General Data Protection Regulation (“GDPR”)
As we edge ever closer to 25 May 2018 when the GDPR becomes enforceable, we have been spending time understanding our portfolio companies’ (and our own!) biggest worries when it comes to compliance.
The leading London law firm Slaughter and May have graciously offered round-table discussions — as well as good humour and invaluable advice — to many of our portfolio founders and their teams over the past few months. (Thank you Rebecca Cousin; Rob Sumroy; Lucie van Gils and Matthew Farrington). Nothing we say here should be taken as being endorsed by, or coming from them — we just thought it would be helpful to share with the wider community some of the common challenges we have all been facing and how we are thinking through them.
The following contains as many questions as answers, but knowing the right questions to ask is a powerful start in tackling the GDPR and should be a pre-cursor to creating a culture of conscious responsibility towards personal data within our businesses.
What is marketing?
This all centres around promotional activity. Royal Mail recently sent an email out simply informing their customers of a price reduction for certain parcel sizes. Was this marketing or simply an administrative communication? The regulator (Information Commissioner’s Office, “ICO”) identified this as marketing, in that it was deemed to be promotional (perhaps a price decrease or other ‘bad news’ may not have been seen as marketing material!)
Once you know you are trying to promote goods or services, it is then important to understand whether your communication is aimed at an individual. This particularly applies to e-marketing which is without question the predominate method of marketing today. For any B2C businesses, the answer to this will be “yes” and here, a second regime will be applying to your communications on top of the GDPR, this additional regime is — the Privacy and Electronic Communications Regime “PECR”.
PECR sets out what counts as valid consent to receive e-marketing communications. The standard will be moving from opt-out to opt-in. This means, for consent to be valid, it has to have some positive, affirmative action attaching to it — which, of course, you will need to demonstrate to a regulator, should you be asked to evidence it. If you can show valid consent under PECR, then you should also be able to show compliance with GDPR (note, there are 6 legitimate grounds for processing data under the GDPR — although, by this point in your preparations for GDPR, we are hoping you are familiar with the basics so will not recite the grounds here!)
Opt-out standard that is in force at the moment — which looks like “please untick this box if you don’t want marketing” — will be changing. From May 25th, someone needs to do something to signify they are happy to receive promotional materials, by ticking a box for example. [Note — closing a popup box requesting consent, is not consent!]
Can I continue relying on any of my existing opt-out consents?
Yes in the following two cases:
B2B (1) where you are sending e-marketing to legal entities (b2b businesses) — not sole trader or partnership. This is hard for the sender to know and we expect businesses to take judgment calls here on who on your database is or is not a legal entity (MrSmith@gmail.com — likely to be an individual!)
B2C (2) “soft opt-in exemption” — this is where in the course of a sale, or the negotiation of a sale, you’ve obtained the consumer’s contact details, having already given them the opportunity to opt out at that time. In this case you can continue to market to them, but this is restricted to marketing your own similar products, not third parties’.
I have an existing set of customers who have signed up to our daily newsletter, to receive promotional information, but they haven’t bought anything from us. Can I rely on soft opt-in?
No, nor is it enough that they’ve been on your website. If they had reached out for a quote, for example, you could justifiably say there had been a negotiation. Strictly speaking, any sale should be for payment/money.
If you have customers who have already specifically and explicitly consented to receiving marketing materials, they have given consent which is GDPR compliant, so this doesn’t need to be refreshed. But it doesn’t follow that, because they have signed up for a newsletter, you can send them anything else. Double check what the original wording was that these customers signed up to. The regulator wants you to be able to prove that you know what they have agreed to and you can show this. This is probably why we are all getting loads of refresher emails — businesses simply don’t have the records and want to be sure they can show this audit trail going forwards.
[N.B. there is new e-privacy regulation that you may have heard about which is going through the European process currently. The final text isn’t likely to appear until year-end 2018. The transition period will then be likely to be a minimum of 6 months (this will include electronic communications and cookies). This is one not to worry about for now, but the B2B exemption set out in (1) above may be scrapped. The approach to cookies is also being looked at, based in part on the fact that people aren’t paying attention to popups.]
What do I do about my current opt-out consents?
Have you noticed the recent flurry of requests to consent from marketing/promotional lists? Here, business are relying on existing opt-out consents, to ask people if they want to opt-in. If you ask someone for their consent to marketing, it is deemed to be in and of itself a marketing email. So after 25 May, you won’t be able to send out this type of email unless you have explicit consent to do so!
What about when you are sending the marketing message through Facebook or MailChimp or other third parties?
If they are sending the message out and controlling it– they are the ones who need to have permission. You obviously wouldn’t want to get caught up in them doing anything they shouldn’t be so — assuming you can negotiate these contracts — you should be including clauses which ensure that they will be doing their marketing activity in compliance with applicable laws (GDPR and PECR). You will also need to let your customers know that you are transferring and sharing their data to third parties in this way in your privacy notice.
The alternative is where you are marketing the goods and services of third parties to your customers or passing on customer information to third parties so that they can market their goods and services to them. This requires a specific and explicit opt-in. You need to think about the best way to communicate with your customers and how you are going to get the most effective up-take for them to opt-in: i.e. do you think more granular and digestible information on why each is being included is helpful and will encourage them to tick the opt-in? At a minimum, you’ll need to name the third party and explain what you are going to be sending out and sharing with that third party.
What about services that search for contact details — are they compliant? This info is all publicly available on LinkedIn and other websites so why can’t I use it?
It is still personal data and you are still required to comply with GDPR. You, or those businesses doing this for you, can gather this data, you should then decide what your processing ground is (which is likely to be legitimate interest). There is still a marketing problem, namely, how do you market to them with proper consent? Potentially you could use the corporate exemption, but beyond that, you also have to tell them that you have their data within 28 days of collecting it and putting it onto your system, or have someone process it on your behalf. You should be sending them a privacy notice, telling them you have it and what you plan on doing with it.
Beware of buying lists! Buying a list doesn’t mean you have the right to market to these people.
We aren’t sharing personal data so that third parties can market to our customers, but we might be transferring data for other reasons to third parties. How do we do that in a compliant way?
- Look for processing ground. If there’s legitimate interest, make sure you carry out the balancing exercise where you consider the detriment to individual and their privacy from what you plan to do and balance this against your business interest.
- If in doubt, tell the individual what you are going to do with their data! Put this in your privacy notice.
- This doesn’t mean asking them for consent (as we discussed with marketing) — this will be an informational service.
- Transparency: individuals then know who has their data and what is being done with it as well as what processing ground you are relying on to use that data in the first place.
- Comms should be clear and understandable. Don’t get lawyers to write privacy notices, or marketing consent requests! Some of the information included in here has to be legalistic but mostly this is about phrasing in a very understandable fashion. Have marketing people to write the comms, then get a legal eye to check it for compliance and effectiveness.
- Format of privacy notices: the regulator is a fan of short and simple, headline, digestible points with links to longer form information. Go for a user-friendly, layered approach. This will encourage people to actually read it!
Data controllers and processors. Who is what/when?
- Controller: decides about purpose of processing — what data is collected and what it’s used for.
- Controller to controller transfer: an example of this is a business giving data on its employees to its health insurance provider or pension provier.
- Processor: follows instructions and does what a controller wants it to do with the data provided. Note that some of your agency or contract workers will technically be your data processors — you may need to update your contracts in this regard. Look at your priority list in deciding how soon to action this!
- Controller to processor transfer: an example of this is a business giving data to a payroll processor or cloud provider.
- Whether you are a data controller or data processor at each point affects your (a) liability position (b) what provisions you should be putting in your legal agreements.
- Breach by controller: liability falls purely on controller. Regulator and/or individual claims should go against them. Albeit note the chain of involvement here — how did the controller get that data, what safeguards were put in place by any party who was transferring them the data? The businesses in this chain of transfer may also be investigated.
- Breach by processor: previously, liability attached to controller but processors can also now be liable for their actions.
Action: review and amend commercial contracts to include GDPR compliant clauses and to ensure you fully understand where you are exposed to liability (and where you may be passing this down the chain).
What about transfers outside EU? We have a separate US company — we have marketing teams in both countries, both processing the same data.
US is not an ‘adequate jurisdiction’, and has a very different approach to privacy.
There would be three options to transfer in this scenario:
- US Privacy Shield: some suppliers may have signed up to this. US companies voluntarily agree to comply with various privacy standards. If they do this, you can transfer personal data to them.
- Binding Corporate Rules: intragroup arrangements approved by two regulators. These can be time-consuming and expensive.
- Model Clauses — most likely and user-friendly course of action: EU commission has approved certain contractual clauses (with no amendments). The US and EU intra-group companies cansign these binding both of you, then you can transfer the data. Regulators then consider that you have adequate protection around this data. Put in place an intragroup data-sharing agreement including these clauses. Then set up a yearly review of the agreement to ensure relevant data continues to be captured.
Links to the model clauses for international transfers:
Controller to controller:
Set II was introduced in response to criticism that Set I was too onerous, particularly on the recipient. Data controllers may choose either set but may not amend the clauses or the Sets (except for the additional information that the specific transaction requires).
Controller to processor:
Generally, if you have personal data being transferred outside of EU, you have to think:
- What is my processing ground?
- What is my basis to transfer it outside EU?
We sell via distributors, lots of whom are outside the EU. Someone might enquire to our website and we might pass this information on to a third party in Asia (for example). Can we do this in a compliant way?
- Check if the jurisdiction is ‘adequate’. You may not need anything additional.
- If not, include the model clauses in your contract with distributor.
- You can always rely on consent from the individual who has enquired to pass on their data, but are you going to reach out to them to obtain this?. Perhaps you could respond by saying — your enquiry can only be dealt with if you pass on personal data to the distributor and see if the response is “I’m happy for you to pass it on”. This may be the cleanest route.
I’m a UK company with global customers. Am I captured by GDPR?
- Yes — these regulations will apply to your data, even if this relates to US (or other) persons. It is the nexus of the data controller that matters here, not where the customers are.
- If there was a breach affecting a US customer’s personal data, you would need to tell the relevant EU regulators.
- It is likely to be easier to treat all your customers in the same way (regardless as to where they are based) and ultimately better for PR!
What if I’m a US company?
- If you are a controller or processor based outside of the EU and you are processing data from individuals in the EU, the GDPR applies to you.
- If you are offering goods and services to EU individuals (even if this is for free) or you are monitoring their behaviour, you fall within the scope of the GDPR.
What are our obligations to our employees?
- What data do you have on them; why do you have it? It’s a good idea to have this figured this out in advance!
- Confirm your legal basis for the processing.
- Train your employees in how to look after other employees’ and your customers’ data.
- Create the right culture. Feel free to send prank emails when computers are unlocked to remind people to lock them!
- Write policies which are actually adhered to and can be adhered to — its likely the regulator will be even more unimpressed if you have a bulletproof policy, but no-one behaves with any consideration towards data.
- Do you have USB blocks; printing logs; can people email from your systems to Gmail/Hotmail; is there a limit on the size of file that can be sent; what access rights do people actually need for their specific jobs?
- Be careful about personal data that is created. People have a right to see information you have on them, for example, personal reviews. If you wouldn’t like them to read it, don’t write it down!
- Subject access request: this isn’t a new right. Anyone can ask for copies of their data. They can ask, do you have any personal data on me; why; where is it stored; do you transfer it; who else may hold that data and who you have passed it onto? Don’t forget in sharing this, you may be sharing someone else’s personal data. The ICO has very helpful guidance on this, with a good step-by-step guide as to how to respond to these requests. (A crafty suggestion: submitting a subject access request to Facebook before you close your account allows you to receive a nice clean set of all your photos!)
- Allow for 28 days to respond with the potential to get an extension if you are challenging the request.
- If you get overwhelmed with requests the regulator should understand that the business can’t just stop. They would just want a sense of what your plan is and how you would look at dealing with these requests.
- Right to erasure: This is a newer right. An individual will request that any data on them be deleted. Both of the rights — subject access and erasure — aren’t absolute rights so take a breath and consider your position carefully before responding.
What about CVs?
- Technically you should be sending prospective employees a privacy notice. A ‘Jobs/Vacancies/Careers’ tab should really include this; or you could even have an automated acknowledgment email linking to a privacy notice when a submission is made.
- A CV that has been voluntarily submitted and contains no sensitive data should be fine to share but it may also be sensible in the automated email response thanking them for their submission to note that the CV may be shared within the business (and to other businesses where you think they could be suitable) and they should contact you if they object to this.
- How long do you keep it? As long as necessary is the unhelpful response! If you fill the job, delete CVs 3–6 months thereafter, but you could justify holding on for longer for potential other jobs. Trade bodies should hopefully bring out some guidance on this in the near future.
- No one is going to be fully GDPR compliant by 25 May 2018 and the regulators know this.
- Your high risk areas should have been tackled: typically those that are most visible externally, like marketing or privacy notices.
- Updating your controller-processor agreements should be underway but may not have been completed just yet. You should have at least diligenced your processors and be confident that they will be compliant.
- You should be confident that you have generally been putting in a good effort to attempt to tackle and implement the GDPR.
- It is great that we are all thinking deeply about the way we handle personal data and you should be making good progress in this regard, but you aren’t alone in being some way off from gold standard compliance.
A Useful Resource:
The ICO website contains lots of very helpful information and is a great place to start with your queries — https://ico.org.uk/