3 Things You Didn’t Know About GDPR #22

3 Things You Didn’t Know About GDPR with Henry Herbert | Herbert & Ball #22

What do you know about GDPR? If you’re in the UK or the EU, you’ve almost certainly seen a buzz of publicity about it in the last year, and will have received dozens of emails asking you to opt in to future communications. It might have seemed like a good time to do some junk mail housekeeping and that, by not opting in, you’d get rid of some of them. Yet there’s still a lot of it coming in, and probably most of it’s legal. Confused? Nobody would blame you if you are, as the rules are not as clear as they first seem to be.

It’s not just email. Any business that holds personal data on a computer has to comply with GDPR. In truth, that means every business.

And it’s about to become more complicated. For example, companies based outside the EU – and that’ll include UK companies after Brexit, or companies from other countries whose only European subsidiary is in the UK – have to appoint a GDPR administrator within the EU.

To help unravel the rules, our host Oliver Dowson talks in this podcast with Henry Herbert. Henry was formerly a solicitor in a major London law firm, but left to form Herbert & Ball, a specialist firm that provides legal advice to SMEs across many different areas. In particular, he’s a specialist in data protection and GDPR, and spends his time advising businesses on marketing and website compliance.

If you’re into international business expansion, or simply just want to understand GDPR better, you’ll find this podcast a must listen.

Herbert & Ball was formed in 2017 to provide affordable, non-reserved legal advice to SMEs across a number of areas of law but particularly commercial contracts and data protection, with experience in the following additional areas: Aviation, Commercial, Franchising, Information Technology and Intellectual Property.


Contact details and Links

Website: www.herbertball.com

LinkedIn: https://www.linkedin.com/in/henry-herbert-881b07181/


Twitter: www.twitter.com/HerbertBallLLP


OLIVER: Today I’m talking with Henry Herbert about GDPR and Henry welcome to the ‘Grow Through International’ podcast.

HENRY: Thanks for having me Oliver.

OLIVER: That’s great, it’s a pleasure and we’re looking forward to learning some more about GDPR , particularly since it’s become such an important thing. Even though it’s been around for best part of a year, I’m not still sure that everybody knows what even the four letters stand for, never mind how it affects them. We’ll get into that , but would you like to introduce yourself first please?

HENRY: Absolutely, so I’m Henry Herbert, I’m a partner at Herbert & Ball LLP. We’re a specialist data protection consultancy amongst other things. I was formerly a solicitor at a major London law firm where I gained experience in data protection as part of corporate transactions, and decided it was something I wanted to do full time. So I set up a partnership, basically advising organisations in the run up to and after GDPR on a whole range of issues. Some very basic things such as privacy policies and basic documentation to subject access requests, complaints and everything else.

OLIVER: Just in case some of our listeners don’t know what GDPR is, and I suspect many of them really don’t and don’t want to admit it, can you give us a sort of “elevator conversation” and tell us what it’s all about?

HENRY: Absolutely, so it’s the General Data Protection Regulation. The regulation came out in 2016 and then came into force in in May 2018. Essentially it’s about handling personal data and making sure that it’s dealt with appropriately and handled securely, given the risks there are now with data falling into the wrong hands, or lost, etc. So really it’s about protecting personal data.

OLIVER: Does it affect every business?

HENRY: It depends. It will affect you if you’re in the EU or if you do business with the EU, you’re likely to be affected. There’s a number of tests for how you’re affected but I can’t imagine there is any business in the EU that doesn’t process personal data in some way, so they will all be affected.

OLIVER: It could be as simple as just keeping personnel records or keeping a mailing list?

HENRY: Absolutely, I mean it’s all the basic things such as employee data. Anything that can be used to identify someone individually is effectively personal data. The tests have been broader than that, but really if you can say who the individual is from the data, then it is personal data.

OLIVER: So it’s been in place for a year. How many businesses would you say are still not fully compliant?

HENRY: I think that’s a very good question. It’s very hard to say, but from our experience, most businesses still haven’t really grappled with it. I think it’s hard to say that anyone is 100% compliant because it’s an ongoing process. There are obviously some that are taking it very seriously and others that haven’t taken it so seriously. A lot of businesses we’ve come across who have updated the privacy policy on their website for instance and left it at that, either because they haven’t had the time or resources to do any more, but we’ve also found that businesses that thought they were compliant, but actually aren’t compliant. There is still just as much confusion a year on as there was in the run up to the 25th May about things like consent, when that’s required, the legal basis for processing personal data and so on. I think most organisations haven’t really got their heads around it still unfortunately. I think the larger ones have, but the SME market, in the UK in particular, has really struggled.

OLIVER: I know it was very confusing for me when it first came out. I was trying to read all about it. I certainly notice from the myriad junk e-mails that I get, sort of inviting me to approve or not approve their contacting me, all seem to be doing it in different ways. There doesn’t seem to be a consistency.

HENRY: That was one of the trends I think that infuriated people, were the e-mails that came out telling people the privacy policy had been updated for a particular business, which you are meant to do, but really I think the consumer isn’t interested in reading that, unfortunately, and they actually got more spam e-mails than they would have got if GDPR had not been passed. So that was the sort of unintended consequence which is quite amusing.

OLIVER: Some of the businesses I was working with were saying ‘oh it’s okay, we’re just leaving everything in the hands of our IT department, they know what to do’ but it seems to me that this is something that sort of more a legal thing than an IT thing. Is it really a good idea to rely upon your IT department?

HENRY: Well it’s a combination of the two definitely. I think that’s why so many businesses have struggled. Some have tried to say this is IT issue rather than a legal issue, but really they are intertwined, and the nature of personal data means that you have to think about it from a range of perspective. That’s also probably a reason why people have struggled because they haven’t had the resource. They might have had an IT guy who’s trying to deal with it, but there’s some complex legal question which he might not be familiar with. I mean in terms of IT providers, things like CRM systems, they would be what’s called a data processor generally. So, to some extent you can pass on responsibility for security, but ultimately you remain liable if something goes wrong and you have to sue down the chain. So really there’s no way you are off the hook, you can just potentially get money back if they mess up. So, it’s not an ideal position to be in as a business, because you can’t really escape liability and you know you really have to audit your data processes to make sure that they’re handling data correctly.

OLIVER: I think the penalties are very high for non-compliance, aren’t they?

HENRY: In theory, yes. Up to 20 million euros is the higher tier, or 4 percent of turnover, but in reality, as most people expected, are unlikely to be imposed. not least because most businesses don’t have 20 million euros disposable cash in the bag. I think, you don’t need a particularly high fine to cause a lot of trouble for an SME, I think that’s the point. You know a £20,000 fine is likely to cause as much damage to an SME as a £1 million or greater fine. What’s interesting I think is the ICO. From what we’ve seen it’s continuing to fine as it said it would, and focus on the same sort of thing, so marketing breaches in not having consent to send e-mails to individuals. So, they haven’t really changed their approach there. That seems to be an area that people have routinely been confused about, when you can use email and when you can’t, but that hasn’t really changed. You see fines for Facebook and others, but those aren’t really the fines we’re going to be worrying about, as an SME. They’re going to be looking at what are the fines on small businesses.

OLIVER: I was going to ask whether anyone’s been fined yet, or there’s been any enforcement action taken?

HENRY: There has, but it’s continuing along the same lines. We haven’t really seen much of a change in terms of, things that are technically breaches of GDPR that are liable to fines, such as privacy policies not being on a website. That sort of thing is the thing people were concerned about, and far as I’ve seen, having looked at fines on the ICO website the other day, I couldn’t see anything like that. So really, I think it remains things like data breaches. Wilful, or rather negligent, data breaches are a high-risk area, and marketing mistakes, are two of the highest risk areas in our view.

OLIVER: Now we’re in the UK, but we have listeners on this podcast series all around the world. In the UK everyone as of today that we’re talking to is preoccupied by Brexit, with the outcome still being probably as unclear as it was two years ago, if not more so. But this of course is an EU regulation. Do we assume that it’s going to be basically carried forward after Brexit, assuming Brexit happens?

HENRY: Yes, absolutely, because Parliament’s already passed the Data Protection Act 2018 which effectively implements it into UK law. So, it’s going to be part of the UK law for the foreseeable future anyway. The relationship with the EU is obviously undetermined, and so is the nature of data protection as a result. I think there’s a few areas which UK businesses in particular should consider, one of them is appointing a representative in the EU if you don’t have a presence in the EU yourself, but you have customers in the EU. That’s going to be a new requirement for businesses to consider. The other one is transferring data to and from the EU, as we probably won’t be a member state after 29th March. It’s going to be necessary unless we have what’s called an Adequacy Decision, where we’re determined to be basically a safe country by the EU to transfer data to. It may be necessary to put what’s called standard contractual clauses in place between UK businesses and EU businesses to allow data to flow out of the EU to the UK. Essentially those are concerns which would affect any business in any country around the world outside the EU or EEA that is doing business with the EU or EEA. If you are processing data on EU citizens or people in the EU then you need to think about GDPR, because you are probably going to be in scope.

OLIVER: You mentioned very briefly back there the need for a representative for GDPR in Europe. Tell us a little bit about a little bit more about that?

HENRY: The idea is that if you’re a company outside the EU, and you’re processing data on EU citizens, they need to have someone that they can correspond with and deal with, and that the regulators can deal with, to make it easy to facilitate communication, complaints, public access requests and things like that. So, one of the articles under the GDPR states that you have to appoint a representative, i.e. an entity or potentially a person, in the member state in which some of the data subjects, i.e. the people you process the data about, are located. So, say you’re in the UK and process data on Irish people as part of your business, you need to appoint a representative and representative in Ireland if you don’t have any presence in Ireland such as a branch or subsidiary already which you could use as the subsidiary.

OLIVER: Do you need to do that for every European country if you’re working across multiple countries?

HENRY: You only need one. It just has to be in one of the countries in which some of the data subjects are, so you could have data subjects in every country in Europe having data processed by you, but you only need to pick one country, so say Ireland. Ireland, we think, is going to be most popular for UK companies, because of the language, and that’s something we set up as a service to offer going forward, but it’s really a sort of post box. We don’t expect most SME’s to receive a huge amount of correspondence. It’s something that goes in the privacy policy that you mentioned there, and you tick the box. The reality is if there’s a subject access request it will be dealt with by whoever’s responsible for that in your organisation, but you know if you tick the box appointing someone.

OLIVER: Would you have to put the details of this representative on your website, or just written into your privacy policy and make that available on the website?

HENRY: Yes, it will be the website privacy policy. I mean it has to be in any privacy policy you provide. You’re likely to have a number of different ones, such as a privacy policy for employees, but the most common one by far is going to be the website privacy policy, that’s what people see. So, it certainly must be in there.

OLIVER: OK. So, anybody who actually needs some professional advice on this and actually needs professionally to have a data representative can be helped by you?

HENRY: That’s right. Absolutely, if they are going to be doing business with the EU post Brexit. The appointed reps service is something we offer and we can advise on.

OLIVER: That presumably also applies to non-EU companies with subsidiaries or operations or handling data in the EU now, so for example, our listeners in the USA?

HENRY: Absolutely, just as much. The UK is effectively becoming more like the USA in terms of data protection by virtue of others leaving the EU. Obviously, the situation is unclear. The US companies should be just as concerned about the same issues.

OLIVER: And if there was a US company or a Singaporean company or another country’s company which has operations or data on people in the UK post Brexit, let’s assume it happens. Will they need a data representative in the UK as well?

HENRY: No because we won’t be a member state after that point, we won’t be in the EU.

OLIVER: Okay. So, the protection regulations will be similar or carried for but not quite the same.

HENRY: It’s not quite the same.

OLIVER: Any other things that international businesses need to be aware of?

HENRY: I think really it’s a question of how much business are you doing with the EU. As soon as you start trading with the EU, GDPR is something you need to consider, and the problem is it’s a sort of you’re either caught or you’re not caught situation. Once you’re caught, you have to do everything. So, I think really the key things to think about are data breaches. That’s the actual thing that’s going to upset people, and I think probably the most important practical part of data protection is making sure the data doesn’t get lost. So, it’s tied to security, having decent policies and procedures in place, where people don’t leave data on memory sticks and things like that. Those are all very important, and marketing is very important. Make sure you get that right and you understand that, because it’s not an intuitive area, it’s very much a regulated concept of what you what you can do and you can’t do without consent. I think also just making sure that outwardly you look compliant, so making sure you put a robust privacy policy on your website, because that’s what people are going to see in the first instance, and people are going to judge you based on your privacy policy as to how seriously you take GDPR, and then of course you know how you handle any data subject access requests. Those have to be handled very carefully because they do have the potential to snowball out of control if you don’t get them right.

OLIVER: I guess that this is affecting or needs to affect every SME business, but it sounds like an awful lot of work, and I’m guessing it’s a very expensive legal process. Is that right?

HENRY: It can be, absolutely, it’s either going to cost time or money really. It is something that businesses can tackle a lot themselves, if they’ve got someone who’s got the time to sit down, go through the documents and read about it, but as you said earlier, it’s confusing to the layman who’s not familiar with this area. So, I think really that that’s probably why most businesses have done something and then left it. An SME has done the privacy policy on their website and decided that that was enough for them, or they couldn’t bear to do any more document. That isn’t ideal, but it is sort of understandable when you have got other pressures in the business. Or what they’ve done is the privacy policy to start with by the 25th of May, and then they slowly plan to work through the rest of the documents. That’s what we often see, which is really the only the only solution. I think a lot of businesses weren’t aware of this until early 2018 despite it having been passed in 2016. The nature of these things is that it’s always a last-minute rush. It’s unfortunately a compliance exercise on a large part. You can leverage it to help your business and gain the trust and respect of your customers. People are increasingly concerned about how their data is handled with all the data breaches that have happened over the years. So, it’s I think that’s the only positive way to spin it is to try and look at the benefits for the business of being seen to be compliant.

OLIVER: I’m guessing that it’s only a matter of time before there is something that really wakes up regulators and makes them do something, and then everybody will be running scared. So it’s probably a good time if you haven’t done something about it to be thinking seriously about getting it right now.

HENRY: That’s right. I think there hasn’t been a grace period, but the ICO was certainly very busy after 25th May with a large number of complaints, and I think now, approaching a year on, the ICO is probably going to be less lenient with businesses. My personal opinion is that they haven’t done anything. Certainly, if you haven’t done anything and you get in trouble, you’re not going to be in a good position. If you can at least work towards compliance, you’re in a better position to not be fined, at least in the first case, unless you did something that was pretty bad such as losing the data. So now is the time to really get it under wraps if you haven’t, and just dedicate the time and resource to getting as compliant as you can be.

OLIVER: The honeymoon is over.

HENRY: Exactly.

OLIVER: Henry that’s great. Thank you very much for talking to us. I think that’s been fascinating and I encourage listeners who need to get their GDPR act together maybe a great idea would be to actually contact Henry. You can find his contact details on the growinternational.org website on the page accompanying this podcast.

Photo by Bernard Hermant

Leave a Reply

Your email address will not be published. Required fields are marked *

Similar works

The Future is Digital for International B2B Services #60

Reimagining your business – and yourself #59

Franchising as a Route to International Expansion #58

Any facts and opinions presented in this content are those of the author or speaker. The inclusion of this content on the Grow through International Expansion platform does not imply endorsement by the platform owners of such facts and opinions nor by any business represented by interviewees or contributors. Whilst every care is taken to check facts and figures, we accept no responsibility for their accuracy. Please advise us of any discrepancy and we will endeavour to correct the information as quickly as possible.