Today, we feature several entrepreneurs from the post-GDPR economy:
Jan Wouter of gdprlawyers.nl
Erik Oehler: GDPR, or the General Data Protection Regulation, is back in the news lately. Hefty fines against British Airways and Marriott for the handling of data breaches sharpen the teeth of regulating bodies, in those cases the UK Information Commissioner's Office, or ICO. Earlier this year, Google was hit with a 44 million euro fine for a compliance violation by CNIL, France's data protection office. But old habits die hard. The virtual data collection game has been running at scale for more than 20 years. It's hard to just turn it off.
But what really jumped out at me about GDPR was the economy it created. With new regulations and a mandate of compliance comes an entire ecosystem of jobs and opportunities to help companies which were, despite having two years to prepare, largely unprepared.
Just some stats. A Dimensional Research survey found that 83% of U.S. privacy professionals expected GDPR compliance spending to be at least $100,000 for their companies, with 40% stating over $500,000 and 17% expecting over $1 million. And that's in the U.S. Where does that money go? The obvious roles like info security specialists, programmers to show if vulnerabilities come up. But there's an entire data strategy component to being GDPR compliant as well, and a lot of people working to help companies get there. Today you'll hear from some of the participants in this new economy: data experts working with companies on compliance and defining their strategy, some of the problems they've run into, and where we go from here.
From Alaris a Kodak Alaris business, my name is Erik Oehler. Welcome to Data Dives.
Erik Oehler: Some of the firms most impacted by GDPR have been small businesses. Two such companies in the Netherlands are aimed at smaller businesses and some of the unique challenges they face.
Richard: Hi, my name is Richard Kranendonk. I'm a partner in Pragmatic Privacy, which is a privacy consulting firm in the Netherlands in Europe. And I'm the founder of Rent-a-DPO.Co, which is a service that handles all GDPR related operations for companies from outside the EU.
Erik Oehler: A DPO, or data protection officer, is certainly a role for the modern era. GDPR mandates companies hire a DPO under some circumstances, but those are vague and most companies don't want to leave it to chance.
Richard: Yeah, and it's increasing in necessity also because of the laws which are already active in the EU, but also other countries are now making initiatives in this area, like the state of California for instance.
Erik Oehler: With Rent-a-DPO, Richard offers companies the option of hiring him for as little as one day a month to assist with data strategy.
Richard: Smaller companies and medium sized companies, you don't need a full time DPO. In the companies I work with, which are typically between 50 to 500 employees, we see that it's somewhere between one day a month and two days a week.
Erik Oehler: GDPR took a lot of these companies by surprise. There's a lot to know and even though many have tried to prepare, there's almost always more work to do.
Richard: They thought about it, they worried about it. They tried to educate and inform themselves and then quickly get lost in this goal which seldom states the VERY clear stuff you can do or can't do. I haven't encountered a company yet which has a solid data strategy.
Erik Oehler: Wow, that last line really hit me. Why don't companies have a solid data strategy? It turns out it's because it's almost an impossible task to take on, especially when data is your lifeblood. And because strategy isn't just a matter of deciding where you store the data, it's everything about it.
Jan: So I'm Jan Wouter, I'm a GDPR lawyer and IT specialist.
Erik Oehler: Jan works with companies in the Netherlands on identifying all of their data; cleaning it up, ensuring they're compliant, and developing a strategy going forward. The first step in that process is compiling a register, a collection of all the data a company processes.
Jan: I'll start with the process as well. When do you do this and for whom do you do this? Who are your clients? Are you insured? Do you have an accountant? Just go through processes, the administration process and the sales process and the actual making of the product process.
Erik Oehler: But even more difficult, he says is getting companies to break old habits.
Jan: Well, I did an analysis for a medical company in Amsterdam. I made a data register and just went over the data register over and over again with them. And they understood what it was and there was no more data, personal data, saved. A few days later I got an email from my contact there and she said, "Can you please send me your resume so I can save this for future use?" Either she had this great sense of humor or yeah.
Erik Oehler: Meanwhile, a similar story plays out in the UK.
Harrison: My name is Harrison Mussell. I run a company called Periculo, which is a cybersecurity and data protection consultancy. And also founder of the startup Mappd.
Erik Oehler: Harrison helps companies in the UK with GDPR compliance as a managed service. And processes, not the data, are the hardest part of achieving compliance.
Harrison: There's a challenge for smaller organizations. The ones in particular kind of up to about 200 members of staff is very difficult sometimes to get them completely on board. They know they've got a requirement by law that they need to comply with this regulation. However, the hardest part of any kind of GDPR compliance or any compliance framework for that part is the cultural shift in the cultural change. So essentially making people actually believe it and kind of consciously follow what they need to day to day. An example being as an organization that you've kind of gone through this end-to-end uplift to become GDPR compliant if you can call it that, whereby you do a gap analysis, you'd find out all the gaps that they've got.
Harrison: Then you'd go through and kind of uplift it. Put in the processes, do the training and things like that. Then they're appoint... They can get some kind of certifications and things like that to show the level of compliance that they have. Which is all good and well, they're doing something and it's better than nothing. However, when you spend a lot of time in that organization, and particularly if you're sat outside of the organization itself as a third party, is that quite often they will still be doing those kind of old historic processes, all those things that they've kind of been stuck in their ways a bit without telling you. A lot of the work that I do with some of my smaller clients is almost like detective work.
Harrison: However, when you're offering a data protection officer as a service, for example, you've got legal obligations to make sure they're doing things the right way.
Erik Oehler: So how do you weed out those processes?
Harrison: There's an awful lot of work that has to go into kind of keeping on top of people and getting yourself far enough into the business so that you can be part of those conversations that aren't in a formal nature when you're speaking to somebody individually. That's probably one of the biggest things that I've had to kind of change when dealing with clients, is to actually take a different approach with how you're embedded in that company. A lot of people might want to be a data protection officer or a security company for example that sits outside the organization, but it just doesn't work.
Harrison: You need to be there, you need to be part of those conversations. You need to be part of the organization itself and kind of since making those kind of changes, people are more welcoming to processes. They're more welcoming to working in the way that you want them to. Security compliance isn't necessarily difficult, getting a certification. You can do it as a tick box exercise, but actually embedding something within a company's DNA, if you wish, is the most difficult part and that's where it takes time.
Erik Oehler: I asked Harrison and Richard whether there were certain roles within companies that were more resistant than others. Here's Harrison.
Harrison: Marketing being one. Sales; the revenue focused or product focused areas are usually the pain points from a compliance perspective because they've got deadlines. They've got targets, they've got things that they need to meet and they quite often see this as a blocker.
Erik Oehler: Richard says a lot of that reluctance comes from overvaluing the data they have.
Richard: People are very reluctant to let go of what they have and they tend to overestimate the business value of a lot of data assets. For instance, I worked with a scientific publisher company. They had a database in which all of this was thrown together. There was much unclarity about the provenance of the data, about having consent or having other lawful grounds for processing this data, because consent is not the only lawful ground. I entered into a discussion with their marketing team and then you have to... It's kind of like a peeling-an-onion strategy.
Richard: You have to drill down and be critical about... This part of the data set comes from a company which you bought 15 years ago, and what do you think the data value is of making contact with someone who once entered an email address 15 years ago and you can't for the life of you remember why they entered it and, well hey, you obtained it. How much data do you generate from this? And then if you ask those kinds of questions, you can eliminate a lot of data sets or parts of data sets. And if you approach it that way, it makes it a lot easier for people to part with this data.
Erik Oehler: There's also a perception as Harrison explains that small businesses are too small to be bothered with, that compliance is only for big companies.
Harrison: That is something that... I probably had that exact conversation with an organization who've said, "Well, what's the likelihood of this actually happening to us?" So long as you are actually reporting on the breach that you've got, it doesn't matter about the size of your organization. And I think the ICO did a good job to start off with kind of publishing some of the smaller organizations that had issues. But actually I think it was as soon as they came in with the 4% of your annual global turnover, or I think it's 20 million euros maximum fine. Then actually people started to think, "Okay, it might not happen to us, but if it did, it could be catastrophic".
Erik Oehler: In fact, Harrison has had some customers you wouldn't expect reach out.
Harrison: I've had a salon contact me about their GDPR compliance, which I would never have ever had a conversation with somebody who owned a salon about security or data protection. It would have been unheard of. You can see how it's changed and how kind of the media and the news managed to get it in such a big thing that a lot of people worried about it.
Erik Oehler: Correcting this approach is called privacy by design and it's systemic starting with greater awareness internally.
Richard: It starts with a people becoming aware of the risks they introduce when working with personal data. When you're working with a database with a thousand or even a million records, it starts to become abstract. You forget that each row in the database is an actual person whose lives may be impacted when their data falls in the hands of the wrong people or even with the best intentions gets used for different purposes that the data originally was provided for.
Richard: What the EU legislators hope to get to is that when you or I in our own companies, every time we start something new or start working on a new system or introduce a new service or product, we think, "Am I introducing new risks here? Do I have enough lawful ground for starting this processing, or have I properly looked at the measures, the risk mitigating measures we have to take before we can actually get these services out there?" It's all about awareness and being responsible.
Erik Oehler: British Airways and Marriott were in the news recently for pretty heavy fines for data breaches. The news cycle led to a lot of renewed interest in GDPR. Harrison says it isn't necessarily the breach that causes the problem. It's how prepared you are in your culture and processes and how you're able to handle the fallout.
Harrison: The conversations that I have with organizations is always that if you're going to end up with a fine or you're going to end up with any penalization from the ICO or any other regulators, it's not necessarily down to exactly what's happened, it's how you handle it. Although I think with the British Airways fine, they put in remediation and they'd done things, at least I'm pretty sure that potentially a number of things that happened that they'd held back, and it was through the investigation of how those happened that actually that fine had come about.
Harrison: Now I have a lot of conversations with organizations that often say things like, "We've always done it that way, so we were going to continue to do it", or "We're doing this because somebody else is doing it". Things like that that don't show that you're making enough of the thought process and being conscious of your decisions and documenting your decisions, are the things that kind of get you to the point where you're going to get a fine. It's showing that you're... it's the disregard and the lack of awareness, which is where you're going to get stung.
Harrison: If you're an organization who's made a mistake, you've got all of your processes in place and you followed that process and you've done everything that you can, then I think that it's likely that your, or sorry, it's unlikely that you're going to face any serious penalization unless this has been a repetitive issue.
Harrison: And it's all a step in the right direction. It's just the regulation itself is only going to be as effective as the people make it, essentially. Unless people are actively kind of carrying out their rights as a data subject under the GDPR, the more people do that and the more people are aware of it, then actually the better this is going to become.
Erik Oehler: So what can we do? How can we make people care about their data?
Harrison: It's all going to be down, even things like schools. I was having a conversation recently about whether or not schools should start teaching about privacy and kind of like your digital footprint and things like that as part of their school curriculum. Is it something that's important as personal hygiene, your digital hygiene? Because it's such an important part of now. I think these things are going to eventually start happening. But it's just such a massive subject and that's why it's so interesting, and that's why so many people get involved in it. Is that GDPR was kind of a good start to a future where data and organizations do things in the right way for the benefit of people, but also for the benefit of themselves and kind of not making it a one way relationship.
Erik Oehler: I asked Richard the same question about how well we educate people on the trade offs they make with their data.
Richard: I'd say humans are generally very bad at the trade off between instant satisfaction and long-term cost. That's why people smoke. That's why people drink. And that is also why people give their data away because some gratification which they can receive instantly.
Richard: I think we generally underestimate and cannot predict what purposes our data will get used for. It also becomes a question of who can you trust with your data? And that's where I think the whole privacy thing is now very reactive. Once companies realize that it can also be a brand value, maybe the whole way of thinking and even business models will turn around, like Apple is very active in that field. And there you see another point, that privacy will become, how you say, move from a commodity to a premium good. On the one hand that means there might be models in which individuals will monetize their privacy. The darker side of that is that it will be a premium to have privacy and poor people might not be able to afford it.
Richard: Well, starting with educating young people, young children, is a very good thing I think. And there are certainly some initiatives underway there. Parents should play a role in that also. But also in the work environments. I often interact with HR departments to get the education anchored in their whole employee journey.
Erik Oehler: Harrison noticed this problem and created his own company Mappd; you can find a link in the show notes and on our website; that deals with exactly this, the everyday person's relationship with data.
Harrison: And the whole point of Mappd originally was to kind of build this bridge between consumers and organizations so that people could get access to their information. People could have conversations with the business and actually that relationship of the data that you share between you and that third party could form that kind of a further relationship where you've got more kind of real time access to it. You can exercise your rights and things like that. Because if they're putting everything in place to facilitate it, then why you wouldn't offer that to your customers is a further benefit and to make it easy.
Erik Oehler: So Mappd's attempting to solve a problem that's growing, consumer apathy.
Harrison: And we did a lot of interviewing with people that we thought were interested in this kind of stuff. And actually turned out that when you asked somebody to take some time out of their day to be able to go and exercise their rights or do something come to the GDPR as a consumer, the majority of the consumers actually won't do it. There are some that do, but the majority don't care. Or it's another thing to add to their day and everyone's so busy that actually when you look at how massive organizations process data and everything is so complicated, everything kind of works in their favor because everything's so difficult that it's kind of less likely that people go out of their way to do something.
Erik Oehler: So what does the future of data privacy look like and what's coming next? I asked all three what they thought.
Richard: On the company side, you will see ways to look for automating the whole personal data life cycle management, and ensuring good data hygiene. It will become an issue in vendor management for all companies, a due diligence subject in mergers and acquisitions for instance. Certification will be a major field here because it saves companies doing the due diligence themselves. It will become an important part of brand value. If you can't guarantee me as a consumer, as an individual, that my data is safe with you, I will not do business with you. I will go to your competitor.
Jan: We've got a long way to go. The authorities, personal data should really grow and grow fast. If not, we've got a huge problem not only with the companies like Google or Facebook or Instagram, also Garmins that track data and track you wherever you go.
Harrison: I think the next big step is when people like the ICO start to spend more time to actually go out and proactively check organizations. I think realistically that's one of the next biggest steps, is when they get the resources and the capabilities. If they do, it's actually that's going to take everything to the next step and make companies even more conscious, even more aware.
Erik Oehler: And their advice for anyone just starting to take on this challenge of wrangling their data.
Harrison: Think about what you're doing and be able to explain yourself, why what you're doing is the right thing. If you couldn't sit in front of the ICO and explain to them why you're doing what you're doing and why it's right, then you're probably doing the wrong thing. If you took any regulation or anything out of the window, you didn't follow any process or its compliance, if you applied that to every aspect of your organization when it comes to data or data processing, actually you'd probably be in a very good... a pretty good place if you applied that across the board. That's one of the main things I have... One of the first conversations I have with a lot of organizations, is that if you can't do that, then it's likely you're doing something wrong. You need to make a change.
Jan: Well, certainly not hire a lawyer and spend loads of money on it, but do it practically: what data is going where and how do you save this? Is my computer protected, is my IT protected? My business partners, accountants, do they comply with GDPR?
Erik Oehler: My thanks to Richard Kranendonk, who you can find through pragmaticprivacy.nl and rent-a-dpo.co. Thanks also to Jan Wouter, whose site gdprlawyers.nl just launched. And Harrison Mussell, a partner in periculo.co.uk and founder of mappd.io; that's M-A-P-P-D.IO, which has closed beta testing and is nearing its launch. Sign up to be among the first to get access to it.
Erik Oehler: This and every episode of Data Dives is brought to you by Alaris, a Kodak Alaris business selling scanners, software and services that make it easy for your business to be paperless. Learn more at alarisworld.com.
Erik Oehler: My name is Erik Oehler. Thank you for listening.