Dr. Ian Birkby, CEO of AZoNetwork, takes us through the GDPR journey and the responsibility of anyone who processes EU Data.
The AZoNetwork Approach
I suspect you’ve heard a little bit about GDPR, the headaches, the pains, the lawsuits and hopefully some of the good bits, but if you need some more background here’s one of the more balanced articles from The Guardian, which includes a health warning for businesses, detailing how:
“…national media outlets are getting consumers excited about the ‘once in a lifetime opportunity’ to clear out their inboxes. So GDPR reconfirmation rates are averaging 10% – we’re losing 90% of our potential customers.”
The legal action started on GDPR Day 1, with the BBC reporting Google and Facebook being in the sights of Max Schrems, Austrian Lawyer and Privacy Advocate. It will be interesting to see how that plays out over the next decade!
Some AZoNetwork Background
As you’re reading this on AZoNetwork.com you’ve probably some idea of what we do in relation to our mission of “Sharing Science, Technology, Medical and Life Science Information with People who make a difference”.
In short, we give away tons of open access, relevant and timely content to interested parties across the globe. We pay our wages by introducing relevant scientific organisations, equipment manufacturers and service providers into the conversations we have with over 6 million monthly visitors via Articles, Interviews, News, Equipment Reviews, Video and Email Newsletters.
We’re proud of what we do, it’s an honourable way to earn a living and we receive weekly thank you messages from our audience relating to how we’ve helped them with their job, studies, health and interests.
However, being a non-spammy, white hat good guy doesn’t mean you can contract out of GDPR and those potentially massive fines of up to €20M or 4% of Global Turnover.
For organisations like AZoNetwork, a €20M fine could blow us out of the water, whereas a 4% additional “GDPR tax” on Facebook may not be viewed as a big deal to them. Consequently, we had every reason to take GDPR issues very seriously.
Our GDPR activities started to ramp up to a serious level in early 2017, with myself as the CEO (the guy who gets sued) driving the initiative alongside a crack team of GDPR Policy Nerds, Super Coders and some excellent external GDPR Lawyering to help us as and when required.
If you’re in the business of marketing scientific, medical, life science related equipment, goods and services you may use some third parties like us to help you access your target audience. On the back of our experiences I’ve set out below some of the questions we’re now happy to be asked about our GDPR journey and some of the key issues we feel you should be aware of.
I’ll also share the bad news, warts and all.
Obvious legal disclaimer: these are my personal views from our GDPR experiences, it’s not legal advice, you need your own legal advice in relation to your specific situation.
How to determine if someone has a lawful basis to process EU Data
There are many resources available that can help guide you through this question. The UK’s Information Commissioner’s Office (ICO) Guide is a good reference point. I’m just going to touch on a few key elements.
You may have a contract with a Media Partner or Agency but probably not with the ultimate audience. To resolve this issue many organisations rely on either GDPR compliant consent or legitimate interest between themselves and the audience member to justify a dialogue with the individual.
However, there is a catch – as mentioned above, having consent to have a dialogue with an EU citizen to answer their specific question or provide a quotation doesn’t necessarily mean you have the right to add them to your Marketing Campaigns. You need to assess your position on that one.
- AZoNetwork has taken the approach that we have always asked for consent to process personally identifiable data (PID), but we have beefed up our processes to be fully GDPR compliant and have adopted a cautious approach by seeking reconsent from any EU citizen who had previously subscribed.
If, on the other hand, you’re not that interested in Privacy Policies, here’s a snippet of our somewhat painful Consent Experience in relation to our Email and Newsletter activities.
How we endured the Reconsent Pain
We’re proud of our Newsletters, the unsubscribe rates have always been extremely low, they are very focused and if you’ve told us as a subscriber you’re only interested in Atomic Force Microscopes we only ever send you information related to Atomic Force Microscopes.
Personally, I don’t think we are really the people that GDPR was meant to target, but we were caught up in the collateral damage of the “GDPR bunker buster” being directed at the dodgy underground serial spammers.
Our GDPR compliance exercises coincided with the maelstrom that was Cambridge Analytica, Facebook using us all as the “Product” and a billion reconsent emails from anyone you’ve interacted with in the past decade.
Consequently, we demolished over 80% of our EU subscriber database. This hurt, but as it was 80% of a very big number, thankfully we still had a large number of highly valuable “engaged and remaining” European subscribers. Plus, we’re now able to power ahead confidently rebuilding our quality and GDPR compliant subscriber numbers.
We took this hit on re-consent issues as we adopted a very strict ethical/legal approach to our prior “Subscriber Consent” not being significantly GDPRish.
Glad that’s all behind us, now back to you, hopefully I can help you with suggesting some key questions you should be considering.
10 Example questions to ask of any Media Partners, Agencies or Organisations that supply you with Personally Identifiable Data (PID) from EU Citizens
There are many questions that you could ask of organisations you work with, all of which could be important, so please note these are a few examples, an exhaustive list would be running to “Lord of The Rings” lengths and I appreciate that GDPR ain’t that interesting.
So let’s dive into some of the GDPR nuts and bolts.
1. Legitimate Interest
Has your supplier of PID identified their legitimate interest, can they demonstrate that their processing is necessary to balance the interests of the individual with their legitimate interest? If the interests are not balanced, the individual interests are likely to override the legitimate interests.
- It’s worth asking your vendors whether they use PID in ways that their audience would reasonably expect and with minimal privacy impact.
- Would the processing of the data be classed as necessary to achieve that legitimate interest?
- Has the vendor completed a ‘legitimate interests assessment’?
- Does the vendor detail their legitimate interests in their privacy information? Do these seem reasonable?
2. Consent
Does your media partner have adequate consent to email their subscriber database on your behalf? If they are relying on existing consents, can they prove they are GDPR compliant? Here are a few snippets from the ICO page.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Be clear and concise.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
3. Recording Consent
How do your Media Partners record consent; can they show you the database tables they use and are they working in real time?
4. Withdrawing Consent
What happens when someone withdraws consent?
- We had to generate the code to query over 60 SQL tables to locate all the Personally Identifiable Data (PID) possibly related to an individual (Data Subject in GDPR speak). We then had to build the code to allow all of this to be extracted and formatted.
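As an added example (not AZoNetwork’s own code), here is a small Python/SQLite sketch of the two pieces this question and question 3 describe: an append-only consent log that keeps the who/when/how/what-they-were-told evidence, and a catalog-driven search that locates a data subject’s rows across every table holding an email column so they can be exported or erased. The schema, table names and the subscriber “alice@example.org” are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for a publisher's many PID-bearing tables (the page
# mentions 60+; three content tables plus the consent log suffice here).
SCHEMA = """
CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, topic TEXT);
CREATE TABLE rfq_requests (id INTEGER PRIMARY KEY, requester_email TEXT, product TEXT);
CREATE TABLE page_hits (id INTEGER PRIMARY KEY, path TEXT, ts TEXT);
CREATE TABLE consent_log (id INTEGER PRIMARY KEY, email TEXT, purpose TEXT,
    action TEXT, ts TEXT, method TEXT, notice_text TEXT);
"""

def record_consent(conn, email, purpose, action, method, notice_text):
    """Append-only evidence: who, when (UTC), how, and what they were told."""
    conn.execute(
        "INSERT INTO consent_log (email, purpose, action, ts, method, notice_text)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (email, purpose, action, datetime.now(timezone.utc).isoformat(), method, notice_text))

def has_consent(conn, email, purpose):
    """Latest entry wins, so a withdrawal after a grant means no consent."""
    row = conn.execute("SELECT action FROM consent_log WHERE email = ? AND purpose = ?"
                       " ORDER BY id DESC LIMIT 1", (email, purpose)).fetchone()
    return row is not None and row[0] == "granted"

def pid_columns(conn):
    """Discover every (table, column) that looks like an email field via the catalog."""
    cols = []
    for trow in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for crow in conn.execute("SELECT name FROM pragma_table_info(?)", (trow[0],)):
            if "email" in crow[0].lower():
                cols.append((trow[0], crow[0]))
    return cols

def locate_pid(conn, email):
    """Subject access / erasure step: every row referencing the subject, keyed by table."""
    found = {}
    for table, col in pid_columns(conn):  # identifiers come from the catalog, not user input
        rows = conn.execute(f'SELECT * FROM "{table}" WHERE "{col}" = ?', (email,)).fetchall()
        if rows:
            found[table] = [dict(r) for r in rows]
    return found

def build_sample_db():
    """Constructed in-memory database with one subscriber who asked for an AFM quote."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO subscribers (email, name, topic) VALUES (?, ?, ?)",
                 ("alice@example.org", "Alice", "Atomic Force Microscopes"))
    conn.execute("INSERT INTO rfq_requests (requester_email, product) VALUES (?, ?)",
                 ("alice@example.org", "AFM probe"))
    conn.execute("INSERT INTO page_hits (path, ts) VALUES (?, ?)", ("/afm", "2018-05-25T09:00:00Z"))
    record_consent(conn, "alice@example.org", "newsletter", "granted",
                   "web form tick box", "Send me the AFM newsletter")
    return conn
```

The pseudonymous page_hits table is deliberately left out of the export because it holds no subject identifier, which is the kind of judgement call the table-by-table review forces.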
5. Data Protection
What have they done in relation to protecting your data and where it is stored?
- Physical security, server threat detection, encryption, HTTPS? Not an easy task adding some of these services without compromising on the speed at which your websites load. We’re happy to share our actions in these areas.
6. Staff Data Loss
What precautions have been adopted regarding staff-related Data Loss?
- If your Media Partner is subject to the dreaded, “I left my laptop on the train” scenario, what protection mechanisms are in place? Have staff contracts been amended to include GDPR obligations? Have team members who are working on your account been provided with adequate training?
7. Lead Processing
How can you act on the “Leads” you receive?
- We spell out very clearly to our customers what a site visitor has consented to in relation to the specific question they may have asked. For example, a Request for a Quote (RFQ) doesn’t necessarily mean that they can be added to a Generic Direct Marketing Automation List. It does however mean you can answer the specific question.
8. GDPR Policy Manual
Does your Media Partner have a GDPR Policy and Procedures Manual you can inspect?
- A lot of work went into this, but it made us think deeply about some of our existing data protection policies and led to many areas of improvement in relation to people and systems.
9. Cookie Policy
- This is moving into PECR law territory but suffice to say we adopted a global approach regarding our cookie policies such that a site visitor can control every aspect of their browsing privacy. If you want to get really technical, ask questions about when and how a website operator allows the Google Analytics code to load and how consent is being recorded.
10. Registration
Are they registered?
- Pretty obvious one, but can your Media Partner or Agency provide you with a copy of their GDPR related registration with the related competent authority?
Over the course of the last 18 months we have held many discussions on the issues above and many others. We believe we’re in a good position now to really help our clients who are looking to have a GDPR compliant dialogue with EU citizens.
However, GDPR does not have an end point, it’s an ongoing journey that requires constant discussion, testing, checking and awareness.
I’m more than happy to share our experiences in more depth, drop me an email using the form below.
Thanks for reading
Dr. Ian Birkby