#009 GDPR Special interview with Andrew Wisedale, a GDPR Practitioner

Andrew Wisedale gives an expert overview of the General Data Protection Regulation, detailing what is coming, its implications for businesses, the misunderstandings that arise concerning this regulation and what is embedded in it.

The Ecommerce Uncovered Podcast is a behind-the-scenes look at what makes ecommerce a success in today’s ever-growing and continually changing online world.

The podcasts look to uncover the secrets of ecommerce success, so you can learn and apply to your own online business.

Brought to you by the co-founders of Core Fulfilment, one of the UK’s leading ecommerce fulfilment service providers, Paul Burns and Jeremy Vernon.

Jeremy Vernon: Hi, it’s Jeremy Vernon here, and welcome to another episode of Ecommerce Uncovered. GDPR is a big subject, that everyone seems to be talking about at the moment. So, I thought what a timely way to cover that in a podcast. So, very grateful for Andrew Wisedale, who’s joining me today, who is a GDPR practitioner. Welcome to the podcast, Andrew.

Andrew Wisedale: Hi, yeah.

Jeremy Vernon: Okay, let’s get into it, because I’m sure there’s a lot to cover here. First and foremost, the General Data Protection Regulation, also known as GDPR. Can you just give us a quick overview of what’s coming, and why it’s such a talking point for businesses at the moment?

Andrew Wisedale: Okay, it’s been in place, or available to use, if that’s the right phrase, for 2 years. I mean that’s the point. It came in in May 2016. But it actually applies from May 25th this year. That’s a European-wide regulation. So, it’s going to affect all the data subjects in the EU. If firms are particularly focused on commercial operations, then obviously it’s firms operating in the EU, and that includes firms based outside the EU, but who obviously sell to EU data subjects.

Jeremy Vernon: My understanding is this is the biggest change in data protection in the last 20-odd years. So, quite a big thing for businesses to take on. What are the major changes that are different to the old data protection rules that we are used to?

Andrew Wisedale: Okay, obviously, we’ve got the Data Protection Act 1998. So, that tells you. Obviously, there we’re talking about something that is 20 years old, very early days of the internet and the like. So, the world has obviously moved on. E-commerce in particular, the whole digital world in particular, has moved on, whilst it affects all data protection. I think that’s where people’s real concerns are. The thing that I stress to people about this regulation and what’s embedded in it, is, the fact that it’s principle-based. So, it really lays down as a regulation that you have to proactively manage the data and the data subject, as opposed to just worrying about, do I need to react in the right way, if something goes wrong. It talks about putting organisational and technical measures in place. Then whilst it gives you some more detail, that phrase in itself doesn’t give you a lot to go on. It puts the onus on the organisation to put those measures in place, and demonstrate that you have got organisation. You’ve got controls. You’re operating on a legal basis in the first place. So, whilst a lot of the core of the Data Protection Act 1998 is still in there, there are various aspects that have been enhanced, strengthened and the like. But it’s that principle of being proactive, and behaving in what’s called, a principle, more like a principle-based regulation, that is the main thing that people are grappling with.

Jeremy Vernon: Yeah, certainly from what I’ve seen, there seems to be a huge amount of misunderstanding, of confusion, grey areas about what people are. It would be good to go over a few of the basic definitions I suppose that we hear bandied around at the moment. So, there are 4 here that I think would be worth just clarifying what they actually are. So, a data subject. What’s a data subject?

Andrew Wisedale: Well, a data subject is basically anybody residing within the EU. They don’t have to be a national of the state. So, it could be an American living in Brussels. For that period, they are an individual residing within the EU. Obviously, the rest of us that live here full time, well, by definition, we’re obviously here. We’re data subjects.

Jeremy Vernon: Yeah, personal data. I know it might seem a simple thing to qualify, but what is classed as personal data in the context of GDPR?

Andrew Wisedale: It starts with, does the data identify you as an individual? Your name is obviously the key identifier. But then there are other identifiers as well, such as your national insurance number, your passport number, your driving licence number. Then when it comes to commercial organisations as well, even your account number and your reference number that you might use. Then branch out from there into the information about the person. Their date of birth, their financial information. It’s a whole category of data that will be of interest, their behaviours that are logged against them as an individual.

Jeremy Vernon: Okay, the final 2, I think there is an element of confusion about which sort of camp people fall into here. The 2 are data processors and data controllers. Would you like to just sort of give a quick overview of what the difference between those two is?

Andrew Wisedale: Well, if you start with the controller, so the regulation basically says that a controller is somebody who identifies the purpose and the manner of the processing. Again, one thing to bear in mind I think, is that, people who are controllers are typically processors as well. They may keep all of that in house. Now, having said that, there are people out there who are happy providing services, in the commercial world in particular, where they will be processors. So, you might engage with a firm to provide a service. You could very well do that service yourself. They might have the expertise. They might have the economies. That might involve you passing out personal data for them to actually process. As the controller, you’re making those decisions. The processor is just acting on your behalf.

Jeremy Vernon: Okay, so let’s put it in context of the e-commerce retailer. So, they will collect personal data of the data subjects in various different ways. But the main one is that someone will trade with them. They will buy a product from online. They will supply them with all of the personal details, including delivery address. In that context, they are a data controller of that personal data. Now, if they then, obviously, if they’ve got their own warehouse, if they fulfil that order to their customer, they’re processing that data. So, they are a data processor in that context. Is that correct?

Andrew Wisedale: Yeah.

Jeremy Vernon: If they’ve outsourced that to a fulfilment warehouse like ourselves, where does the sort of responsibility, I suppose, under GDPR to make sure that data is kept safe and secure, where does the liability lie, for making sure that that data throughout the process is safe and secure?

Andrew Wisedale: It predominantly lies with the controller. Having said that, the processors are in scope. The regulator may be unhappy. There may be an issue with the processor, and the regulator could take action against the processor. The regulator may go to the controller and the processor in that case. But predominantly, I mean, this is again where the regulator’s putting the onus on the controller. Again, this is the thing I stress to my customers, is, you will do due diligence on somebody providing you with a service of a commercially important nature, particularly obviously, again, if there are sensitivities to that activity in its own right. So, you want to be dealing with firms who have passed that due diligence test. There are obviously particular security arrangements around data processing that you should be interested in now in particular.

Jeremy Vernon: So, I’m an e-com retailer, I want to outsource my fulfilment to someone, what sort of checks should I make to make sure that that data is going to be as secure as it needs to be to meet the regulation?

Andrew Wisedale: The idea is you’re given a lot of help there, because there are actually 8 clauses that they recommend go into a contract as mandatory clauses. Those clauses are fairly easy to understand. They should only act on written instructions, for example. They should make their staff aware of the importance of data protection, the need to operate when confidentiality is required. They should only operate on a confidential basis. Then those 8 points carry all the way through to, particularly, the security arrangements, that there should be known and documented security arrangements in place.

That’s again, I think, where firms need to be aware in particular that it’s fairly easy for lawyers to draw up these standard terms into contracts and the like. What I always encourage, because it’s not a lot of work, but it’s a bit, is that, you typically need an appendix at the back of a contract where the lawyers would have drafted all of the standard terms. The lawyers typically won’t, unless you explicitly ask them to, get involved in the detailed arrangements that are pertinent to that particular customer-supplier relationship, where you would maybe have named people responsible for things. You might have particular security arrangements that either you want or have been offered in relation to your particular agreement. That’s the sort of detail. Again, don’t forget, this is all about being proactive. It’s all about putting these things in place that stop data privacy issues arising in the future.

Jeremy Vernon: Certainly, if you’re outsourcing information, a lot of that data will be transmitted via sort of closed systems, via sort of APIs which is internet based. Is it down to the system to provide that level of security to ensure that there’s no breaches, people can’t access information when they are not sort of authorised to do so? Is it down to the system providers, or is it down to the data processors? Where does that responsibility lie?

Andrew Wisedale: The thing about the data processing agreement, again, it’s a common question. It’s a joint agreement between the controller and the processor. It depends where the power is, it’s almost in the relationship, drawing up the agreement, commercially. If you’re a small firm and you deal with Amazon, you’ve not got a lot of say. But a well-written data processing agreement is an agreement. It’s not particularly a contract of, where you provide X to me. It’s a mutual agreement, which will cover whatever needs to be covered to preserve the privacy issues, and deal with the privacy issues on both sides.

Jeremy Vernon: Coming back to e-com, obviously you might have a retailer that is taking obviously that information in the first place. They then pass that data to that same outsourced fulfilment operation. Obviously, they have an agreement. But then, for example obviously, if something is going out in the courier network, there’s a label printed with a significant amount of the personal data of the data subject. That’s then passed through the likes of DHL, DPD, Royal Mail, whoever. How does the relationship between the retailer and the courier then work?

Andrew Wisedale: It’s an interesting one, because I’ve seen a couple of different interpretations of it. Personally, I believe that the courier networks are controllers in their own right. Because, if you want to use a courier, if I want to engage with a courier, I’m not going to dictate to the courier particularly what information they need. It’s for them to decide that and tell me that. I might not be happy with that, or I need to probably be aware of it. If there was something spurious in the information that it appeared to need, you might say, I’m not quite sure why you need that. I would have thought that’s fairly self-evident. The courier would only take the minimum information. They then are controllers, because they are going to want to keep their own records. They are going to decide. If you rang DPD tomorrow and said, can we delete all the information relating to our deliveries for the last 3 months please? I’m sure they’d say, no. Whereas in a typical processor-controller relationship, you would have that sort of authority, if you like, that they can delete the data, and certainly should delete the data, when the end of the agreement comes.

So, that’s a sort of test in a way you can apply. As I said, these controller and processor labels aren’t necessarily always clear. Because again, I think it’s fairly self-evident that all the payment processors are controllers in their own right. They are not a processor acting on your behalf in this sense, whilst we know we’re utilising them. They are processing data. But again, if you spoke to any of the payment gateways and said, do we have total control of all this data that you’re actually holding? The answer is no. The payment gateways all know that they are working to their own standards, which are then payment industry standards in their own right and the like. So, it’s not necessarily clear in all of these relationships how the land actually lies.

Jeremy Vernon: That’s what I’m sort of seeing, people really not understanding, certainly, whether they are a processor or whether they’re a controller. I saw, I think you mentioned, I think it was a post you put on LinkedIn, it was about 2 delivery companies which have 2 different views on what they should be. So, obviously very related to e-com. Something you mentioned there about deleting data. I think again, this is another area where, certainly from my understanding, there’s quite a lot of confusion. There are obviously certain aspects of how long you should keep data for, the process for you to delete it. From a practical point of view, let’s say from an e-com retailer’s perspective, in reality, what does it mean?

Andrew Wisedale: I mean, it’s probably very applicable in the digital world. It comes back to the principle of the regulation in the first place. The regulators and the regulation are designed to stop the constant accumulation of data. So, therefore they are looking for firms to put in retention policies. Most firms have never considered it. Most firms have data going back from the day that they started, or the day that that particular platform was put in place and started to be used. That’s what the regulations are looking at. The regulations are looking for you to acknowledge whether it’s all acceptable to just have a never-ending accumulation. So, therefore the answer to that is to put in some policy around what you would do with security arrangements in the first place, identifying data subjects probably into categories of live customers, past customers. Maybe you’ve got mixed in there people who’ve never actually transacted, but you ended up with their details through an abandoned enquiry, or cart abandonment, or whatever. So, it’s about where is all this data. Then what management policies have we got around how long we keep those.

Now, there are a lot of people who are going a bit trigger happy I think, and telling people, oh, you need to delete everything by May 25th. Again, I would absolutely caution against that, but what you mustn’t have, is, the head in the sand approach of saying, let’s hope this goes away.

Jeremy Vernon: Coming back to an e-commerce retailer. So, they’ve got as you say, probably their system, they’ve had that system a few years. They’ll have all the data from a few years ago and all the customers that’s ever bought, and as you say, abandoned baskets, all that sort of stuff. In terms of length of time, what’s reasonable these days under this new rule? Because a customer might come back once every 2 years. They might come back every month. How long do they keep that data for, within these rules in a reasonable sense?

Andrew Wisedale: I might be accused of ducking the issue on this. I think you’ve got to justify the reasonableness. So, yes, somebody might come back in 2 years, but so what? Is that not just okay then? If we’ve deleted the data after 6 months, but they came back after 2 years, then maybe 6 months is the right period. Maybe 3 years is the right period. But I think, if you’ve got the data sat there in your system from somebody who enquired 2 years ago, the question to ask yourself is, do we really need this data? Why is it sat there other than the fact that they entered it, and we’ve never deleted it?

Jeremy Vernon: Okay, obviously there’s lots of talk about if you are found to be in breach, and the penalties as a result, and they are quite hefty by the sound of it for non-compliance. I just want to talk a little bit about, first and foremost, what is considered a breach? Can we put it into a scenario, so we really understand what that would be?

Andrew Wisedale: Okay, well, a breach is where the systems have broken down, and data has either been accessed by somebody who shouldn’t access it, or we’ve found that we actually should have deleted a load of data that we have actually not deleted. I think the important point is, you’re expected to keep your internal record of all these issues. What the regulations are looking for there, it’s a bit like the old quality management world of complaints management, for example, where you go, well, let’s take the value out of a complaint, by getting to the root cause and trying to put systems in place to stop it happening again. That’s exactly the type of approach that’s being looked for, for breaches themselves.

Now, what the regulation then actually requires, is that, if there’s a significant risk to the individuals, then that’s where you should notify the Information Commissioner, and actually inform them that that’s actually happened. Now, you need to be well ahead of the game, because their first question back to you would be, what have you done about it. So, it shouldn’t be a case of, this has happened, what should we do, Mr. Commissioner? It will be about what you have already done.

Jeremy Vernon: This is basically holding your hand up to your own issues, informing them of a breach. Would that then automatically result in a fine?

Andrew Wisedale: No, the fines are split into 2 levels, where a significant breach is at the higher level of up to €20 million. Lesser infringements of the regulation, which are not necessarily a breach, are at the €10 million lower level. It’s within the gift of the Commissioners to actually look at the impact, the scale of the issue. The Commissioners themselves have said that it will be about what steps you actually took, going back to this being proactive. So, the big fines will come where firms have been discovered to have been either negligent or reckless. They have either done nothing or minimal, or they have known about something significant, and the risk, and have not done anything to mitigate it. That’s where fines of any type will probably come in. If you can show that you actually did a lot of work on this principle basis of being proactive, then you’re likely to get, shall I say, a more sympathetic hearing from the Commissioner.

Jeremy Vernon: So, just coming back to a real example. So, let’s take our business. We make a policy that we obviously get information from all of our customers. So, we’re given, through the systems integrations that we have, personal details of everyone that we would send a parcel to. We make a decision that, for example, we keep our data for a year, just to give an example of a timeline. If we do that twice a year, we have a purge of that data twice a year. Would that fall into the reasonable, proactive stance of what we do with that data, first and foremost?

Andrew Wisedale: Yeah.

Jeremy Vernon: So, if we then on the 6-month kind of anniversary, forget to delete our set of data, that would be considered a breach of the new rules?

Andrew Wisedale: Yep. Well, it’s a breach of your policies, isn’t it, which is…?

Jeremy Vernon: Under that circumstance, we internally discover we haven’t deleted that data on the sort of 6-month anniversary, when we said we would do it. We then need to go to the ICO and tell them that there’s been a breach, and we haven’t followed our own, in effect, our own rules to discover this data. As you say, their first question to us would be, so what have you done about it? We would say, we’ve reassessed. We’ve deleted the data, and we’ve made sure that we have a more robust reminder system for those 2 dates in the year to assess data. In those circumstances, what do you think the ICO would do? Would we potentially get a fine?

Andrew Wisedale: Yeah, it’s a dangerous thing for me to speak on behalf of the Commissioner. I appreciate that. I would imagine, no. It’s a quick-shot answer, possibly undertakings. As I said, they would look at what you’ve already done. If they were happy with what you’ve already done, you’d get that acknowledgement back that says, we’re okay with that, providing you now stick with it. If they are unhappy with what you’ve done, they may like you to give more undertakings, on whatever it is they’re unhappy with.

Jeremy Vernon: Yeah. Just as new businesses and a new way of working, it’s a very self-assessment style sort of way of working. Presuming in the UK, it’s the ICO we go to, what is the incentive for us to phone the ICO and say, actually we’ve been in breach? Because if we rectify that breach internally, for example, how would they ever know we’ve been in breach at any point in time?

Andrew Wisedale: They wouldn’t necessarily. It’s a little bit like the seatbelt law that I quote to people. If I drove home from here without my seatbelt on, could I get away with it? Probably, once. I’m sure over a number of occasions, there will come a time where I don’t manage to get away with it. So, that’s what they are looking for. I mean, they would regard the non-reporting of something that should be reported as recklessness, basically, where you’re aware of it, and you’ve not done it. You would get a very difficult reaction from them, just on that basis.

Jeremy Vernon: How is the ICO? What would they be doing sort of after the 25th of May, obviously just in terms of the timing? We’re just over 2 weeks away from that deadline. By the time this podcast actually goes out, it would be slightly less than that. As of the 25th of May, what is going to happen? What is going to change for businesses? In terms of, if they put the policies in place. They put their internal processes in place. They follow those. Are the ICO going to come knocking on the door randomly and say, we want to come and check your data protection regulations?

Andrew Wisedale: Well, again, very unlikely. I would imagine it’s very much like the FCA, who again have limited resources in terms of being able to manage the market as a whole. So, the answer typically comes from complaints, from members of the public. There might be a theme to complaints, where more than one individual has got an issue. It’s obviously a source to them. They may very well do what I’ve got to describe as thematic-type reviews, where they might be concerned about a particular sector. They might invite themselves in, or you might get invited to take part in a study that they are doing on a particular sector.

Jeremy Vernon: What sort of powers are they going to have? Have they got increased powers from sort of now up to the 25th?

Andrew Wisedale: Well, it’s just the application of the regulation. I mean there was this furore, wasn’t there, at Cambridge Analytica? They had access to search their premises. So, I mean that was still waiting for that under the Data Protection Bill, which is the British legislative equivalent or replacement to the DPA 1998, and it also deals with Brexit, and will leave it on the British Statute Book, as a British law. So, it’s more that the ICO can enforce GDPR. There are more rules or principles to be broken now within the scope of GDPR, and the penalties that are available to them.

Jeremy Vernon: Email seems to be a real common thing at the moment, this whole sort of concept of consent and opting in and opting out, that sort of stuff. I’m sure everybody is in the same boat at the moment. But we’ve just seen our email inbox just seems to be full of people going, we need you to re-consent, re-opt into our emails to be able to communicate with you after the 25th. Are there some misconceptions and misunderstandings around email at the moment that you’re seeing?

Andrew Wisedale: Well, yes, I think that’s the short answer. It’s difficult to see what’s happening behind the scenes, because I think the point really is what records do these firms actually have. They’ve obviously got your email address to send you the email. I don’t know whether they’ve got a marker that says what date they’ve had that email address since. I don’t know whether they’ve got the content of the consent notice that was used on that date.

Jeremy Vernon: So, is historical consent acceptable under the new rules?

Andrew Wisedale: If it was to the standard of the new rules, then yes. The reason I say that is that this has been in place for 2 years. The ICO has had its guidance out for a while. So, if you have been working to that, then yeah, it is highly likely that your consent is actually good enough. The problem with GDPR is, you’ve got to be able to show that you have obtained it in line with the new requirement, or the GDPR-level requirement, shall we call it?

Jeremy Vernon: Now, obviously, there are businesses out there that will sell data for marketing purposes. So, a cold calling list, or specific data for a specific sort of industry. Now, presumably, they are the data controller in this context. But they might sell you data so you can do some marketing for your own business to try and, obviously, build your business. How does all of this affect that type of data that you see, sort of people here selling a database of e-com retailers, or whoever it may be?

Andrew Wisedale: Well, it comes down really to what I was talking about before, about due diligence. I’d caution that people do ask some serious questions around the offer of some data on that basis, because you’re going to want to know, where did this data come from? Can you show me maybe the consent wording that was actually used? What are its origins? I mean, (A) it’s the reputation thing. (B) You would absolutely be in the line of illegally emailing people that you shouldn’t be emailing, basically. If you sent out 100,000 emails just based on the fact that somebody offered me these email addresses, and they said they were okay. You can’t pass the buck, if you like, back to the supplier on that.

Jeremy Vernon: So, the advice there would be to do your own due diligence, as you say. Make sure that that has been collected in a way that would satisfy current regulations, even though it would be on historical data. I mean, there’s Wetherspoons, isn’t it, that have just deleted all of their database, coming off social media altogether. What do you make of that? Is that just a real immediate reaction?

Andrew Wisedale: Well, yeah, they use all these as a marketing ploy in this.

Jeremy Vernon: He’s got a lot of press. Are you seeing businesses react like this, a real sort of, we don’t know what to do so we’re just going to delete all we’ve got?

Andrew Wisedale: Yeah, I think the problem lies in the databases that they’ve actually got, and the content of those databases, and their ability to reference back to how that consent was actually applied. Then the more sophisticated approach, or the more proactive approach, which they are adopting, is this, where they may be offering subscriber dashboards for people to use for the first time, where you can opt into various types of communications and opt out of others, as opposed to just having, are you happy to receive emails, type with a single box. So, again, I mean, a lot of brand-driven type segments are moving more and more towards that, particularly the hospitality sector, for example, all the hotel chains, where, if you’re in the loyalty schemes and the like, and some recruitment agencies are all doing that as well.

Jeremy Vernon: Okay, one of the things I wanted to talk about is where people are using software to profile people. So, an example of that would be, albeit I get called by people that provide this sort of service all the time, but it’s where people obviously go to your website. They will profile them using IP addresses and all such things. So, that person will certainly never consent to give you their details. Now, they may accept your cookies on your website policy. But you obviously then effectively harvest that data through quite clever means, of where they are coming from and cross-referencing various different things. So, you can ultimately find, or try to find out, who they are. How does that sort of data fall into the new regulation? Because there is no consent there at all from, here’s my email address, please contact me type consent, is there?

Andrew Wisedale: No, one of the rights that a data subject gets, amongst a number of others, is to object to automated decision making and profiling. So, particularly in an online environment, you need to be including in your privacy notice that you’re intending to do that. You should be making it clear to them, in non-legalistic language and almost preferably without using the word, profiling, because a lot of people wouldn’t understand what that actually means. The ICO guidance again always talks about using user-friendly language in these scenarios. So, with respect to any lawyers listening, it’s almost a bad decision to ask a lawyer to draft some of these notices. But yeah, you get the right to object to that. Now, they could accept the privacy notice at the time, in which case they are accepting that it will happen. They can then object later down the line, and your privacy notice needs to say how they go about objecting to it, and whether that’s even possible. I mean, as per the Facebook scenario, there are going to be some interesting developments and proper court cases over all of that.

Jeremy Vernon: So, take that as an example. So, someone comes on our site, our terms and conditions and our privacy notices on our site say we are collecting this data, and we could use this for our own purposes. We decide, we see through one of these sort of analytical type profiling software packages that a certain person from a particular company has been on our site, didn’t do anything, didn’t leave any contact details, and then we decide to contact them relatively soon. So, they haven’t come to us and said they want the right to be forgotten. Are we in breach at that point? Or, because they haven’t requested anything with that data, we’re okay to follow that up?

Andrew Wisedale: You have to look at it a bit more closely.

Jeremy Vernon: But I think there are lots and lots of snarls, aren’t there? What if?

Andrew Wisedale: Yeah, I mean if we’re talking about marketing activity, GDPR particularly highlights marketing, and gives the data subject the right to object to it, remove themselves from it, and the like, whether that’s through the initial consent in the first place, which is the most typical traditional way of doing it. The whole profiling aspect, as we said, is maybe a bit of a grey area. But yeah, it’s going to be interesting.

Jeremy Vernon: It is. So, just to add another scenario, when people fall onto or land onto a website for the first time, under the new rules, are they to be asked certain questions before they sort of continue? Knowing obviously, you usually get these cookie notices or privacy notices that come up as a pop-up, or a banner, or something. Has that got to happen so that people have the choice of what can happen with their data at that point on their first visit to a particular site?

Andrew Wisedale: GDPR talks about as you collect the data. They need to be made aware of what that is. That’s where the delivery of the privacy notices comes in. Now, having said that, again I mean, the ICO actually promote this, this ability to have these messages that sort of appear when you hover over the box, and it tells you what the contents of that particular field is going to be used for. Because again, whilst most people are referring to privacy notices in drafting multi hundred, if not thousand word privacy notices…

Jeremy Vernon: Which are hidden somewhere down in the site then.

Andrew Wisedale: They are not user-friendly, are they? People do not, either read all, or certainly some of the important bits of them.

Jeremy Vernon: I mean, the great example probably of that, would be, someone’s mobile number, for example.

Andrew Wisedale: Yep.

Jeremy Vernon: Now, if you, as an e-com retailer, if you’re using a text-based tracking service like, DPD, it’s best to obviously collect the data subject’s mobile number. Now, not every courier wants that or needs that information. But if you’re using for example as I said, DPD or even Royal Mail, there are others, you will take that information. Presumably, because that’s not always taken at the point of sale, would you then in that scenario have to say, why you’re collecting a mobile number?

Andrew Wisedale: Yeah, it’s not clear from the example. But yeah, I mean it’s about transparency. This is the point. I think, people are potentially seeing a conflict between the commerce and the transparency. The people who will win on this, will have the complementary view of the commerce and the transparency. It’s like I said about the profiling. The least you should have on there, is, a message that says, we intend to profile data behaviour. To not even mention it at all, is, totally opaque and nowhere close to transparency.

Now, as to how explicit you have to be and the likes, you’ve got to balance that. People have got a way to understand it. You’ve got to time the delivery of the information like, we just talked about. It’s all judgement calls. There’s a lot of opportunities on creativity around website design, customer journey, and the likes.

Jeremy Vernon: Hugely complex and confusing area. Another thing sort of just as an example for specifically, e-commerce retailers. So, let’s say retailer has a way of signing up to a newsletter, sort of a marketing type data collection. Obviously, they could have the data collection through someone purchasing one of their products. Can those two sets of data be used for the same thing now or not buying a product to the effect? Are you consenting to be able to be marketed to a future date?

Andrew Wisedale: You shouldn’t be. I mean it needs to be clear.

Jeremy Vernon: A tick box of an opting, yes, please.

Andrew Wisedale: Yep.

Jeremy Vernon: You can contact me in the future.

Andrew Wisedale: Consent has got to be freely given, explicit and reversible.

Jeremy Vernon: If people have historic data, where those 2 things are very separate, and they haven’t got clear consent, what are they best doing with that data?

Andrew Wisedale: I won’t say delete it. I was with a customer last week. They had this problem of a database that goes back forever. I said, how old is your oldest record? I said, what’s the open rate on emails to that customer? If the open rate is 0, then do you want to keep them anyway? Yeah.

Jeremy Vernon: Common sense, I suppose from that perspective.

Andrew Wisedale: If that customer is actually opening 25 percent of those emails, let’s have another look at the situation. Do some business analysis on your marketing database in essence. Do a 360 on it. Get a group of people in a room and say, well, what different things could we look at here? I don’t know where the cross reference and against traditional hardcopy post and email shot, and the likes. Some people do that. Some people don’t.

Jeremy Vernon: Okay, I know this is a huge subject. So, we’d probably talk for hours on this and still not even scratch the surface. So, I’m just conscious that to end this. We’ll obviously ask you, if people want to get in contact with you and discuss sort of their particular scenarios with you, then they can get in contact. But from the work that you’ve done so far, and all the different businesses that you’ve spoken to regarding this, what’s the biggest misconception that you’re seeing over GDPR?

Andrew Wisedale: The first thing that happens really, that, we talk about context, and an actual example. With all respect to the ICO, there’s a lot of guidance on the ICO website. But everybody I speak to, you know everybody has read, and still want to work through an example in their world, and how it actually applies to them. Other than that, most people really haven’t really dug into. Most SMEs don’t have the resource probably, at the time to have dug into this. So, they’ve heard of GDPR. But they are unsure where to even start.

Jeremy Vernon: That’s certainly the impression and one of the reasons I wanted to do this podcast today. Thank you very much for giving your time. It’s great. I think it’s a great overview. It certainly reassures hopefully, people that it isn’t the end of the world, isn’t it, from a data perspective?

Andrew Wisedale: No.

Jeremy Vernon: A lot of it is about common sense, and putting as you say, a proactive stance in place. If anyone listening is struggling or needs a bit more clarification of how they are sort of dealing with GDPR. Obviously, this is going to go on for years, isn’t it? This isn’t just the sort of as of 25th of this month, is all in place and everyone forgets about it. Because I guess it’s a continuous improvement type program as well, where they reassess. We’re not good enough, if we’re here. We’ll put this in place. So, if someone wants to know more, or they’ve got a specific problem, and they want to come and ask you about it, and how to engage your services? How can someone get in contact with you?

Andrew Wisedale: Okay, well I’m on LinkedIn, Andrew Wisedale. I’ve got GDPR Journey as my company name. But that is just me at the moment. So, you’ll definitely get me. My email address is andrew@gdprjourney.co.uk.

Jeremy Vernon: Once again, thank you very much for joining us.
