3 Things You Didn’t Know About GDPR with Henry Herbert | Herbert & Ball #22
What do you know about GDPR? If you’re in the UK or the EU, you’ve almost certainly seen a buzz of publicity about it in the last year, and will have received dozens of emails asking you to opt in to future communications. It might have seemed like a good time to do some junk mail housekeeping and that, by not opting in, you’d get rid of some of them. Yet there’s still a lot of it coming in, and probably most of it’s legal. Confused? Nobody would blame you if you are, as the rules are not as clear as they first seem to be.
It’s not just email. Any business that holds personal data on a computer has to comply with GDPR. In truth, that means every business.
And it’s about to become more complicated. For example, companies based outside the EU – and that’ll include UK companies after Brexit, or companies from other countries whose only European subsidiary is in the UK – have to appoint a GDPR administrator within the EU.
To help unravel the rules, our host Oliver Dowson talks in this podcast with Henry Herbert. Henry was formerly a solicitor in a major London law firm, but left to form Herbert & Ball, a specialist firm that provides legal advice to SMEs across many different areas. In particular, he’s a specialist in data protection and GDPR, and spends his time advising businesses on marketing and website compliance.
If you’re into international business expansion, or simply want to understand GDPR better, you’ll find this podcast a must-listen.
Herbert & Ball was formed in 2017 to provide affordable, non-reserved legal advice to SMEs across a number of areas of law but particularly commercial contracts and data protection, with experience in the following additional areas: Aviation, Commercial, Franchising, Information Technology and Intellectual Property.
OLIVER: Today I’m talking with Henry Herbert about GDPR and Henry welcome to the ‘Grow Through International’ podcast.
HENRY: Thanks for having me Oliver.
OLIVER: That’s great, it’s a pleasure and we’re looking forward to learning some more about GDPR, particularly since it’s become such an important thing. Even though it’s been around for the best part of a year, I’m still not sure that everybody knows what even the four letters stand for, never mind how it affects them. We’ll get into that, but would you like to introduce yourself first please?
HENRY: Absolutely, so I’m Henry Herbert, I’m a partner at Herbert & Ball LLP. We’re a specialist data protection consultancy amongst other things. I was formerly a solicitor at a major London law firm where I gained experience in data protection as part of corporate transactions, and decided it was something I wanted to do full time. So I set up a partnership, basically advising organisations in the run up to and after GDPR on a whole range of issues. Some very basic things such as privacy policies and basic documentation to subject access requests, complaints and everything else.
OLIVER: Just in case some of our listeners don’t know what GDPR is, and I suspect many of them really don’t and don’t want to admit it, can you give us a sort of “elevator conversation” and tell us what it’s all about?
HENRY: Absolutely, so it’s the General Data Protection Regulation. The regulation came out in 2016 and then came into force in May 2018. Essentially it’s about handling personal data and making sure that it’s dealt with appropriately and handled securely, given the risks there are now with data falling into the wrong hands, or being lost, etc. So really it’s about protecting personal data.
OLIVER: Does it affect every business?
HENRY: It depends. If you’re in the EU or if you do business with the EU, you’re likely to be affected. There are a number of tests for how you’re affected, but I can’t imagine there is any business in the EU that doesn’t process personal data in some way, so they will all be affected.
OLIVER: It could be as simple as just keeping personnel records or keeping a mailing list?
HENRY: Absolutely, I mean it’s all the basic things such as employee data. Anything that can be used to identify someone individually is effectively personal data. The tests have been broader than that, but really if you can say who the individual is from the data, then it is personal data.
OLIVER: So it’s been in place for a year. How many businesses would you say are still not fully compliant?
OLIVER: I know it was very confusing for me when it first came out. I was trying to read all about it. I certainly notice from the myriad junk e-mails that I get, sort of inviting me to approve or not approve their contacting me, all seem to be doing it in different ways. There doesn’t seem to be a consistency.
OLIVER: Some of the businesses I was working with were saying ‘oh it’s okay, we’re just leaving everything in the hands of our IT department, they know what to do’, but it seems to me that this is something that is sort of more a legal thing than an IT thing. Is it really a good idea to rely upon your IT department?
HENRY: Well, it’s a combination of the two, definitely. I think that’s why so many businesses have struggled. Some have tried to say this is an IT issue rather than a legal issue, but really they are intertwined, and the nature of personal data means that you have to think about it from a range of perspectives. That’s also probably a reason why people have struggled, because they haven’t had the resource. They might have had an IT guy who’s trying to deal with it, but there’s some complex legal question which he might not be familiar with. I mean in terms of IT providers, things like CRM systems, they would generally be what’s called a data processor. So, to some extent you can pass on responsibility for security, but ultimately you remain liable if something goes wrong and you have to sue down the chain. So really there’s no way you are off the hook; you can just potentially get money back if they mess up. So, it’s not an ideal position to be in as a business, because you can’t really escape liability, and you know you really have to audit your data processors to make sure that they’re handling data correctly.
OLIVER: I think the penalties are very high for non-compliance, aren’t they?
HENRY: In theory, yes. Up to 20 million euros is the higher tier, or 4 percent of turnover, but in reality, as most people expected, they are unlikely to be imposed, not least because most businesses don’t have 20 million euros of disposable cash in the bag. I think you don’t need a particularly high fine to cause a lot of trouble for an SME; I think that’s the point. You know, a £20,000 fine is likely to cause as much damage to an SME as a £1 million or greater fine. What’s interesting, I think, is the ICO. From what we’ve seen it’s continuing to fine as it said it would, and focus on the same sort of thing, so marketing breaches in not having consent to send e-mails to individuals. So, they haven’t really changed their approach there. That seems to be an area that people have routinely been confused about, when you can use email and when you can’t, but that hasn’t really changed. You see fines for Facebook and others, but those aren’t really the fines we’re going to be worrying about as an SME. They’re going to be looking at what the fines on small businesses are.
OLIVER: I was going to ask whether anyone’s been fined yet, or there’s been any enforcement action taken?
HENRY: There has, but it’s continuing along the same lines. We haven’t really seen much of a change in terms of things that are technically breaches of GDPR that are liable to fines, such as privacy policies not being on a website. That sort of thing is what people were concerned about, and as far as I’ve seen, having looked at fines on the ICO website the other day, I couldn’t see anything like that. So really, I think it remains things like data breaches. Wilful, or rather negligent, data breaches and marketing mistakes are two of the highest-risk areas in our view.
OLIVER: Now we’re in the UK, but we have listeners on this podcast series all around the world. In the UK everyone as of today that we’re talking to is preoccupied by Brexit, with the outcome still being probably as unclear as it was two years ago, if not more so. But this of course is an EU regulation. Do we assume that it’s going to be basically carried forward after Brexit, assuming Brexit happens?
HENRY: Yes, absolutely, because Parliament’s already passed the Data Protection Act 2018 which effectively implements it into UK law. So, it’s going to be part of the UK law for the foreseeable future anyway. The relationship with the EU is obviously undetermined, and so is the nature of data protection as a result. I think there’s a few areas which UK businesses in particular should consider, one of them is appointing a representative in the EU if you don’t have a presence in the EU yourself, but you have customers in the EU. That’s going to be a new requirement for businesses to consider. The other one is transferring data to and from the EU, as we probably won’t be a member state after 29th March. It’s going to be necessary unless we have what’s called an Adequacy Decision, where we’re determined to be basically a safe country by the EU to transfer data to. It may be necessary to put what’s called standard contractual clauses in place between UK businesses and EU businesses to allow data to flow out of the EU to the UK. Essentially those are concerns which would affect any business in any country around the world outside the EU or EEA that is doing business with the EU or EEA. If you are processing data on EU citizens or people in the EU then you need to think about GDPR, because you are probably going to be in scope.
OLIVER: You mentioned very briefly back there the need for a representative for GDPR in Europe. Tell us a little bit more about that?
HENRY: The idea is that if you’re a company outside the EU, and you’re processing data on EU citizens, they need to have someone that they can correspond with and deal with, and that the regulators can deal with, to make it easy to facilitate communication, complaints, subject access requests and things like that. So, one of the articles under the GDPR states that you have to appoint a representative, i.e. an entity or potentially a person, in the member state in which some of the data subjects, i.e. the people you process the data about, are located. So, say you’re in the UK and process data on Irish people as part of your business, you need to appoint a representative in Ireland if you don’t already have a presence in Ireland, such as a branch or subsidiary, which you could use as the representative.
OLIVER: Do you need to do that for every European country if you’re working across multiple countries?
OLIVER: OK. So, anybody who actually needs some professional advice on this and actually needs professionally to have a data representative can be helped by you?
HENRY: That’s right. Absolutely, if they are going to be doing business with the EU post Brexit. The appointed reps service is something we offer and we can advise on.
OLIVER: That presumably also applies to non-EU companies with subsidiaries or operations or handling data in the EU now, so for example, our listeners in the USA?
HENRY: Absolutely, just as much. The UK is effectively becoming more like the USA in terms of data protection by virtue of others leaving the EU. Obviously, the situation is unclear. The US companies should be just as concerned about the same issues.
OLIVER: And if there was a US company or a Singaporean company or another country’s company which has operations or data on people in the UK post Brexit, let’s assume it happens. Will they need a data representative in the UK as well?
HENRY: No because we won’t be a member state after that point, we won’t be in the EU.
OLIVER: Okay. So, the protection regulations will be similar or carried forward, but not quite the same.
HENRY: It’s not quite the same.
OLIVER: Any other things that international businesses need to be aware of?
OLIVER: I guess that this is affecting or needs to affect every SME business, but it sounds like an awful lot of work, and I’m guessing it’s a very expensive legal process. Is that right?
OLIVER: I’m guessing that it’s only a matter of time before there is something that really wakes up regulators and makes them do something, and then everybody will be running scared. So it’s probably a good time if you haven’t done something about it to be thinking seriously about getting it right now.
HENRY: That’s right. I think there hasn’t been a grace period, but the ICO was certainly very busy after 25th May with a large number of complaints, and I think now, approaching a year on, the ICO is probably going to be less lenient with businesses. My personal opinion is that they haven’t done anything. Certainly, if you haven’t done anything and you get in trouble, you’re not going to be in a good position. If you can at least work towards compliance, you’re in a better position not to be fined, at least in the first case, unless you did something that was pretty bad, such as losing the data. So now is the time to really get it under wraps if you haven’t, and just dedicate the time and resource to getting as compliant as you can be.
OLIVER: The honeymoon is over.
OLIVER: Henry, that’s great. Thank you very much for talking to us. I think that’s been fascinating, and for listeners who need to get their GDPR act together, a great idea would be to actually contact Henry. You can find his contact details on the growinternational.org website on the page accompanying this podcast.
Any facts and opinions presented in this content are those of the author or speaker. The inclusion of this content on the Grow through International Expansion platform does not imply endorsement by the platform owners of such facts and opinions nor by any business represented by interviewees or contributors. Whilst every care is taken to check facts and figures, we accept no responsibility for their accuracy. Please advise us of any discrepancy and we will endeavour to correct the information as quickly as possible.