor, and before that then can be shared with other data processors.
What they’ve got to do, if it’s a client in professional services, is to tell the client, “Look. We’re gonna use other people to process your personal data. These are the other people. This is what they’ll do with it. They may share that personal data of yours. It’s not our personal data. It’s yours, as the client. They may share that with other third parties. These are the other third parties they’ll share it with, and this is what will happen to that data.”
So, all of a sudden, the picture that’s being presented to the client is a very different one to the one that we may have presented in the past, where actually, we didn’t tell them any of this stuff. It just sort of happened. Now we’re under an obligation to be absolutely transparent and to be absolutely accountable, because that level of accountability exists all the way through the value chain, or the supply chain as you refer to it. That’s really, really important.
The receiving party, the data processor, needs to check that actually the personal data that they’ve received is in accordance with the GDPR. Again, making the assumption that we’re talking about the European Union citizens of course, in this particular scenario. You have to say, as the data processor, to the client, “Can I just check how you’ve got hold of this data? And what was the basis for processing it?” Because processing, which is defined under the GDPR doesn’t mean that data needs to be in flight. It can be at rest. It can even just be looking at data on a screen. That’s also processing. If you are taking data as a third party, you need to check that actually when you’re processing that data, you’re not actually doing that again in contravention of the GDPR, because in fact, if that data hasn’t been effectively processed under the GDPR and there’s some problem with it, you processing that data post that point puts you in breach, and as we’ve already said during the podcast, there’s joint and several liability there.
The GDPR even goes further. It says that you don’t have to take instructions from your client if it puts you in breach of the GDPR. Again, that’s a very big difference to how things were done in the past. So, it’s down to you to determine how that data was harvested, if you like, before it got to you. And then, you’re under responsibility should you then outsource it to another third party. In your scenario, it could be a cloud service provider for example, then you’ve got to make sure that they also comply. But that chain, that responsibility for processing that personal data goes all the way back to the organization who started this process in the first place.
Ian Murphy: We often see in marketing communications and on websites, phrases such as, “We will share your data with third parties who we choose, to improve your marketing experience, your website experience, to make offers to you.” Under your visibility statement there, are companies gonna have to now start to list exactly who they will share data with, or how do they manage that in case they have a request from a customer over the sharing of data?
Ardi Kolah: That’s a great question and one that actually I get asked a lot when I chair conferences and speak. What’s really important is to take a step back from that, and to think, do we absolutely need to process that personal data in order to deliver the product, the service, or what is called the information society service, which you may not be getting any money for, but you may be getting advantage or benefit from, like an app for example. Because the regulation is very clear. We need to apply the principle of data minimization, not data maximization. And this, again, is a bit of a change if you like. It’s a kind of moment for us. The Facebook and Cambridge Analytica scandal, if I can call it that, brought that into our thinking in a very powerful way.
We didn’t know what was going on, or 87 million people potentially didn’t know what was happening to their personal data. They were being profiled. They didn’t know about that, and all of a sudden, that information was added to other bits of information, and that was then sold on a commercial basis, and then that information was used to influence their behavior. This is totally at variance with the GDPR, because the big thing about the GDPR is we’ve all got to be completely transparent and accountable in relation to the personal data that’s being processed. That’s absolutely the driving force behind it.
You have to be transparent and you have to tell them, who is that third party, what are those purposes for which you want to do that? And the real test is in fact, is that appropriate from the individual’s point of view. One of the things that I’ve written about, which you can find on LinkedIn is putting the regulation to one side, does it feel creepy or cool? Although that sounds simplistic, it really does go to what we’re really talking about on this podcast. It’s doing the right thing, not because you’re listening to me describe what’s in the regulation, or going on a programme, or talking to your legal team. It’s doing the right thing because it’s the right thing to do. And I think we’ve lost sight of that.
Ultimately, the GDPR is in fact a human rights piece of legislation. In a sense, I would challenge everyone listening to the podcast to take a step back and think, how would I feel if that was my data? Would I feel that was okay, or would I feel that was a bit creepy?
Ian Murphy: Ardi, we could talk for hours on this. It’s been great talking with you today.
Ardi Kolah: Thank you so much for inviting me, and I hope what we’ve talked about, in the short space of time that we had, will give a bit more of an insight in terms of what this is really about.
And for us, in summary, it’s less about regulation and much more about reputation.
Ian Murphy: You have been listening to one of a series of podcasts dedicated to sharing best practices for professional service organisations. These can be found on www.kimbleapps.com.