The original story was about a potentially interesting webinar where the signup form fell short of GDPR requirements because it required two types of consent, both of which were made mandatory.
Nowhere on the form does it say I can withdraw consent, which is an absolute requirement under GDPR.
In that story, I attempted to tease out the responsibilities in this case. I said of both supplier Procurious and IBM:
Does Procurious have a responsibility here? Possibly. They’re creating the marketing message on IBM’s behalf and will do all they can to make the proposition as attractive as possible. But I cannot believe that IBM would have approved this campaign without some consideration of GDPR implications. If IBM did let this go as is, then someone at IBM needs a few lessons in GDPR and marketing under this regime.
As I explained:
On the one hand, I’m giving Procurious permission to process data as a data processor. I’m good with that because how else can they register me as an attendee?
But the moment that goes into IBM’s hands for marketing purposes then IBM becomes a data controller. As we’ve previously noted and advised, data controllers have far more responsibilities under GDPR than data processors.
Someone at IBM missed a vital check but, as noted, it has been rectified. But then I also know IBM takes GDPR topics very seriously so it is no surprise they acted quickly. GDPR is part of their consulting schtick so when something like this happens, they look awful.
It only took IBM a couple of days to find a way of both fixing the problem and contacting me - via LinkedIn, naturally.
I had a polite and useful conversation with an IBM spokesperson who fully acknowledged the issue (always a good start), explaining that the supplier cited a 'technical glitch' which was subsequently corrected. I'm good with that.
During our conversation, a few things came out, some of which are, perhaps, surprising, others, all too predictable.
According to IBM, I was the only person pointing out the issue.
This tells me that people continue to be unaware of their rights, or, for that matter, what they're really signing up for.
In the alternative, the topic teaser was deemed so good in the eyes of some that even if they know, they're fine with a GDPR compliance permission problem.
IBM has a 'myriad of small suppliers' all of which it endeavors to vet for compliance.
No-one is perfect and even the best of us make mistakes, IBM included. But the spokesperson was careful to point out that there are still lessons to be learned and that education in this evolving area continues to be important across departments, and especially those engaged in marketing activities. You'll get no argument from me.
US-based suppliers who act as data processors are missing the point.
We have said it before and we will continue to point out that, based on our experience of checking for GDPR compliance from our suppliers, few US-based suppliers truly understand the implications for us as their EU-based customers that act as data controllers.
In every case where I have raised this issue, vendors think that because they are compliant as data processors then that's OK. That's not the case at all. As I mentioned on the call, when data processors include processes or actions which empower a data controller to obtain private data, then both sides need to be sure that the manner in which that data is collected and used is compliant. IBM was open about the fact that this case was something that was missed in the campaign approval process. It's an honest mistake, but now I foresee another tick box item in the future of IBM's marketing campaign approval process :-)
As a side note, it is important to remember that companies can be both data processors and controllers at the same time. Wearing both hats at the same time can be tricky.
IBM did the right thing, providing a masterclass in problem resolution.
It openly acknowledged the mistake and ate an appropriate amount of humble pie without groveling unnecessarily. It also explained what happened at the supplier end and got it fixed before calling me up. IBM also acknowledged the difficulty in ensuring that everyone fully understands their responsibilities in managing a piece of compliance that is early in the 'adoption phase.' In short, lessons were learned and will continue to be learned. All good.
As an endnote, I felt bad for the poor person who got the unenviable task of calling me up. That person was on vacation at the time. At the end of our call, I made sure they knew that we're all good and wished the best for what remains of the family vacation. We sometimes forget that real people carry the can and it never hurts to be compassionate for the poor soul who has to clean up the mess.