Garrett Holmes: |
All right, Suzanne, thank you so much for joining us today. I appreciate you taking the time to talk about GDPR with us. Before we get started, would you like to introduce yourself? |
Suzanne Dibble: |
Sure. I’m Suzanne Dibble. I’m a 20-year qualified lawyer from the UK. I know I don’t look it. There are a few lines around here, but surely I don’t look old enough to have been practicing law for 20 years, but I am a data protection lawyer, and that’s what GDPR is all about. I have the largest group on Facebook, at the moment, about GDPR, a hugely engaged Facebook group where I just can’t keep up with all the questions, quite frankly. I’ve done some pretty cool stuff, which I won’t bore you with, in relation to data protection. |
|
I know my stuff, in summary, and I think I’m probably the only lawyer that actually, really understands the online space. You talk to a lot of lawyers who understand data protection, and you talk to them about Facebook retargeting, and they look completely blank. So, because I actually do this in my own business … So, I trained and practiced at the world’s largest law firm, but then I started my own legal practice about eight years ago, and I’ve used digital marketing extensively in my own business. Again, I say I’m probably the only lawyer that I know that actually does that to any effect. So, I’m probably the only person that knows the reality of digital marketing together with the complexities of GDPR. |
Garrett Holmes: |
Definitely, definitely. Well, thank you for, again, taking the time to chat with us. Let’s just jump into it. Let’s go over what GDPR is. You have a whole presentation planned, so I’ll just let you take it from here, and go over everything GDPR. |
Suzanne Dibble: |
Gosh, okay, well, how long is a piece of string? Actually, how long do we even have? I just did an interview with someone else that was supposed to be an hour and a half and we hit two hours, and there was still lots that I hadn’t said. GDPR is huge, actually. Obviously, I’m going to focus in on the bits that are particularly relevant for digital marketers and also talk about it in the context of your demographic, which I believe is probably like 75% US and 25% other English-speaking countries. |
Garrett Holmes: |
Yes. |
Suzanne Dibble: |
So, we’ll keep that in mind. Okay, so what is all this fuss about GDPR and does it even apply to you if you’re in the States? You’re probably thinking, oh my goodness, this EU law, why on earth are digital marketers even spending any time telling us about this? Because surely it doesn’t apply to us. Well, it does, okay? Basically, it’s all about data protection. Data protection is in the news at the moment with the Facebook and Cambridge Analytica case. You know, Zuckerberg has been testifying in front of Congress. Is it Congress? Did it all right? |
Garrett Holmes: |
Yep, yep. |
Suzanne Dibble: |
It’s a really hot topic at the moment. What GDPR does is it really brings our data protection laws up to date with what’s going on with data. The last data protection laws that we had in Europe are 20 years old, and if you think about the differences in what we’re doing with data now and what we did 20 years ago, there’s a huge chasm and difference between what we could do then and what we can do now, so it’s only right that the law catches up with the reality of our data processing. |
|
Now, it comes into force on the 25th of May, which is about a month’s time, and if you are outside of the … Obviously, it applies to you if you’re in the EU, and if people in the UK are watching it and thinking, “What about Brexit?”, well, sadly, Brexit or no Brexit, we are going to have to comply with these regulations because the UK wants to ensure a free data transfer flow into the rest of Europe, so we have to have the same standards of data protection as they do in Europe. |
|
But if you’re in the US or you’re in Canada or Australia or wherever else and you have data … I’m not going to use the technical term, “data subjects,” just yet, because you won’t know what that means, but you have customers, prospects, employees, suppliers, anyone whose personal data that you hold, in the EU, then you need to comply, because this regulation is all about looking after the data protection of people within Europe. So that’s what you have to do. |
|
I have seen some forums and some groups with US businesses like, “Right, well, I’m just going to stop selling to the EU. That is it. I’m going to geo-block people from my site, I’m just not interested.” And that’s fine, you know? That’s a commercial decision for you to take, but you’re cutting off potentially a good income stream there. Even if you’re not making anything at the moment, who’s to say that you wouldn’t have goods, products, and services going forwards that would be a big income earner from an EU customer base? I think that once you realize that actually there are a few simple steps you can take to comply, you’ll probably see that’s a lot better option than cutting off your EU customer base. But it does apply to you guys. |
|
So, what is GDPR all about? It’s about processing personal data, in a nutshell. If you process personal data, then this applies. Now, you might say, “What’s personal data, and what’s processing?” Well, both of them have extremely wide definitions. Personal data is anything that identifies a living individual effectively. If you have a name and an email address, then that can identify a living individual, and that is under GDPR if you are processing it. Now, processing is really wide and can just include storing it. So, I’ve had people that say, “Oh, I’ve got historic lists that I’ve brought in. I don’t do anything with them anymore. They just sit there. Surely I don’t need to both about them.” Well, do you, actually, because storing is also part of processing, so pretty much anything you do with that data brings you within the scope of GDPR. It’s extremely broad. |
|
What we need to do is if we are processing personal data, then we need to bear in mind certain principles and we absolutely need to make sure we’ve got a lawful ground of processing that data. That’s really what GDPR is all about, making sure that you’ve got a lawful ground of processing the personal data and bearing in mind these principles. Now, if that’s all you take away from this session, then that’s good. If you know that you’ve got to have a lawful ground for processing and that you’ve got to follow those principles, then that’s great. |
|
Okay, so why else is this important, apart from the fact that this is a law from the EU? You might think, “Well, I’m not going to bother with that. Even if it’s a law, who’s going to find out if I’m doing anything wrong? Who’s going to enforce it, etc.?” Well, the legal backdrop to it is, is that the fines have significantly increased. This just emphasizes the importance with which the regulatory authorities are viewing data protection. The fines have gone up to €20 million or 4% of your worldwide turnover for the previous 12 months. If you look at Facebook, for example, and European regulators are currently investigating Facebook, 4% of its turnover last year would mean a fine of $109 billion, okay? |
Garrett Holmes: |
Wow. |
Suzanne Dibble: |
Yeah. That’s the kind of … I know people listening to this or watching this or reading the blog aren’t going to be turning over that amount of money, but that’s the potential of the sanctions. Now, saying that, unless you are processing data on a large scale and you’re doing something particularly bad with that data … I don’t think Facebook had a bad intention. They just didn’t think far enough ahead, you know? |
Garrett Holmes: |
Right. |
Suzanne Dibble: |
But they were processing on a large scale, so unless you’ve got any dodgy practices or you’re processing on a large scale, chances are the only way that you’re going to come to the attention of any authority is through complaints, okay? People are becoming much more aware of this legislation. Certainly, in the UK, our data protection authority is doing a PR campaign about this legislation to make people more aware of their rights. So, you’re going to start getting more questions about, “How’d you get my data?” “I’m going to report you to the ICO,” you know, etc. |
|
You still might be thinking, “Well, I don’t really care about the ICO, because they’re not going to come to the States and hunt me down.” But what you might care about is losing customers. There’s reputational damage. Even within industries, there’s … If you get a reputation within, say, the digital marketing industry or within the coaching industry or within the expert industry or whatever else, as the protection of personal data becomes more of a cultural norm, if you are the anomaly, then you’re going to start to lose customers. In my view, it’s much better to embrace this, put into place best practice, and be at the forefront of respecting people’s data. |
|
In my view, if Facebook, when they became aware of the scandal, when they became aware of the full facts, rather than just making Cambridge Analytica delete the relevant data, if they’d have come clean at that point and really presented themselves as this forward-thinking organization that really cared about people’s data, they wouldn’t be in the difficult position that they’re in now, in my view. So, why not be an early adopter and be forward thinking and get your house in order, and really, really value your customers and their privacy? |
|
The other thing to point out is that if you are a data processor, which I imagine quite a few of your subscribers might be, that means that you’re processing data on behalf of a data controller, someone who … So, say I’ve got an email list of people who’ve signed up for my freebie. I’m the data controller of that list, okay? Now, if I sent that to you in the States to process that in some way, so maybe I’ve got a virtual assistant in the States who’s helping me with my email marketing, or I use people for Facebook advertising in the States, and I’m sending you that data for you to provide to me the service with, then you as a processor have to be compliant with GDPR, and, as a data controller, I’m not legally allowed to use you anymore. The more that people understand that in the EU, then if you are a processor in that type of context, then if you’re not GDPR compliant, then you’re going to start losing customers. |
|
We had an example of that in my Facebook group… Oh, there’s my assistant just wandering by in the background. See you later. We have an example in my Facebook group, where there was, I think it’s Derek Halpern, is it, who has Zippy Courses? I think that’s him. There were quite a few people in my Facebook group who had said they’d written to him and said, “Are you GDPR compliant? What are you doing about it?” Initially, he’d written back and said, “Yeah, nothing to do with us. European regulation,” you know, etc. |
|
Within literally the space of a few weeks, they had completely changed their tunes. Presumably, because quite a few customers from the EU had got in touch asking the same question, and they suddenly thought, “Crikey, we better start to take this kind of thing seriously, or we’re going to lose all our EU customers.” So, within a few weeks, to his credit, they had started looking at GDPR, putting the right systems and processes in place, so that they could respond positively to EU customers when they asked that question. It’s relevant for a number of reasons for people who are outside of the EU. |
|
Okay, so, now you’ve decided that it is relevant for you and you’re going to hang around and watch the rest of the video. Let’s talk about the data protection principles. There’s six of them, and they are all very relevant. To be fair, they’re not new, but what GDPR does is it brings it into sharper focus. The first one is about lawfulness, fairness, and transparency. Basically, if you’ve got anti-spam laws, you can’t spam people. You’ve got to do things lawfully. |
|
You’ve got to do things fairly. Now, again, it’s very subjective. There isn’t any guidance as to what “fairly” means, but if you’d be okay with people using your data in a way, then that would be more than likely be fair. You’ve got to deal with it in a transparent manner, and what that means is, is that you’ve got to be really upfront about what you’re going to be doing with people’s data. What you need to do, if this applies to you, is you need to have a privacy notice that if you’re, for example, collecting emails for a lead magnet, at the point of collection, you would need a link to that new privacy policy that is really, really upfront and transparent about what you’re going to be doing with that data. |
|
You have to put in there the specific data you’re collecting, exactly what you’re going to be doing with it, if you’re transferring it to third parties, who they are and what they’re going to be doing with it. You’ve got to be able to let people make an informed choice as to whether they want to share their data with you. They can only make that informed choice if you tell them exactly what you’re going to be doing with their data. One new legal document that you will definitely need is a new privacy notice that you are going to be giving to your prospects whenever you’re collecting their data. |
|
The next principle is about purpose limitation, and that, again, means that you’re being really clear about what’s the purpose that you are collecting the data for. Then you can’t just decide to use it for other purposes. You’re going to only use the data for the purpose that you’ve advised people. Makes sense, doesn’t it? You’d hope that if you’re giving your details to somebody and they say they’re going to use it for email marketing and you’re happy for them to do it, they can’t then just decide to sell it to a third party without me knowing about it or consenting to do it. |
|
You can only take data that is necessary for the purposes. Again, if we think about our lead magnet and our email signup box, you need their name, you need their email address. What else do you need to be able to fulfill that purpose? Do you need their inside measurement? No. Do you need their marital status? No. Now, question mark over a phone number, because I know often many people put in a phone number in their data entry for a lead magnet. |
|
Arguably, you might need phone numbers if, for example, you have a fairly instance of people putting in incorrect email addresses and you want to be able to phone them up and say, “We’ve got the wrong email address here, what it is?” Then you could arguably put the phone number there for that. Whether that’s going to encourage people to sign up or not is another matter, but legally, I think you could stretch it to say that that was necessary, but trying to keep the data that you’re collecting to a minimum is the general principle. |
|
Data’s got to be accurate. You’ve got to have systems in place making sure that the data is accurate. What might that look like? For an email list, well, if you’re getting bounces, then clearly, that is inaccurate data. You should either be deleting that data or if you tried to get in touch with them and failed, or you should be somehow trying to get in touch with them and trying to correct that data. If you’ve got their phone number, obviously, you’d use that phone number and say, “What’s the accurate data?” |
|
You’ve got to think about storage limitation, which is that data can’t be kept for longer than is necessary for the purposes for which you’ve advised them of. This goes back to, you’ve got email lists that are 10 years old. You shouldn’t be keeping those. They should be deleted because if the purpose was an event that was 10 years ago, for example, you’ve kept that data for far too long. It’s really just, if we practice good list hygiene, anyway, and regularly tidying up our databases, then that’s all good, but if we’re not, then we need to keep in mind these kinds of things. |
|
Probably, it’s not new, but the most important thing, and what’s come out of my Facebook group is how little people actually know about this and how little people focus on it, is the security aspect of data. Making sure that there are appropriate security measures in place so that people can’t come and hack into your system, steal your list of email addresses, and then send them spam or phishing emails, etc. We’ve got to really have another look at our systems and make sure that their security is adequate for the data that we’re processing. So they’re the overriding principles. There’s nothing there that doesn’t make sense, is there? It’s all pretty obvious. |
Garrett Holmes: |
Yeah, pretty straightforward. |
Suzanne Dibble: |
People tend to kind of lose track of those principles. I think the things that have got the practical impact is the fact that people will need this new privacy notice. That’s kind of the practical step that people need to think about. Should I just keep going? |
Garrett Holmes: |
Yeah, absolutely. This is great. It’s a lot, but I mean, that’s the whole point, is we want to get to the bottom of, what are the steps that we need to take to make sure that we’re compliant? |
Suzanne Dibble: |
Yeah, absolutely. I think it’s really important for people to understand the context and have some solid foundations in this, so that then, they can more easily answer their specific questions themselves, you know? |
Garrett Holmes: |
Exactly. |
Suzanne Dibble: |
I get lots and lots of little tiny, specific questions. I’m like, “Just think about the overriding principles. Think of the bigger picture. What is this designed to do? That will more than likely inform your answer to the question.” |
Garrett Holmes: |
I do have a quick question for you. |
Suzanne Dibble: |
Yeah? |
Garrett Holmes: |
You talked about how you can’t ask people for more information than you need. Asking for phone numbers, maybe, or maybe not. But one thing that I’ve seen is that people will ask for an email, and then they’ll ask like, “Check this box if you’re,” let’s say, “if you’re an agency,” or, “Check this box if you’re just an entrepreneur or an individual contributor.” Is that type of information collection okay? |
Suzanne Dibble: |
You mean for segmenting purposes, things like that? |
Garrett Holmes: |
Yes. |
Suzanne Dibble: |
I think that segmentation is good, in my view. It’s not requested by GDPR to that extent, but it means that we can tailor information that they’re likely to be interested in, which, really, is what GDPR’s all about. Well, part of it is all about that. Yeah, in my view, I think the purpose there is for segmenting, so I would have above those tick boxes, I would say, have a statement to say, “In order to ensure that we can send you properly targeted information, please tick the boxes below to let us know which category you fall into.” Clearly, the ticking the box, the purpose would be segmenting that information, so I think that would be fine if you expressed it that way. |
Garrett Holmes: |
Perfect, perfect. |
Suzanne Dibble: |
Yeah, okay, so let’s look at the legal grounds for processing. Remember, the questions that you need to ask yourself. One, is it personal data? If it’s not, then none of this applies at all. It’s got to be data that’s capable of identifying a living individual. Secondly, are you processing it? Well, chances are, you are. The third thing is, do I have a legal ground for processing this data? If you don’t have a legal ground for processing the data, then you can’t do it. Well, you can. There’s not going to be a big light. Your computer isn’t going to blow up if you don’t stop processing it, but that’s when you run the risk of complaints, investigations, fines, etc. |
|
What are your legal grounds for processing? With GDPR and marketing generally, people get really hung up on consent and tick boxes, but it’s not all about consent and tick boxes, okay? There are six lawful legal grounds of processing and four of them are going to be relevant to people on this call. The first is consent, and that is that the individual’s given clear consent for you to process the personal information. |
|
The second is contract, which is where the processing’s necessary for a contract you have with the individual or because they’ve asked you to take certain steps before entering that contract. So, someone emails you and says, “Can you provide me with a quote for X, Y, and Z?” You don’t then need to go and get their consent to provide them with that quote, because your lawful ground of processing is contract, okay? |
Garrett Holmes: |
Yep. |
Suzanne Dibble: |
Similarly, if you’re using personal information as part of a project that you’re working on, you don’t need to get consent for using personal data in the confines of that project, because that’s based on contract. The third one is legal obligation, which is where the processing is necessary for you to comply with the law. For people who have employees, for example, if you are asking them for their social security details, that is under a legal ground of processing, because there’s an obligation on those as employers to get that information, so we can pay the employer taxes. So there will be quite a few areas of processing that fall under a legal ground of lawful processing. |
|
And then the other one that we, as marketers, like to talk about a lot is legitimate interest. There is this kind of question mark over it. Does marketing fall under consent or legitimate interest? Big discussion going on at the moment, which I’ll come onto a big more later. For legitimate interest, it’s where the processing is necessary for your legitimate interest, so if I have a list of people, is it in my legitimate interest to market to those people about my services? Yes, that is a legitimate interest of my business to email those people, and the recitals actually say that direct marketing is a legitimate interest. |
|
What you’ve got to balance that with is whether there’s good reason to protect the individual’s personal data which override my legitimate interest. You’re always doing this balancing test between my legitimate interest versus the individual on my email list and their protections, their privacy, any impact on them, and you’ve got to do that balancing test. Now, the problem with legitimate interest is, it’s just not black and white. It’s a bit of a gray area. |
|
If you choose legitimate interest, then the onus is on us choosing that ground to have gone through a considered process as to whether we can rely on that or not. You’d need to complete a legitimate interest assessment form that goes through this three-stage test, and then at the end, you think, yeah, I’m pretty confident that this would fall under legitimate interest, and I don’t need to go and get consent from people. Generally, marketers don’t like doing that, do they? If you don’t have to, you don’t want to go and get people the tick a box, because we know that quite a lot of people aren’t going to do that. |
Garrett Holmes: |
Right, right. |
Suzanne Dibble: |
In an ideal world, we would rely on legitimate interest, and then we don’t need to get consent, but what it does mean is that we are taking that responsibility of doing that balancing test and making sure that the data subject, the person on my email list, is not suffering, if you like, because of that. So, an example between that interplay between consent and legitimate interest is that if you have existing customers and you want to send them marketing emails, particularly where those marketing emails are very relevant to what they’ve already bought from you, then in my view, you would rely on legitimate interest to send those marketing emails to your existing customers, okay? |
|
Because, it would be within their reasonable expectation to receive those emails, and because it would have a minimal privacy impact. You’ve have your opt-out at the bottom of the form. Because with the legitimate interest, you still need to notify people that they can object to the processing, and if it’s direct marketing, then you have to absolutely stop it if they object. You just do an opt-out like you would for consent ground of processing. |
|
For me, that’s fine. So, existing customers, in my view, you’d rely on legitimate interest to continue to market to them. Now, for customers that you had 20 years ago, that’s a little bit different, because if you haven’t messaged them at all in the last 15 years, say, and they suddenly get an email out of the blue, then they’re not going to expect that, and in my view, that’s the kind of email that you would need consent for. You would need to obtain that consent to be sending them those. I mean, why you’d want to email a customer that you haven’t been in touch with for 15 years, I have no idea, but I’m just using that as an example to make the point. |
|
Now, of course, the gray area is, what do you do about the 18 month-old customers, you know? You have to decide where is that line for your particular business. I was speaking to someone who owns a chain of beauty salons this morning, and she does a lot of email marketing and Facebook advertising and things like that. Her software provider, where she stores her opt-in consents, her CRM system, her email marketing system, they have advised her that anyone who has been a customer in the last 18 months, that she should rely on legitimate interest for that. So, clearly, that’s what they’ve decided is appropriate for that industry. But you need to think, “Okay, well, what is my sense check on that?” Really, put yourself in the customer’s position. Are they going to expect to hear from you or not? If they’re not, then you would need consent if you wanted to start marketing to them. |
|
Now, the reason why this is particularly a pressing issue is because the regulations come into force on the 25th of May. Now, if you have a list, an email list, already, and they’ve consented, you’ve decided that your lawful ground of processing is consent, because maybe you’ve, I don’t know, they’re prospects that have come in through, you’ve either got a lead magnet or whatever else, and you’ve decided that you need their consent to market to them … Excuse me, one second. I’ve been talking all day. My voice is going. |
|
Yeah. The reason why this is a pressing decision is, if you don’t have GDPR standards of consent for existing people on your email list, then you need to get fresh consent from them before the 25th of May, or you don’t have a lawful ground of processing that, and you would have to opt those people out of your email lists. So, people are, I wouldn’t say panic … Well, some people are panicking about it, because certainly, the people in my group at the moment who are doing these refreshing consent campaigns, they’re seeing only 10% of their list are opting in. So they’re losing 90%, and they’re thinking, “This is a terrible travesty.” |
|
But actually, for me, it’s actually quite good. It’s just good for digital marketing, isn’t it? It’s good for your email marketing because probably, the 90% that haven’t opted in haven’t been reading your emails for the last however many years anyway, which is impacting on the deliverability of the people who actually did want to see them. Actually, it’s not as bad. If you do lose a chunk of your list, it’s just because they weren’t that interested. So, basically, you need to send that email requesting fresh consent before the 25th of May, okay? That’s why there’s an urgency on your decision as to your lawful ground of processing for sending marketing to clients and prospects. Does that make sense? I know there’s a lot to take in there. |
Garrett Holmes: |
Yeah, so I think the one thing that I have a question about is, so, I’m in the US, I have my email list, and in order to do this in compliance with GDPR, do I segment my list for the members that are in the EU to do that? |
Suzanne Dibble: |
Yeah. For you in the States and people outside of the EU, then yes, if you can segment your list so that you’re just talking about the people in the EU, then yes, that’s all you need to do. |
Garrett Holmes: |
Okay, and what if I’m in the EU, and I’m marketing to people outside of the EU? If you’re in the EU, does it blanket everybody that you have to do this with? |
Suzanne Dibble: |
Yeah, this is a really interesting question and one that’s just come up in my group recently. Now, I haven’t been able to find any guidance on it, but from the way that I read the regulations, and the way that they phrased it differently between if you’re established in the EU or not, my interpretation of it is that if you’re in the EU, that’s it. You’ve got to be compliant in all respects, and if you’re outside of the EU, it’s only in relation to data subjects in the Union. They phrase it as “data subjects in the Union.” What does that mean? Does that mean that if someone’s there on holiday or something like that? |
Garrett Holmes: |
Right, right. |
Suzanne Dibble: |
Not that anyone’s going to take it to that degree, but it’s not entirely clear. But my interpretation of it is that, as I said, so if you’re in the EU, then it just applies, full stop, and if you’re outside of the EU, then we’re talking about it in the context of EU data subjects. |
Garrett Holmes: |
Got you, perfect, thank you. |
Suzanne Dibble: |
Where was I? The reason why getting you a lawful ground to processing right, it’s really key, actually, not just pre-the 25th of May, but on an ongoing basis, as well. That is probably the key question about GDPR, what is your lawful ground of processing? I have to say, it’s not an easy question, because there’s such a gray area over the use of legitimate interests. |
Garrett Holmes: |
Definitely. |
Suzanne Dibble: |
Okay, so what else do I need to tell you about consent? Yeah, so there’s a higher standard of consent with GDPR. Consent has to be a clear, affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subjects’ agreement. What that means by “clear affirmative act,” it means you can’t have an opt-out anymore. It’s got to be opt-in, okay? Because there’s no affirmative act if someone’s just not opted out. You know what I mean by an opt-out, don’t you? They say, “If you don’t want to receive our marketing, click here.” |
Garrett Holmes: |
Right. |
Suzanne Dibble: |
That’s not sufficient. It’s got to be, “If you do want to receive our marketing, click here.” |
Garrett Holmes: |
What if there’s a page where there is an opt-in, and it says, “Click here to opt into our newsletter” and what not, but it’s automatically checked? I see that a lot. |
Suzanne Dibble: |
Yeah. Can’t do that anymore, so no more pre-ticked boxes. |
Garrett Holmes: |
Got you, okay. |
Suzanne Dibble: |
Yeah, you’ve got to get rid of those, too. It’s really about giving the data subject genuine choice and control. If it’s possible for them not to understand things and they’re going to be opted in, then that’s not sufficient. You’ve got to really spell it out for them and get a positive action from them. You can’t bundle consent anymore, either. You’ve got to be as granular as possible and specific as possible about the different processing and purposes. |
|
So, I don’t think that that means that you have to break it down to every element of marketing, for example, so I don’t think you’d need a tick box for, “Tick here if you want my email newsletter, tick here if you want details of our events, tick here if you want to hear about my podcast,” you know, I don’t think it means to that level. We haven’t really had much guidance on it. |
|
Then if you were wanting to share with third parties, it would need to be a separate tick box. You couldn’t have that all combined and say, “By ticking here, you agree to us sending you marketing emails, and we’re going to share it with some third parties.” You’d have to split that out into two separate tick boxes. The more that you can split the consent out, the better, but equally, you don’t want a list of like 30 tick boxes for people. |
Garrett Holmes: |
Yeah, nobody’s going to do that. |
Suzanne Dibble: |
No. Okay, what else on consent? Oh yeah, just be aware that there is an even higher standard of consent for sensitive data. If you’re dealing with sensitive data, special category data, things like data consisting of racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, things like that. The kind of data where if it got into the wrong hands, it would have some kind of impact on the rights and freedoms of the data subjects. |
|
What you need to have for that is your lawful ground of processing, but then you need a separate ground on top of that to process sensitive data. Typically, that’s explicit consent. The regulations don’t say what explicit consent is, but the guidance says that that would be a signed statement or a dual opt-in. They call it a two-stage verification process, but what I would call a double opt-in. So, I just want to flag that. Obviously, there might not be many people who that applies to, but just to flag that there is this special category data that deserves even more protection. |
|
What else do I need to say? Yeah, so you obviously have to have your opt-out at the bottom of all your emails. If you’re using any kind of reasonable email marketing system, you always have that opt-out at the bottom anyway, but what the regulations also say is that you should offer a specific opt-out every two years, and occasionally, send reminders about the ability to withdraw consent. Remember, this is only if you’re processing under that lawful ground of consent. Remember, consent is not the be-all and end-all, but if you are processing under that ground, then at least every two years, you need to send a specific email saying to people, I don’t know exactly how you’d phrase it, but some marketing spin that would make it sound, obviously, really a stupid idea to opt out. |
Garrett Holmes: |
Yeah, “Are we still friends?” |
Suzanne Dibble: |
Yeah, exactly. That kind of thing. But you need to do that every two years, and then who knows what “occasional reminders” mean, but maybe every six months, you need to send the specific email that is like, “Hey, are you liking the stuff we’re sending you? If not, remember, you can always opt out,” that kind of thing. Again, remember, there’s not a vast police force that is going to check upon this stuff. It’s really about complaints, maybe competitors trying to trip you up, which could happen. |
Garrett Holmes: |
Wow. |
Suzanne Dibble: |
So you may as well, if you know about it, you may as well do it. The other big point, actually, is that the onus is on the data controller to keep records of the consent, so if there is ever a challenge, you can point to that record and say, “Well, actually, you consented on this date.” You also need to keep evidence of the privacy notice that you had in place at that time, so that you can point to the purposes that you identified to that individual. That might just be as simple as having a filing drawer with your privacy notice in it, and on the top of it, write the dates that it was effective from and to, because chances are, you’re going to need to update your privacy notice over time as your purposes change, etc., so just make sure you know what the privacy policy was in place at the time that that particular consent was collected. |
|
Okay, what else do I need to talk about? I guess that’s kind of the overview. I’d say the most important thing is to really understand the lawful ground of processing. I think once you get that right, it’s all good, you know? But also, don’t forget that consent is just one of those lawful grounds because otherwise, I think people tend to try and tie themselves up in knots trying to work out a way that, is consent necessary, here or here, and how do we get our tick box? Oftentimes, you don’t need that consent at all, so just remember that consent is not the answer to everything in terms of data protection. What else should I talk about? I could talk about Facebook advertising? |
Garrett Holmes: |
Yeah, I think diving into Facebook advertising would be a great place to go here. |
Suzanne Dibble: |
Okay, because I know a lot of people have got concerns over that. It’s not clear. I was speaking at a GDPR conference yesterday, and I was speaking to a marketer who, well, they were doing the session, actually, I was listening in on. She stood up and said to a room full of people, “Facebook marketing is dead due to GDPR.” |
Garrett Holmes: |
Wow. |
Suzanne Dibble: |
I was like, well, A, it really, really annoys me when people make blanket statements like that without any kind of discussion of the background and the things that led them to that conclusion. I went up to her afterward and said, “Well, I don’t agree with you.” She said, “Clearly, you’re going to need consent for people to use Facebook marketing, and no one’s going to agree to that, so Facebook marketing is dead.” I said, “Well, I disagree with you.” In my view … So, okay, let me take a step back. The way to think about Facebook marketing, and indeed any social media platform, is that when the data is on their platform, they’re in charge of it. They’re the data controller. They need to have got the lawful ground of processing for that data themselves, yeah? |
Garrett Holmes: |
Yep. |
Suzanne Dibble: |
Yeah, okay. So, if people are sending me LinkedIn InMail or whatever, I don’t really use LinkedIn much, but they’re sending me an InMail or whatever, then that should all be governed by the terms of that service and their own privacy notices, yeah? And they have agreed to use that functionality. Where I become the data controller is when either I take their data off that platform and do things with it in my own email marketing or whatever else, or if I have my own data and upload it to that platform, yeah? So if I’m creating a custom audience in Facebook, for example, and I take my email list and upload it to Facebook, then I’m the data controller, and I need to have made sure that I have a lawful ground of processing for that purpose, okay? |
|
So, I then have to ask myself, okay, well what is my lawful ground of processing for putting people into Facebook so that they can see my Facebook ads? The debate that I had with this lady was she said it would clearly be consent, and I said, well, actually, I think it would be legitimate interest. We had this discussion, and the ins and outs of it and whatever. She ended the conversation by saying, “Well, phone So-and-so,” who is like the preeminent privacy lawyer. I know you guys think I’m the preeminent privacy lawyer in the UK, but I’m not. I’m just very good at translating this kind of stuff for digital marketers. But the guy. |
|
So, I phoned him up, and I say, “Hi, So-and-so.” Tell him this conversation, and he said, “No, I agree with you.” Thankfully, because I thought I was going a bit crazy. He said, “No, I completely agree with you.” So, the good news is, we think, me and the preeminent privacy lawyer think, that you would be able to rely on the legitimate interest ground for Facebook advertising. So where we upload our lists into Facebook, we would be able to rely on legitimate interest, and you would not need to get consent to Facebook advertise. You can imagine, can’t you, if you emailed your list or at the point of collection, a lead magnet, if you say, “Tick here if you are happy with us to use your data to send you Facebook adverts,” nobody’s going to tick that, are they? |
Garrett Holmes: |
Right. |
Suzanne Dibble: |
It’s hard to make that enticing, don’t you think? |
Garrett Holmes: |
Yeah. There’s no pretty way to put that. |
Suzanne Dibble: |
No. That, for me, is a key one. If people are saying to me, “You need to go and get consent to do Facebook ads,” then that’s going to be remarkably difficult for people, I think. Now, what you do need to do, is you need to put it in your privacy notice, for sure, and tell people that that’s what you’re doing, but that’s very different to having a tick box. |
Garrett Holmes: |
Absolutely. |
Suzanne Dibble: |
Yeah. So, what also it would be a good idea is that obviously, people can opt out of your email list, because you’ve always got that unsubscribe at the bottom. Now, if people opt out of that, then it would also be a good idea to opt people out of your custom audiences list on Facebook so that you’re not pissing people off because that’s how complaints are going to be made. If you can do that and if you’ve got people who can check that on a weekly basis or even a monthly basis depending on the frequency of the Facebook ads that you’re doing and the number of data subjects that we’re talking about who are opting out, but if you keep fairly on top of that, then that seems to me to be a sensible thing to do so that you’re not pissing people off. |
|
But for me, I think, and the data collection lawyer that I spoke to also thinks, that we can rely on legitimate interest, which is good, because otherwise, like I said, I was very concerned, because I do a lot of Facebook advertising myself for my own business. If you were saying to me I can only Facebook advertise to the people who tick the box, then that was concerning me. So, what else do I need to say about the Facebook advertising? Yeah, so Pixel, people are saying, “Oh, can I still use Facebook Pixel?” Well, yes you can, because that’s an example where Facebook are the controller of that data, okay? But what you really need to have i a cookie policy that spells out what cookies are being used on our websites. |
Garrett Holmes: |
And you see that a lot more now. I mean, just in the past couple of weeks, I’ve seen so many of the websites that I frequent with a bar up top, Updated Cookie Policy. |
Suzanne Dibble: |
Yeah, exactly, yeah. That’s another thing, so we need our new privacy policy, we need our new cookie policy, and yeah, that’s kind of what I’ve talked about so far. So, that is Facebook advertising. Can I just talk a little bit about using processes, because I think that’s quite key? |
Garrett Holmes: |
Yeah, absolutely. |
Suzanne Dibble: |
If you use anybody that processes your data and they are a processor, you have to follow certain steps. If you’re in the EU and you’re using processes, well, anywhere. There’s another set of hoops to jump through if they’re based outside of the EEA. But if you are using a processor full stop, then you have to follow certain steps. Essentially, the logic here is that you’re protecting this data. You can’t then transfer it to a third party who’s got no controls and security and whatever else and it can get hacked into and stolen, etc., so it’s really some steps to make sure that that chain of protection continues in place. |
|
So, what does GDPR say about using data processors? Actually, let me say who might be a processor. People who are processors are, like I said before, people who are doing your Facebook ads for you, people who are doing something with your email list. Maybe it’s a virtual assistant, payroll providers, bookkeepers, even people like Xero, so if you use cloud-based accountancy software, Infusionsoft, MailChimp, AWeber, Google, Facebook in itself, all processors. They process our information. |
|
It could be you’re a one-man band, it could be a freelancer that’s a processor, or it could be Facebook who’s a giant organization. You’ve got all these different scales of people who are processors, but essentially, they are processing our data, our lists of data under our instruction. What GDPR says is that you can only use processors who are GDPR compliant. In my group, we have a spreadsheet of the bigger processes who we have questions of, and we know where they are in terms of their GDPR compliance. We know that people like MailChimp are already … Well, they say they are GDPR compliant. So, AWeber. I think Infusionsoft is a little bit behind the curve, or it was last time I checked. There’s a schedule in my group of common software applications like that, and where they’re up to on that. |
|
But what we need to do is ask our processors, so we need to sit down and we need to do a data inventory of all of the data that we hold, where we got it from, what we do with it, what our lawful ground of processing is, how long we store it for, what the security is, and particularly, which third party we transfer it to? And you get your list of processors, and then you need to literally get in touch with those processors and ask them a list of questions, which is all eliciting whether they are GDPR compliant or not. |
|
If the answers are, “We’re not compliant,” then legally, we have an obligation as data controllers not to use them anymore. This applies to people in the States. Obviously, if they are a processor and their customers are people in the EU, then that applies, but also, it applies to the extent that they are a controller, and if they are processing data of people in the EU, then they need to make sure that their own processors have that same level of protection in place. |
Garrett Holmes: |
Makes sense. |
Suzanne Dibble: |
They’ve got to comply with GDPR. |
Garrett Holmes: |
Would there ever be an instance of a processor not wanting to be GDPR compliant? I mean, it just makes sense, if you’re a big processor and you’re dealing with data around the world, you would just become GDPR compliant? |
Suzanne Dibble: |
Yeah, absolutely. All the big ones are, well on top of it. |
Garrett Holmes: |
Great. |
Suzanne Dibble: |
Yeah, yeah, no, they are. It’s the smaller ones, really, that you’ve got to have a think about because again, it’s a risk analysis. If you’re not doing large-scale data processing and you’re not doing anything too invasive with that data and maybe you use a freelance VA in the States and she hasn’t got a clue about GDPR, then it’s your risk analysis as to whether you continue to use her or not. But legally, by the letter of the regulation, you should not be using her if she is not GDPR compliant. |
Garrett Holmes: |
Yep. Makes sense. |
Suzanne Dibble: |
Okay, so the first thing there is to put the processor … Sorry, you’ve got to make sure that they are GDPR compliant. And what do I mean by that? Well, there’s due diligence, like I say, you just ask them a list of questions. “What are you doing about this, what are you doing about this, what are you doing about the other?” And those questions are in my Facebook group, if people, I’m sure you’ll put the link to it at some point. Those questions are in there. |
|
The second thing to think about is GDPR prescribes the things that should be included in an agreement between you and the processor. It’s mandatory to have an agreement between the data controller and the data processor that sets out these, it’s about eight things that the GDPR says you have to have in there. This is all designed to ensure that protection of that data. You either have a standalone process or agreement, or you can incorporate it into your service terms and conditions. That’s what a lot of the big processors are doing. Like MailChimp isn’t writing to all of us with an individual processor agreement. They’ve just amended their terms of use to include the things that you need to include in there to be compliant in that respect. But if you’re dealing with smaller processors, then you’ll need to send them a processor agreement to make sure that you’re covered. |
|
What else on processors? Just be aware that with GDPR, what it has brought in, which is new, is liability for processors. It is something that if you are a processor you need to take really seriously, and I do lots of videos in my Facebook group, but there are specific videos in there on the liability of processors. If you are a processor, go and check that out, because that is, for you guys, that’s the biggest change that GDPR brings in. It’s your own liability. You’ve got to be really, really careful about using sub-processors because again, it’s protecting that chain of data. There’s no point of the controller being compliant and the processor being compliant, but then that data is transferred to a sub-processor who isn’t compliant at all, and there’s a data breach at that level or whatever else has happened at that level. So, you’ve got to think about that chain of data. |
Garrett Holmes: |
If you’re the controller and you’re compliant and your processor is not compliant, I guess, can both of you get in trouble for any issues with the data that gets used there? |
Suzanne Dibble: |
I think that if you have done everything that you should do as a controller and you’ve asked the right questions of the processor and you’ve put your processor agreement in place, then the fact that the processor, that something does happen with the processor, then the controller wouldn’t be liable for that. If the controller just has ignored the whole issue and has just continued to use a negligent processor, then they would be. So, it’s very much an obligation on the controller to make sure that you are using a processor that is compliant, and then if it just happens that there is a problem … If you’re using a “compliant,” compliant in inverted commas, processor, but there’s a data breach, for example, then the controller wouldn’t be liable for that. The processor would. |
Garrett Holmes: |
Okay. Makes sense. |
Suzanne Dibble: |
Yeah, okay. What else do you need to know? What else do I need to tell you about? What are people concerned about from your perspective? |
Garrett Holmes: |
I think you’ve really covered the core of what we as marketers need to know, is just what steps do we need to take to protect ourselves and make sure that we are compliant? I think the biggest thing, which we did cover, was, what if I’m not in the EU, or what if I am in the EU? How does that differ? I think we’ve covered pretty much everything. One thing that I do want to ask you about is, what’s next? With these steps that the EU is taking with GDPR, not that you have a crystal ball or anything, but do you foresee this becoming more widespread around the world, as data compliance is becoming more and more of an issue? |
Suzanne Dibble: |
Yeah, I do. From comments certainly, from Senators, etc. on the Facebook case, there are definitely people who are pushing for increased regulation in the States. So, I wouldn’t be surprised if you see a … Mind you, I don’t know how long it takes to push through laws in the States, but yeah, I think there will be enhanced data protection laws in the States. I think other, certainly, Canada’s data protection laws are pretty good already, actually. They’re recognized as a country that has an adequacy finding. As I said, if you’re transferring data outside of the EEA, then you have to jump through certain hoops, but if the country has an adequacy finding, it’s almost as though you can transfer it freely. It’s like the EU said, “You’re good enough at data protection, so we don’t have to worry anymore about protecting the data.” Canada is one of those jurisdictions, so Canada’s pretty good. |
|
But yeah, I think as more scandals break out about use of data, like the Facebook and Cambridge Analytica case, yeah, I think that this is the start of it, really. I think you just can’t ignore it. Data’s so important now. The Economist said that data is the world’s most important asset. It’s more important than oil, so it’s only right that there is appropriate protections for that data. |
Garrett Holmes: |
Definitely, definitely. |
Suzanne Dibble: |
Would you like me to give you a quick, sort of quick checklist of things that people can practically do to wrap up? |
Garrett Holmes: |
That would be perfect. |
Suzanne Dibble: |
Okay, great. |
Garrett Holmes: |
And then if you could kind of share some resources. I know you have your Facebook group, but any additional resources as well and where they can find that group would be super helpful. |
Suzanne Dibble: |
Okay, great. What you need to do first off is understand what is personal data and what’s not, so I’ve covered that on this call, so hopefully you know now. Any data that identifies a living individual is within the scope of GDPR. The next thing is, carry out an inventory of the data that you already have, so you need to look at it from all sources. Obviously, you’ve got your email list, but you’ll have personal data on the suppliers that you use, your own clients, employees, freelancers, whatever personal data you hold in your business, then you need to get that down onto a spreadsheet and have a really good overview as to where you got it from, what was your lawful ground of processing, how long you keep it for, etc. |
|
I’ve put this pack together of pretty much all the documents that I think people will need to comply with GDPR, and a data inventory is one of those documents in that pack. If you’re trying to guess what that looks like, then you can just go and have a look-see at my pack if you want to. Number three is, really think hard about your lawful ground for processing that data. You’ve pulled together all your data, you’ve got your spreadsheet where you’ve pulled together all your data and you’ve written down line items of the data that you hold, and then the difficult part is thinking, okay, well, what is my lawful ground of processing? That’s really key, so don’t be tempted to skip that bit, because that’s really vital to do that properly. |
|
Then, if you need to get fresh consent for sending marketing emails to your customer list, then you need to start thinking about doing that before the 25th of May, or you kind of missed the boat. So, you need to be thinking about what’s a re-engagement campaign. If you’re thinking about Facebook retargeting for that so that if you’re already going into the spam of people, because they’ve not opened your last five emails, then think about how can you get in front of those people so that they can opt-in before the 25th of May? I’d be thinking of some really super valuable freebie, opt-in, and doing some Facebook retargeting on those people, so that you’re going to capture those people before you might not have a lawful ground of processing post the 25th of May. You need to be thinking about that pretty much now because we’ve only got a month to go. |
|
Then, think about whether you need to add any tick boxes to your website. Look at all your points of data collection, so that you’re probably going to have some kind of form on your website. If you do something like Leadpages where you’ve got separate standalone opt-in pages, then look at those pages, including all your historic ones, and think, okay, well, do I need to pull that down? Do I need to put a new one up? Do I need tick boxes? Do I need to do an audit thereof where you’ve been collecting your data? |
|
Put a system in place for storing records of consent, so if you’re using something like Infusionsoft, then obviously that does it already for you. I don’t know about the other email marketing systems, but make sure that you are recording those consents. You need to get a new privacy notice. Now, the easiest thing to do if you need one is go and get my pack, because there’s a quite a few in there, depending on what you need it for. You choose the most appropriate one and then fill in the blanks. You can, obviously, go and consult a lawyer one-to-one, but it’s going to cost you 10 times that amount, if not more, to do that. |
|
You need to redo your privacy notice, and again, that’s why it’s so key that you really get a good view on that data inventory of all the data that you hold and what the purpose is and what your lawful ground is, because all of that goes into your privacy notice, and if you get that wrong, and there are complaints later on, then you’re storing up problems for yourself. That’s a really key stage of doing all of this. And cookie policy, as well, as we’ve said. If you’re using things like Facebook Pixel or even Google Analytics, then you’ll need a cookie policy. That’s just for people in the EU. |
|
Yeah, if you’re transferring personal data outside of the EEA, so for example to an email service provider like MailChimp or a hosting company or a cloud provider, then understand the basis on which you’re transferring that data, so I don’t think we’ve got time to go into that now and people’s brains are probably already full what I’ve already said, but if people want to go into my Facebook group, there are lots of videos there on data transfers outside of the EEA. |
|
Then, one thing that we haven’t really touched on is, data subjects have got enhanced rights, so for example, as people become more knowledgeable about this area, what could happen is that they could write to you and say, “I want to know what data you hold on me,” and you’ve got to reply to that within a certain period of time. You’ve got a month to reply to that. And you can’t charge anymore. You can’t just sit on that and reply three months later because then they could report you to a supervisory authority, and you would get questions asked. I’m not saying you’d get fined, but you don’t want the hassle, do you, of being investigated by a regulatory authority? |
|
So, do become familiar with the enhanced rights of data subjects. There are, again, videos about that in my group. If you’ve got employees, then make sure you’re training them up on GDPR and the things that they need to be doing. I think that’s pretty much it. I’ve got a much more extensive free checklist that people can get hold of. |
Garrett Holmes: |
Okay, that’d be great. |
Suzanne Dibble: |
It walks people through the types of issues that they need to consider, and if you do want all of those documents that I’ve mentioned, there’s a link to it in my Facebook group, so if it’s going to be handy for people, they can get it. If they don’t want it, that’s absolutely cool, just come into the Facebook group and enjoy the discussion and the free content there. |
Garrett Holmes: |
Definitely. We’ll throw a link to the Facebook group there, but what is the name of it, and how can people find it? |
Suzanne Dibble: |
It’s called GDPR for Online Entrepreneurs, and then it’s got brackets, it’s UK, US, CA, and AU. So basically just trying to make the point that it’s not just for people in the EU. |
Garrett Holmes: |
Right, right, definitely. Awesome. Well, thank you so much for taking the time to talk through all of this with us. I know this is something, personally, that I haven’t had much experience with, and so now I feel much clearer on all of these issues and ready to handle all of this before the 25th. But yeah, we’ll- |
Suzanne Dibble: |
It could be something, you know, digital marketer could do a little freebie opt-in with a bit of a campaign around it to help people with their re-engagement campaign, for example. |
Garrett Holmes: |
Yep, yeah. |
Suzanne Dibble: |
That would be certainly, as one of your customers, that’s something that I would value. |
Garrett Holmes: |
Definitely. |
Suzanne Dibble: |
Yeah, you could maybe help people out that way. |
Garrett Holmes: |
Not a bad idea at all. Awesome. Well, again- |
Suzanne Dibble: |
Pass it up to the boss. |
Garrett Holmes: |
That’s right, that’s right, awesome. Well, thanks again, Suzanne. I hope you have a great rest of the day. I know you’ve had a lot of talks today, so go get some rest and relaxation for the rest of the afternoon. |
Suzanne Dibble: |
Thank you. Thanks for that. |
Garrett Holmes: |
All right, yeah, bye now. |