On The B2B Show, we showcase sales and marketing success stories from some of Ireland’s leading B2B practitioners (aka our heroes). We hope their examples and best practice advice serve as inspiration for your own challenges.

GDPR Podcast

Show transcript

We use Temi to automate transcripts for our videos and podcasts. It’s pretty good but not 100% accurate, so you might spot the odd quirky error. If this upsets you, write a strongly worded email to god for introducing imperfection into this world.

Ian Blake: 00:04 You're listening to the B2B podcast. We're committed to educating B2B CMOs, CEOs and marketeers looking for best practices on how to grow their business. Learn from your peers on the tactics, tools, and strategies they use to consistently grow their business. I'm your host, Ian Blake. Let's get into the show.

Ian Blake: 00:23 We're delighted to have Liam McKenna with us today. Liam is a partner of ours and GDPR is one of his specialist areas, so with GDPR only 10 days away, and our data commissioner, Helen Dixon, commenting recently that she felt only 30 percent of businesses are ready for GDPR, we're extremely lucky to have Liam on the show to share his wisdom. You're very welcome, Liam. Thanks very much, Ian. Delighted to be here. Before we get into the show, can you tell us a little bit about yourself? Yeah, I'm the consulting partner in Mazars and primarily focused on regulatory driven change, but I suppose I started my career back in dealing with firewalls and technology close on 20 years ago. Well, actually it's more than 20 years ago now, so I've always had a plaza security and then became a previous view and really been connected to data protection over all those years.

Liam McKenna: 01:11 But over the last two years, GDPR has just been a very large proportion of our work and focus. So Liam, can you tell us a little bit about Mazars and what they do? Yeah, certainly. So Mazars is present in 80 countries around the globe. It's 22,000 people, a very large professional services firm. So traditionally we would do audit, tax, accountancy services and we've developed consulting over the last 15 years. We also do outsourced payroll, so it's a very large organization coming out of France, which is our headquarters, as one firm. So our clients have the benefit of having one team, um, one balance sheet and profit and loss across the organizations, which means we will always get the right people to the right job and that's, um, it's a great place and we're making great progress in Ireland and across the globe.

Ian Blake: 01:58 Very good. And we know you look after, you know, GDPR for Mazars and privacy is there. Is there any other specialist areas that you look after within the consulting team? We've a very strong HR strategy team. We also do decision support and financial modeling and we do IT consulting. I suppose my own focus is a lot on regulatory driven change, so GDPR falls into that. But we've done a lot with the banking regulations, codes of conduct and the like. And obviously we'll talk about the ePrivacy regulation through the podcast here, but you know, that's, that's another thing that we're focused on already. We're looking into it and we'd anticipate work. So that's what my focus is, a little bit more on the regulatory side with technology, but the consulting team is quite broad in what we deliver. Okay. Very good. So GDPR, so topical at the moment and only days away, you're obviously interacting with businesses, I'd say on a daily basis.

Ian Blake: 02:51 So could you just share with us what the, what the challenges they're facing are and what they're doing to rectify them? Yeah. So obviously the businesses, as you said at the start, Helen Dixon commented that only 30 percent of organizations are well prepared, and so there's a very large difference between what various organizations are doing. The more mature organizations are looking at IT solutions for subject access requests and understanding retention periods, and these are probably more of the mature areas. Whereas there are other organizations which are really just starting the journey and they're ringing ourselves and saying, you know, can you come back to us and talk to us about GDPR and how we should become compliant. I suppose the key thing is for us to address, provide the clients with the most relevant and useful information and advice given the point they're at and the time that's left.

Liam McKenna: 03:44 I know certainly when people ring us up now and they're saying we don't have a lot done or we have nothing done, it's clear to us that, you know, there's a couple of things you need to focus in on, which are privacy statements, subject access requests, breach management. Because that's. We've been tracking the commissioner, I have, for the last six months, what she's been saying. We've been discussing with our clients who have had communication with the commissioner what messages they're getting back, um, and we've just been following the news, et cetera. And based on that, it's quite clear that if you're transparent, and that means having a privacy statement on your website that says this is what we do with data, this is who we share it with, this is the legal basis we have for doing this, and really provides people with all the information, so that they can look at your website and actually know, okay, if I decide to do business with these people or buy a product from these people, this is how they're going to treat my data.

Liam McKenna: 04:37 And obviously being on the website, it's the most visible part of your compliance project. And if the commissioner were to receive a complaint, they could, from the comfort of their own desk, look at your website and say, okay, these guys obviously have done something for GDPR. Or they could say, look at that. They're using an old data protection statement there. That's all about the cookies on the website. They're nowhere. Okay, we need to focus in on these guys. So the privacy statement is the most visible thing you're going to have with regards to GDPR. Then you know, the second thing is probably the subject access requests. Fifty percent of complaints to the commissioner in the last number of years have been related to people not providing responses to requests in time and with the level of detail needed. So you know, understanding if we get a subject access request, which means provide me with all the data you have on me as an individual.

Liam McKenna: 05:29 That includes emails, that includes your core system, that includes spreadsheets. Just extracting the data and making it available. To me, if you're not able to do that, you're going to be in trouble. In the past, I suppose, if you wanted to do a subject access request as an individual, you probably hung up the phone, irritated after some service call you didn't like. You then have to write a letter, find an envelope, go to the post office, buy a stamp and, while you're there, get a postal order because it costs €6.25 and you no longer have a chequebook, and then send the whole thing off in the letterbox, and you know what, you've lost interest and you've moved on. Now, hang up the phone and send an annoyed email for free: send me all the data you have on me within 30 days.

Liam McKenna: 06:13 And that's really what people are focused on, an uncertainty at the level of demand and their ability to satisfy that demand if they have a Joe Duffy moment or something like that. Yeah, yeah. Okay. And, and a subject access request, just to be clear, is somebody emailing me, emailing a telecom provider and saying give me all the information you have on me. Yeah, but it doesn't necessarily have to be by email, but it's some form of notification. So a lot of the organizations that we're dealing with have their customer service staff trained up now at this stage: if somebody says I want to make a subject access request, how do they deal with it, etc. So it's to be prepared for the fact that, we're anticipating, there are a number of rights of the individual. The subject access request is one and we need our people to understand how those rights apply, and if people challenge them on the phone or through some other form to invoke a right, well, do we do it, is it relevant to us, and how do we manage that internally to make sure we are compliant.

Ian Blake: 07:17 Okay. And you mentioned a third there, there were three things you said. One was the privacy statement, the second was the subject access request, was there another? There was, breaches is another one that we know the commissioner has focused in on, and it's probably less visible. You know, obviously if you don't have a privacy statement, it's incredibly visible. If you can't satisfy the subject access requests, it's going to be visible pretty quickly. Then the third item I mentioned was that there's now an obligation that if you have a data breach, you assess that breach and within 72 hours, no, not working hours, seventy two hours of that breach, you make a decision to notify the commissioner and notify initially within that 72 hour period. So if the commissioner finds out that, you know, you've been sitting on something for two months, a data breach, and you were aware of that, the likelihood is you'll get fined twice: once for the data breach and once for the breach of the reporting obligation.

Ian Blake: 08:15 All right, so, so there are kind of three kind of headline items to be aware of. Our listeners are predominantly B2B marketers and from talking to our customers and other people within the B2B marketing community, their challenges lie around, you know, list management or data management of the database. You know, people who have either opted in in the past or who have downloaded something, I suppose. What advice would you give to them who have these databases and are wondering what to do with them? Yeah, I suppose probably if they've done a lot of listening and reading on this, they might be a bit confused because there's quite a lot going on there beyond GDPR. You know, we have a 2002 ePrivacy (electronic communications) directive. We have a 2011 statutory instrument in Ireland which underpins that. We have the GDPR which is coming into force and we have what's called the ePrivacy regulation, which is likely to come into force in 2019 and is in draft at the moment.

Liam McKenna: 09:16 So, so there's a lot of interpretation, you know, any one of those items in their own right would be a bit of a head scratcher. You have to sit down and work through and understand what to do. I suppose maybe to give you an example, because I think it's hard to give advice over this podcast which every organization can apply, but maybe if I just tell you what we're doing in Mazars with regard to our own assessment of how that impacts on our, our database of contacts. And you know, like many organizations, our contacts will be a database that's made up of clients that we have, individuals we've met along the way, people we've gotten business cards from over the years and said, oh, you know, we'll keep them in touch with things. And I suppose ultimately what, what it comes down to is whether or not you need consent, and under GDPR consent is difficult to achieve.

Ian Blake: 10:07 It requires a pretty high bar to evidence. And so you do have the option of either using consent or what's called legitimate interest, and ideally you're able to use legitimate interest, and that would mean that in effect, as long as you've got the right updates in your emails, you're okay. But maybe just to summarize it, where we've landed is, based on the 2011 statutory instrument, we can direct market to any business email address. There's an exception in there for that. Now, again, this could change with the ePrivacy regulation, but you know, that's one tick in the box that will add grades. Okay. Um, so then we got to personal email addresses and again, you know, when we looked at our database, 20 percent of the email addresses were Gmail, Yahoo, items like that. And we were like, okay, you know, this is now not clearly a business email address, what do we do with it?

Liam McKenna: 10:57 And so we had a decision to make as to, okay, well if, if we can say these are customers, we've dealt with them in the last year or we've communicated with them in the last year, we're providing communication to them about our services, not somebody else's, and where the services are all similar. In that instance, we're allowed to continue to market to them via direct email. If, if those things aren't true, well then we're on risky territory. So what we chose to do is, because we weren't able to, there's quite a lot of ifs and buts there, we decided to remove all of the personal email addresses from our, from our database. And what we did was we sent the list to the contacts who had entered them and said, look, you know, can you ask your clients or your contacts if they would like us to add their business email address to, to our marketing database or not, and we are getting into the whole consent thing which would require them to opt in.

Ian Blake: 11:56 You see, for example, there are a lot of opt-in campaigns. I'm sure everybody's received emails recently saying, look, we'd love to keep in touch with you. We'd love to continue to send you our message. Click on this button and you'll opt in. The rate of return on those is somewhere between four and 10 percent. So obviously it's worth doing if you've got no other option, but it's not the ideal solution. Okay? So just because this, this is really, really interesting for us, for this community, and I just want to test my understanding of it. At the moment, you can direct market to a business email address, correct? Yeah. Based on the 2011 act, however we need to look at the ePrivacy regulation in the future. But right now you can. Yes. Okay. Regardless of whether they've given consent or not. Correct. Yeah. Okay. And that's our interpretation in our situation, right?

Liam McKenna: 12:46 I'm not giving legal advice here, so. Okay. And that includes, in, in, you know, marketing emails, you know, if you have a database of a thousand people and they're all legitimate business email addresses, once you have a statement at the bottom of that email to give them the opportunity to opt out, that's. That's okay. Yes. Yeah. Okay. The other question, and it relates to what we've just discussed, is the difference between a sales, or what we'd call a sales email, and a marketing email. So the marketing email is, you know, a mass email to a thousand people or 10,000, whatever it is. And then you have a sales email, which is, you know, you meet someone at a conference, you get their business card and you send them an email, or you, you guess their email address. Salespeople would be, you know, might go onto a website or they might work off a list.

Ian Blake: 13:36 I just was wondering, is there anything to be aware of there in terms of emailing people that you know, haven't, you know, you've never met, never provided this, you're not. They're not a customer. So yeah. Yeah. Where you know, where the client, where this contact is not a customer and you've never had any communication with them and it's a personal email address and you're sending them an email. You're, you're on uncomfortable ground there. Okay. You need to be considering that. Now that's different to when you say sales email, for example, if you sell cars and somebody comes into your showroom on Saturday and you know, then they leave you an email address or they leave you a telephone number, but they aren't specifically asking for consent. They're consenting to anything. But you can continue to follow up that person under what's called legitimate interest for a number of weeks or even months and say, look, you know, typically the car sales process is three months, so I'm going to follow this person up.

Liam McKenna: 14:38 If it's not direct marketing, it's not marketing, it's sales and it's a legitimate interest. So I think you need to consider all these things. What the commissioner's advice has been is, look, there is some interpretation here. It's not clear at the moment. At the moment the GDPR is really a theoretical textbook. There's nothing, no sanctions applied as a consequence of it. There's been no civil actions and they accept that there is a lack of clarity in areas. And what they've advised people to do is say, okay, well if you're going to do something that you're not sure is right, put it down on a piece of paper, one or two pages. This is what we thought about it. We challenged ourselves on it. We put some context around how the GDPR applies and this is the conclusion we came to. And in that event they've said, look, you know, we look upon that very favorably, and in fairness to the commissioner, they've always been very collaborative and fair to organizations.

Liam McKenna: 15:34 So that may, I suppose that approach may have to change a little bit given GDPR and the obligations on them for sanctions, et cetera. But I wouldn't expect it to change overnight. Just as you were talking there, Liam, it reminded me of something I read recently about documenting, you know, how you handle data. So you, you, you, you referenced there documenting the fact that you thought about this particular scenario, but in terms of how companies are managing their data at the moment, would it be advisable for them to document it? Not, you know, hundreds of pages, but you know, a few pages on this is how we approached our data. This is what we did, this is how we're dealing with these different, these different datasets. Is that something that. So there's certainly, there's a couple of points there.

Liam McKenna: 16:27 So under GDPR, if you have more than 250 staff, you are required to have what's called a record of processing activities, and even if you have less than that, it's very hard to write a privacy statement and to know, you know, to be able to do the GDPR project without one. And what that is, is basically, at its simplest form, a spreadsheet that says these are the processes, this is the type of data, this is why we think we're allowed to use this data, this is, you know, who we share this with, and you know, it asks a number of questions, and so that is the very basic starting point for any GDPR project. And when I said to you at the start, you need a privacy statement, it's very hard to write a privacy statement if you haven't actually gone through that activity of, okay, what are our processes, what personal data is associated with them, what do we do with it and on what basis, and who do we share it with.

Liam McKenna: 17:17 Okay. So that's pretty critical. Then the second point is, generally within the GDPR projects, there is a set of standard documentation that's needed. You know, there's rights of the individual that you need to satisfy and those obligations of the controller, things like DPIAs, data protection by design and default, whether or not you need a DPO, a bunch of stuff, and there's a kind of standard set of documentation that you end up with, and then there's what we call the head scratching stuff, which is the one or two pages of things that were unclear. You had to make a choice on them and you're hoping that if, if you ever do get challenged on it, you'll be able to pull out this bit of paper and they'll go, okay, fair enough. You're doing your best. We'll give you three months to get it sorted out. Okay. Okay. Because I was distinguishing between the privacy statement on your website and then how you actually went about it internally, which might be.

Liam McKenna: 18:10 Yeah, no, absolutely. Like the, the, the, you know, I said at the start, I've been dealing with data protection for 20 years, but really up until recently we spoke about the principles of data protection and it was very high level. Now we're talking about 785 clauses of GDPR across 99 articles and it's much more detailed how we're looking at it, and I think that one of the reasons for that, beyond fines, is that there's only one principal change and that principal change is accountability. So in the past the commissioner would come into an organization and they'd have to identify noncompliance, whereas now we're accountable. They come in the door and they say prove your compliance with GDPR. If we can't prove we're compliant with GDPR, well then we're noncompliant. That completely changes the relationship and how they can approach us and what we need to do, and as you said, even in that circumstance it makes a lot of sense to have some sort of document, which maybe is put together with a strategy document or a policy document as you described, something that explains this is how we're approaching this whole thing.

Ian Blake: 19:17 Very sensible. Okay. You mentioned earlier in our conversation the ePrivacy regulation, can you just provide an explanation as to what it is? Yeah, so like GDPR is about personal data and all use of personal data across any industry. The ePrivacy regulation is not about personal data, it's about data that goes across electronic communications methods, so you know, it includes any rules that are set around direct marketing, could apply to business data and personal data, but it is focused primarily on e-communication services as opposed to all services. So for example in healthcare, if you run a hospital, it's unlikely that you're going to be heavily impacted by ePrivacy. You know, those pieces around cookies and the like. But if you're into, if you're in marketing and if you're using internet channels, well then it's going to affect people significantly. Now the challenge with it is that originally it was, it was intended to bring this into force on May 25th so that it was at the same time as GDPR and we could just bring all of this thinking together and put one solution in place.

Liam McKenna: 20:31 Unfortunately it's been delayed now and I believe that Bulgaria, or the, or the presidency of Europe at the moment, they're targeting getting the text finalized at the end of this month I think, or in June, with then a view of bringing it into force sometime in 2019. So, you know, I was reading through it. It's a pretty significant document. There last week there was still a number of significant changes added to it, so, you know, it's hard to. It's hard to say exactly where it's going, but what I would say is that your decisions around direct marketing, around how you use consent, around how you use cookies, they all need to be reconsidered at some point post the ePrivacy directive getting finalized, and obviously that's not ideal, which is why originally there was talk of aligning both GDPR and the ePrivacy regulation, but, uh, unfortunately that hasn't happened. Okay. I suppose there are benefits to the fact that it's delayed for small businesses, where they can kind of get their head around GDPR. Like, like all things, when these things actually happen, there's a little bit of a, an exhale.

Liam McKenna: 21:37 And people go, oh, you know, we kind of have our head around it now, and then if ePrivacy comes 12 months later, they'll have had a little bit of experience about, you know, becoming more compliant with GDPR and then it won't be as big a hurdle then to become compliant with ePrivacy. Yeah, quite possibly. I suppose the flip side of that is if you look at, for example, if you do, if you do need to get into marketing consents, GDPR would allow you to say, have a statement, do you consent to us communicating with you over the next period or whatever. And you click yes or no or tick yes or no. And that's valid consent. However, under the ePrivacy regulation, that's not going to be valid consent. You're going to need to, to choose the channel that you're willing to accept this communication through.

Liam McKenna: 22:22 So, you know, it needs to say text, post, email, telephone, whatever. So I suppose the challenge for organizations, there are some organizations, we had a conversation about it at the start, about how you, um, how you communicate with people and the right to do it, and it's much more complex when you're dealing with personal data as opposed to business data. But if you've put in a solution which is compliant with GDPR but hasn't considered the ePrivacy regulation, in a year's time you could find you've captured 30,000 consents and they're all invalid because of the ePrivacy regulation. So we're trying to, when we're talking to businesses about capturing consent and what they're calling re-permissioning, we're building in, where we can, the ePrivacy requirements. So the very simple one there is including the different channels, so that we know that's going to be required in the ePrivacy regulation.

Liam McKenna: 23:13 Um, and if we don't do it, it'll mean that ePrivacy comes in and suddenly all those consents that were valid under GDPR are no longer valid. And you're back at the starting point again. Okay? So with that in mind, it's probably advisable for people to start thinking about this, certainly if they don't want to be doing stuff, you know, capturing data that will be null and void whenever this comes in. Yeah. And look, I suppose on your question I gave you the negative side. Like the point was, is it nice to have a little bit of a kind of lead in, and if an organization is only really getting its head around privacy and the need for privacy, GDPR touches so many different areas of the business, whereas the ePrivacy regulation is quite narrow and it's going to be dealing with the sales and marketing functions really.

Liam McKenna: 23:59 So you know, possibly if we've got some training, if we begin to get a bit of a culture of privacy going, if people start to understand where the personal data is or those things, you know, maybe, maybe it will be helpful to have that break for some organizations. Okay. Very good. Just before we finish up, is there anything I haven't asked or is there anything else we could tell the audience about GDPR? No, I suppose a couple of things strike me. You know, the clients we've been working with for, you know, maybe a year, the, the larger organizations that have complex IT projects and have been working on this a long time. I'm finding now, as we come to the end of the GDPR project, it's only really at this point that we're starting to have real privacy conversations with people, where, where, you know, somebody will come up to me and say, you know, we're doing this with personal data.

Ian Blake: 24:50 Would it not be better if we didn't do that at all? Surely we don't really actually need it all. So there is a maturing here, and getting some compliance documentation in place and getting over the initial hurdle is really the first step. I think this is going to become, five, six months ago people were saying, is this Y2K? It's absolutely not Y2K. Everybody cares about privacy. Everything you read now is about privacy. You read about data breaches and the reality is, as you know, we are at risk. No society that has not had privacy has been a good society, and you know, we do need to be careful about that, and I suppose people are aware of it. On a number of clients in recent weeks, individuals unrelated to the GDPR project have come up to me and said, Liam, I received this or this has happened to me.

Liam McKenna: 25:38 Can I make money out of that? And I'm like, well, wait until May 26th because you can't today, but maybe then you might. So what I would say is, if you've had your head in the sand, get started because it's not going to go away, and you may well avoid the attention of people over the coming months because, you know, there's a limited resource in the commissioner's office. If you aren't getting complaints, you should be okay. So you know, don't be frightened of it. Find out where your data is. Draft a privacy statement and start working through it, I would say, is the advice I give people. Well, thank you very much. That's all very valuable and great advice for a community that is really interested in this topic. So Liam, thank you very much for your time and for the content. No gracie, and thanks for inviting me on and, uh, the best of luck with your other podcasts.


In this episode we talk to Liam McKenna, Partner and GDPR specialist at professional services firm Mazars. Liam tells us the 3 most important things to have ready for GDPR, how Mazars are dealing with GDPR and gives advice on how GDPR will affect B2B businesses.