GDPR - practical lessons from the user front line

Chris Middleton, January 22, 2019
Some important lessons in strategy and data management from the men and women whose job is to implement GDPR.

Last year, an English football team lost over 97% of its marketing database by following bad advice on implementing the EU’s General Data Protection Regulation (GDPR). That’s according to Chris Combemale, CEO of the Direct Marketing Association, who spoke at a recent Westminster eForum event on GDPR.

The unnamed team “in one of the lower divisions” originally had 100,000 people in its database – all loyal and passionate supporters from the local community, said Combemale. But following a lawyer’s instruction to seek a double opt-in under GDPR, that number fell by over 97% to just 2,500 prospects.

Since most of its communications were via email, and much of the original database consisted of engaged supporters, the team may have had an opportunity to conduct a legitimate interests assessment, or to rely on the soft opt-in for existing customers, but these options were never presented to managers by their zealous (or over-cautious) lawyer.

A good story? Perhaps, and you might conclude from it that Combemale thinks GDPR has been a disaster, but the opposite is true. While some organisations have doubtless been given bad advice, GDPR has been a boon to most marketers, he said. That’s because it has spurred organizations to modernise and put the tools in place to reach the Holy Grail of all marketing teams: the single customer view.

Positive action

The idea of GDPR being a spur to positive action was shared by the event’s keynote speaker, Jonathan Bamford, Director of Strategic Policy (Domestic) at the UK’s Information Commissioner’s Office (ICO). As I explained in my earlier report, the ICO has seen many organizations get to grips with the basics of data protection for the first time, thanks to GDPR.

The implication is that many had been unaware of their obligations under previous UK laws. However, this belated shift in perception has had an unfortunate side effect. Many decision-makers now believe that data protection is simply about GDPR compliance, and so miss the wider demands of the Data Protection Act 2018 – into which GDPR has been absorbed – as they apparently did with its predecessor, the 1998 Act.

As a result, much of the ICO’s current role is guiding companies through the rudiments of data protection they should have grasped years ago, Bamford suggested, and not just the small print of GDPR itself.

For the public and third sectors, GDPR has had a similar galvanising effect. Zoe Rowland is Head of Data Governance at the UK’s biggest charity in terms of the funds it raises: Cancer Research UK. Since mid-2017, it has been a full opt-in organization, and it prepared well in advance of GDPR to capitalise on the rules. Rowland told delegates:

We did this because we wanted to put supporters at the heart of what we’re doing. We have millions of people’s details. We don’t have permission to market to all of them, but we do have permission from an awful lot of them. It’s important for us to only talk to them when they want to hear from us.

The charity has 2,500 staff and around 40,000 volunteers, and everyone within the organization itself has been trained in data protection, she said. With its GDPR groundwork done early and strategically, Cancer Research UK is now able to move into a “business as usual” phase, monitoring and auditing compliance.

For this charity’s decision-makers, therefore, GDPR wasn’t simply a legislative tick box; it was an opportunity to ensure that its data processing is ethical, responsible, and appropriate, and so develop a closer relationship with its supporters.

That’s the right approach, not throwing up an ‘I agree to everything!’ window and hoping no one gets angry (they will).

Snake oil salesmen

But not everything is straightforward. According to data governance expert and former nurse Barry Moult, GDPR has also spelled opportunity to “consultants selling snake oil” – a bold statement for him to make as he runs a consultancy himself, BJM IG Privacy, which specialises in data protection training for the NHS.

Implementing GDPR in the health service is complex, he said, with patient data, local sustainability and transformation plans (STPs), multiple agencies, and more, to consider. Despite this, the regulations are “leading us in the right direction”, he told the conference:

Why do I believe GDPR is good? Because I’m now more in control of my data than I have ever been. [...] The industry is having to do more to protect my data. Data Controllers and Data Processors now have their own responsibilities and accountability.

But that’s only part of the story, said Moult.

As a nurse for over 40 years, I believe that we can – and must – share patient data for their future care, but we have a culture of being risk averse.

The last point was interesting. Moult shared an anecdote about a senior police officer, the Chief Constable of Sussex, telling the Information Commissioner that he had one problem with the Data Protection Act: its name. It should be changed to the ‘Data Sharing and Protection Toolkit’, he reportedly said, in order to help end the culture of locking up useful information.

Of course a policeman would want that – and let’s hope the Chief Constable gave his permission to share the story. But either way, GDPR goes some way towards giving decision-makers that toolkit, said Moult, enabling organizations to share information legally and safely. And for the NHS, one eye will be on a future of AI-enabled care and the influx of other technologies, such as robotics.

The quest for trust

But GDPR doesn’t just hold out transformative potential to the community, charity, and public sectors; private companies face exactly the same opportunities and challenges, unified by the search for trust, as Linda NiChualladh, EMEA Head of Privacy (Legal) at investment bank and financial services giant Citi, put it. NiChualladh could speak with authority on organizations’ common interests, as her CV includes stints in both the public and third sectors.

Data’s profound connection with human beings should be at the core of an ethical and transparent approach to sharing, privacy, and protection, she said:

Data is bits of people. It’s not just numbers, letters, Artificial Intelligence, and so on, it’s people. And that’s why it’s such an emotive topic and, in some ways, why the most rational approach to things doesn’t work. You might have a privacy policy that has absolutely everything in it, but it doesn’t stop [an organization] getting hundreds of complaints and hundreds of queries, because it doesn’t make sense to the person reading it.

Keep those policies simple, clean, and basic, she said.

For Emily Sheen, Manager of Data Protection Strategy, Legal & Compliance Services, at PwC, the key to implementing GDPR successfully comes from recognising its scope and feeding it into every part of the organization. She said:

There is a risk that organizations think they have ‘done compliance’ rather than embedded it in their infrastructure. The deeper cultural element that some organizations are adopting, building it into their ethical practices and raison d’être… those are the businesses that are really getting data protection and GDPR right.

Using data in a fair and transparent way is vital to maintaining trust and loyalty, she added. With the influx of AI into financial services too, the risk of breeding mistrust and disloyalty is strong. For this reason, embedding ethical data protection and privacy into the organization is vital, making it part of the strategic mission.

That B-word again

This was all well and good, and it was heartening to hear of so much common ground as a result of GDPR. But there is another factor - Brexit (apologies) and that ticking clock.

A point raised by the ICO’s Bamford at the event was that crashing out of the EU with no deal could have a serious impact on any organisation that holds data in Europe, in the absence of an adequacy agreement.

So do the NHS, PwC, Citi, and Cancer Research UK actually know where their data is? And are they concerned about this aspect of data protection? I put this question to them, since Bamford had raised it on the conference stage moments earlier as part of the ICO’s GDPR awareness campaign.

Cancer Research UK has been looking at the implications in recent days, said Rowland. While it doesn’t target people in Europe, she admitted that some data is held on the continent. As things stand, the organization “will probably be in a position where it can send them [Europe] data, but might not be able to get it back”.

Extraordinary. She added that she hoped some of the bigger cloud platform providers, such as Microsoft, are considering what their clients can do in these situations.

PwC’s Sheen confirmed that organizations need to “think about the prospect of a no-deal Brexit, in terms of data flows from the EU into the UK”, but added there was “no need to panic”. They should draw up standard contractual clauses for those data transfers, together with a plan for how to implement them.

Apparently speaking for the NHS (his bio says he resigned his post at Colchester Hospital last summer), Moult said:

Do we know where all our data is? We thought so. But then a random email came in and the Processor that we used just happened to mention that they were now, with a contract in place, storing their data in the cloud outside [sic] the EU.

So we thought we knew, but an arrangement had probably been in place for six or eight months, and they didn’t tell us. So there is still a lot of work to be done on ‘where’s our data?’, where it’s stored, and who has access to it.

Indeed: if one part of the NHS doesn’t know where its own data is hosted, this suggests a wider institutional problem of piecemeal contracts, lack of internal communication, and poor data management. Good luck with sorting out the mess in April while patients are waiting for life-saving treatments.

For Citi’s NiChualladh, the Brexit referendum decision coincided with gearing up for GDPR – as it did for everyone, of course. This placed strong emphasis on understanding data flows in a double context – a challenge she admitted had been “very difficult” for the bank.

Global corporations operating in multiple jurisdictions have to consider how to transfer data within their organizations, she added, factoring in affiliates and subsidiaries. This may involve “massive time and massive effort” in working out where their data is.

My take

And there you were thinking that ‘the cloud’ – that great marketing misnomer and confidence trick – allowed you to be more nimble and agile.

If Brexit teaches us anything, it’s that there really is no borderless fog of code in the sky, merely data centres built on land under national and supranational laws. The sooner people stop saying “Yay, my data’s in the cloud” and start saying “Er, my data’s on an industrial estate in Krakow” the better.

Will Microsoft and the rest sort out the mess for you? Actually, that may be your job.