PODCAST: 5 Myths about the GDPR
Welcome to Just Clarity, a periodic podcast about Digital. Just Clarity is produced by the team at Digital Clarity Group. We help leaders transform the experience they deliver to customers, prospects, and their employees through the effective selection, integration, and adoption of customer experience management technology. Learn more at digitalclaritygroup.com
Hello and welcome to this episode of Just Clarity, the Digital Clarity Group podcast. Recorded on July 5th, 2016. I’m Jake DiMare (JD), Director of Marketing at Digital Clarity Group and I’m joined by Co-founder and Principal Analyst Tim Walters. Today we’re going to dispel five myths about the GDPR, but first Tim, what is the GDPR?
Tim Walters (TW): Hi Jake, it’s great to be here. That’s obviously a key question if not the key question, in fact in our recent webinar that we did on the effects of the GDPR, which is available by the way for replay on Digital Clarity Group’s website, we asked what the familiarity with the regulation was and over 80% of the audience members said they had little or no knowledge of the GDPR.
So what is it? It’s the European Union’s new General Data Protection Regulation, after about four years of negotiations among the 28, now 27, member states. It was passed by the EU parliament and it’s due to come into effect on May 25th, 2018. The general aims of the regulation are that the EU wanted to provide what they call a one-stop shop for organizations dealing with personal data and although there does remain some leeway for the various member states to interpret or provide guidance in application of the GDPR, the desire is to have one set of regulations rather than companies having to deal with 27 or 28 member state regulations, and it does kind of minutely regulate how personal data can be collected and used and transferred and processed, etc., etc. In fact, we’re going to be doing an upcoming series of podcasts on the GDPR which will drill down into each one of these areas in considerable detail.
And finally, perhaps the thing that is going to be most stamped upon people’s minds about the GDPR is that it carries very, very large fines. Namely up to 20 million Euros or 4% of a company’s annual global turnover, that is the gross revenue, whichever is greater. So for a small company you might think, “well we only have 10 million in revenue so 4% isn’t that much”, no, you’ll get the 20 million Euro fine, and for a company like Google, 4% of Google’s 2015 global turnover is something around 3 billion dollars.
JD: This is really meant to get people’s attention.
Myth #1: GDPR only applies to companies operating within the European Union
JD: So we’re going to talk about some myths about the GDPR. Myth number one: the GDPR applies only to companies with operations in the European Union.
TW: Yeah, the keyword here is operations. It certainly is not the case that it applies only to companies that are headquartered in or that are centrally located in the European Union. Mainly the regulations apply to any company, actually to any organisation, but for the purposes of this podcast we’ll talk about commercial entities. So it applies to any company, anywhere in the world, that has practically anything to do with any resident of the European Union, not just citizens of the EU, but anyone who lives within the EU. So that means that the legal reach and the application of the GDPR is not defined by geographic limits, like if you’re in this area it applies to you, but it’s defined by the goal of protecting the privacy and personal data of individuals within the European Union.
So it specifically applies to any company that either A: offers a good and service to any resident of the EU or B: monitors their behavior in one way or another. So in effect, when it comes to what companies this applies to, as soon as any company located anywhere in the world reaches into the European Union to interact with a resident in the ways that we’re describing, then the GDPR reaches out to dictate how that company needs to handle personal data.
JD: Monitoring, what does that mean? You mentioned that.
TW: Yeah, it’s an interesting concept. So monitoring basically means: profiling individuals based upon personally (identifiable) data. So specifically the regulation says that it includes the tracking of individuals online to create profiles and now I’m quoting “In particular to analyse or predict aspects concerning that person’s preferences, interests, reliability, behavior, location, or movements.” So think about how that applies to companies, think about how that applies first of all to most marketing practices today and the use of data, big or small data, and then think about how it applies specifically to companies that track your online visits and behavior. So if you install a tracker, you can see when you go to a typical website, you know, somewhere between a dozen and four or five dozen trackers are actually alerted to monitor your movements and your presence upon that site.
Now a tracker like that, the company that provides that tracker might be able to argue that they’re not providing a good or a service, they’re just sitting passively in the background, but they certainly can’t argue that they are not monitoring and profiling in the way that’s described in the regulation.
Myth #2: Every website owner has to be worried about the GDPR
JD: Myth number two: This means that any and every website owner has to be worried about the GDPR because after all, EU residents could visit practically any site.
TW: Yeah that’s absolutely true that in most cases you can, you know, type in any URL and you can visit sites in Russia or China or Australia or wherever you want to and EU residents could easily come to say your personal blog site or something like that. However, that does not mean you are liable to and have to comply with the regulations of the GDPR.
What the data authorities are going to be looking for is signs of intent. So did you intend to offer a good and service to residents of the European Union or did you intend to monitor them? So for example: if you have part or all of your site translated into a European language such as German, that’s a clear sign that you intend to interact with EU residents, or if you have some information about shipping to the European Union, that’s another clear sign, but in the absence of all of those things, if you just have some kind of site that markets, you know, something to people in North and South America and clearly you’re not interested in touching EU residents or in their business or their behavior, then you would not need to comply with their regulations.
JD: That’s interesting. Just to bring it to the practical really quickly, I can still imagine a lot of people might be nervous about the fact that there is, sort of, someone whose responsibility is to make a subjective determination about whether or not it was your intent to reach an audience within the European Union.
TW: Yeah and actually, in fact, it is going to get very tricky for a lot of organizations that think they’re not, that they don’t have anything to do with European residents, but end up in one way or another in possession of or touching some resident’s personal data. So for example if you want to advise a software vendor, a big software vendor, let’s just say for the sake of argument SAP, and you want to advise them on something, that’s your business, you’re a consultant, and they say, “You know what, it’s going to be easier if I just send you an Excel spreadsheet of the names and email addresses and maybe the titles and maybe even the phone numbers of my top 20 partners, right? Because that will give you an idea about who we’re working with currently,” that sounds very innocent, but according to the GDPR, as soon as that happens, they have made you what’s called the data processor and you are now processing personal data simply by being in possession of it.
TW: Even if you didn’t mean to do anything by it, you just passively received it in an email and yet, you are now part of a personal data chain and therefore liable for any violations.
JD: Very interesting. It won’t take long, I think, for even organizations that are not within the EU that have no intent of interacting with EU residents to say, “You know what, we need some sort of blanket global pop-up that says, ‘this website is not available’ or something’”. Interesting.
Myth #3: The EU is only concerned with reining in tech giants
JD: Okay, let’s see. Myth number 3: The EU is really only concerned with reining in the behavior of the US tech giants like Google, Facebook, Apple, or Amazon.
TW: Yeah, so, certainly the EU has had, you know, a very long and very strained history of relationships with those companies in particular and other big US data giants, and they’ve, you know, threatened or applied fines to them in many cases and they’ve been frustrated because a company like Google doesn’t care about a $20,000 or a $200,000 or $2.5M dollar fine, but you have to look at the reasons for that ongoing antagonism and it’s not just that they don’t like big US companies, but it’s rather that they find consistently, they believe consistently, and have so for a number of years, that companies like that, I don’t want to pick on those four in particular, but companies like that are often not exactly following the strictures of fundamental human rights of the European Union, because it’s very important to recognize, and it’s a little difficult for Americans in particular, perhaps, to grasp, that according to the EU charter of fundamental rights, there is a fundamental right to respect for private life and the right to the protection of personal data.
So the EU almost has a quasi-constitutional obligation to ensure that that fundamental right to privacy and protection of personal data is observed and that’s why they’ve been consistently bumping up against the practices of some of these big companies. However, it’s very clear that if that’s the reason they bump up against it, then it certainly doesn’t apply only to those serial violators, so to speak; it applies to anyone who is in some way not properly observing those stipulations around privacy and personal data protection.
So, it’s not a short answer finally, it’s not motivated simply by a desire to defend against the US data giants and in fact, a one-person firm could easily be found to be an egregious violator of the GDPR and fined accordingly. So you could be data processing in your basement in your spare time and yet, if you’re not compliant with the GDPR you could be liable for one of those 10 or 20 million fines.
Myth #4: There’s nothing new here
JD: Myth number four: there’s nothing new here. After all, the troubled relationship with the big US firms and the many fines that have been leveled show that the EU has been trying to protect these fundamental rights for years. Does the GDPR really change things?
TW: Yeah, it’s kind of the flip side of the last myth, that is, there have been personal data regulations in place for a long time in the European Union, precisely because of that, what I called quasi-constitutional obligation, and the most central one of those is what’s called the 1995 directive, 95/46/EC if you want to get into the bureaucracy of Brussels, and in fact it’s true that directive has the same fundamental aims regarding personal data protection, and why? Because it’s in the service of those same fundamental rights that are spelled out in the EU charter.
However, one: that directive was inconsistently legislated, it was poorly enforced, it lacked dissuasive measures, it was inconsistently enforced as well by various member countries, and it lacked that kind of ‘one-stop-shop’ goal, which is one of the primary motivations of the GDPR; and secondly: even though they are similar and have similar aims, the GDPR now has substantial new or substantially expanded concepts around or requirements for what counts as personal data, what it means to get consent from an individual, how forcefully or aggressively you have to inform them about withdrawal of that consent or permission, about usage restrictions on any data that you gather, about data portability and giving it back to consumers or allowing them to shift it to another provider and so forth.
So there are all kinds of new things or expanded things that mean that you can’t assume it’s business as usual under the GDPR.
Myth #5: Marketers are exempt from the GDPR
JD: Myth number five: Marketers are largely exempt from the GDPR. Well, that’s a big relief for me so I guess we can just call it a day.
TW: Yeah, exactly, as the Chief Marketer for DCG. No, you’re not out of the woods at all. I kind of hope that this myth is circulated out of ignorance, but sadly I suspect that some people with a vested interest in the current marketing technologies and the current ad tech eco-systems are purposely spreading misinformation about this in order, quite frankly, to preserve their current revenue streams for as long as possible, alright? They want to calm down marketers: it’s okay, the world is not changing substantially, so just keep on doing what you’re doing and keep on buying my stuff.
That’s kind of nefarious because of course, to the extent they’re able to get marketers to fall for that fiction, they’re actually preventing them from a kind of timely response to really preparing for the real obligations of the GDPR. They’re actually doing them a great disservice if that kind of willful misdirection is what is taking place.
JD: Let’s unpack that.
TW: Yeah, let’s go through this a little more patiently. So according to the GDPR, you need to designate what legal grounds you are relying upon for collecting personal data and there are six of them that are spelled out. Four of them are mostly legal or apply only to governments. So for example: if it is in the clear personal interest of the individual, then you may use or have access to personal data. The example there is if you are on vacation in Switzerland, you fall off a cliff and you’re in a hospital and the doctor needs some personal data about you in order to effect the care in the proper way, they may do that because it’s in your personal interest to survive, okay? But there are only two of them as far as commercial entities are concerned, there are only two grounds for collecting personal data that you can appeal to.
One of them is consent. That means just getting permission directly from the individual and the other one is what the regulation calls legitimate interest and that means roughly an activity that a consumer could reasonably expect a firm to carry out, and if legitimate interest is the legal basis that you appeal to then consent is not required. You do not have to ask them upfront if you may have access to and use and process their data.
So for example: if you bought a microwave oven online from Best Buy, you would probably be expected to have a reasonable expectation that Best Buy, given that they now have your email address and your physical address because you had to fill out a form and have the thing shipped out to you, you could have a reasonable expectation that they’re subsequently going to send you email offers and they might subsequently send you printed catalogs; that kind of marketing activity would seem to fall under legitimate interest.
Now, second step: there’s a recital in the regulation, and recitals are just the explanatory paragraphs at the beginning; they’re followed by the articles which spell out the specific provisions of the regulation. So there’s a recital, namely recital number 47, and it states, quote, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, close quote. That sentence is a great monument to the power of lobbying because some marketing organization worked very hard in Brussels to make sure that sentence was added to recital 47 or somewhere else in the regulation and it’s just odd, it sticks out like a sore thumb.
JD: There are a couple of things that I’m very scared of again. There’s “reasonably expect”, “may be regarded”.
JD: That can sort of skirt the land of subjectivity.
TW: That’s the unpacking part. So the fact that the sentence is in recital 47 and is, therefore, a part of the regulation, has led some people in blog posts or articles to conclude, and I’m quoting one of those blog posts, “Most of the business models in place in the online marketing and advertising industry today will not require data subjects to give their consent to the use of their data provided they stay within bounds of the user’s reasonable expectations”. So don’t worry about it, the world isn’t changing after all, but as you correctly noted, there are two or three really significant buts and provisions, provisos, that radically undermine any notion that the GDPR provides an exemption for data-driven marketing, at least from the consent requirements.
For example: earlier, the same recital 47 says that “legitimate interest may be a ground for data collection” and then it says, “Provided that the interest or the fundamental rights and freedoms of the data subject are not overriding”. Provided that the individual’s fundamental rights and freedoms are not overriding, and it calls for a very careful assessment of the relative weight of the legitimate interest of the firm and the freedom of the individual.
So these things that, so legitimate interest certainly by no means overrides the fundamental rights that are spelled out in the EU charter, and in fact rather the recital says we’re going to have to be very, very concerned that legitimate interests are not taking precedence over those legitimate rights, and just as a reminder in case you’re wondering, there’s no fundamental right to marketing in the EU charter of fundamental rights, there’s no fundamental right to mail discount coupons to people, there’s no fundamental right to distribute news of your Christmas marketing campaign.
JD: I got to tell you, like right now, if I’m a CMO of a publicly traded corporation, I’m throwing up my hands and saying I need general counsel to sort this out (be)cause everything that you just talked about…
JD: There’s, sort of, so much legal mumbo jumbo mixed up in there. It seems like shaky ground.
TW: Yeah, that’s absolutely right, but the important proviso there, and this is something we’ll cover in a future podcast as well, is don’t allow yourself to think that it’s only the legal department’s problem, right? Like legal will sort this out for us, right? The dimensions of the shift that are required by the GDPR in terms of how you relate to consumers and prospects, how you ask them for data, what kind of data you get, how you use it, what you do with it after you’ve used it, when you have to ask them again and so on and so forth. This means that it’s going to be a kind of integrated company-wide reorientation around the use of personal data and it’s going to take all the village, and several villages together probably, to deal with this, so don’t think that it’s just a legal problem.
So one, we can safely assume that the fundamental rights of the data subject are often, very often, going to be overriding. So when the regulation says you may appeal to legitimate interests for direct marketing purposes provided that the fundamental rights and freedoms of the subject are not overriding, that’s probably going to be a very tight restriction on that appeal to legitimate interest.
And then secondly, and I think this is really interesting, a later recital, number 70, says, “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing” and that right has to be explicitly brought to their attention and presented clearly and separately from any other information. So what does that mean? It basically means that you have to get consent to use legitimate interest as a grounds for collecting personal data because initially, and you’re going to be told by some marketers that this is great, because if you use legitimate interest, you don’t have to get consent.
TW: But in fact, recital 70 says basically, you need (to) get consent in order to use legitimate interest. Now, what’s the difference? The only difference is that when you appeal to consent as the legal grounds for processing data, then you have to do it in advance. You have to say, “may I have permission to gather and use some of your data for the purposes of ___.” When you appeal to legitimate interest as the ground you have to do it post factum, right? And then you have to ask, as it says, explicitly and clearly, “do you object to me continuing your personal data for the purposes of X”, right? “Which, by the way, I previously collected without your consent”, and so that, it seems to me, is inherently more suspicious and less likely to be met with approval.
So it seems to me that you’re better off asking in advance rather than asking after the fact, and again when it says it has to be presented clearly and separately from all other information, it means that it can’t be a clause buried in some terms and conditions that you know people are not going to read. It has to be presented in a way that you know they are going to read it and they have to indicate that they have read it, in fact. So it’s as good as the consent requirement with the added complication of worrying constantly about whether or not you’re overriding or not overriding the rights of the individual.
JD: Yeah, it’s interesting. I mean, I mentioned earlier the idea of wanting to ask for legal expertise on you know where the line is and what we can do. I think it’s sort of going back to the idea that a violation of the GDPR could be an extinction level event for almost any organization below a certain amount of revenue and there’s just so much complexity in here. I would think that a smart marketer would want to do everything in their power even to avoid being the subject of complaints.
JD: There’s probably going to be some amount of resources that have to be expended in order to simply defend yourself from the suspicion or allegation of a violation.
TW: Yeah, and it’s even more, it’s even a little bit darker than that in a way. I mean, I don’t want to frighten people, I think it’s an interesting challenge, one: in order to see how you’re going to comply with this and just understand it initially. I mean, we offer workshops, a lot of people offer information and workshops around the GDPR now; and secondly: it’s not just a challenge in some kind of onerous new legal framework that you have to try and comply with, it also, in a way that we won’t go into today, opens up all kinds of opportunities for innovative new services and business models around this value-based exchange of personal data with consumers rather than just sucking it up like a vacuum cleaner.
JD: So innovative new services, yeah, that’s interesting, in sort of setting up a value exchange. What you’re referring to there is probably like Google where they say, “Hey, we’re going to use your personal data, but here are all these free tools that are very valuable to you like Gmail and Google Documents and so on and so forth.”
TW: For example, I think a better example is something like Amazon where, going back to the earlier question very quickly about whether this is really just meant to pick on the American data giants like Amazon, Google and so forth, it’s arguable that Facebook and Amazon, in particular, are going to have an easier time dealing with the GDPR because they have a direct relationship with consumers, with individuals.
So it’s easy for Amazon to say, “provide us with some personal data and we’ll be able to give you a clearer benefit like one-click buy”, right? We can’t do that without your personal data, right? Or, you know, good recommendations; it’s arguable how good the recommendations are on Amazon, but nevertheless, you can kind of see, they can point you to the benefits that you’re going to receive. That’s much harder for a lot of other companies where it’s “give us access to personal data and in some vague way that we can’t really determine, your experience with us is supposed to be better”, and I think it’s going to be, the companies that…Precisely, and that’s again where that opportunity for thinking about this from the positive side becomes clear. So instead of sitting down and saying, “How can we preserve as much of our current marketing practices while still complying with the GDPR”, you say, “Given the new guard rails defined by the GDPR, how can we create different, and new, and more attractive kinds of relationships with consumers that will allow both of us to profit?”
JD: Wow, that’s a lot to process. Any last words?
TW: Yeah, I just think, A: in conclusion, that all five of these myths that we looked at are probably based upon or motivated by, whether consciously or subconsciously, the wish to keep on doing business as usual despite the GDPR. Precisely that, you know, okay, it’s another regulation I have to comply with, but it doesn’t really change my world in the way I do business, and I think it does.
There is no safe harbour, there’s no geographic safe harbour, there’s no haven from the requirements of the GDPR, not based upon your geography, not based on the size of your company, not based on your compliance with the current EU data protection directive and certainly not because your existing business model, like direct marketing, is somehow magically exempt from the entire regulation.
JD: So you can’t just outsource your entire data operation to Greenland or something.
TW: It won’t work.
JD: Excellent, well, that’s a lot of information to process. Thank you very much for your time, Tim, and as you said earlier, we’re going to have a series of podcasts and webinars and more content about the GDPR to help organizations prepare for and be in compliance when it takes effect. When is it, in May of 2018?
TW: May 25th, 2018.
JD: Excellent. Thank you to our audience, have a great day.
You have been listening to another episode of Just Clarity. Produced by the team at Digital Clarity Group. For more information on the topics we discussed today or the subject of customer experience management, please visit us at digitalclaritygroup.com