Enrico Schaefer - May 14, 2019 - GDPR Data Privacy
The General Data Protection Regulation is a law on data protection and privacy in the European Union. GDPR includes the right to: information about the processing of your personal data; obtain access to the personal data held about you; ask for incorrect, inaccurate or incomplete personal data to be corrected; request that personal data be erased when it’s no longer needed or if processing it is unlawful; object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation; request the restriction of the processing of your personal data in specific cases; receive your personal data in a machine-readable format and send it to another controller (‘data portability’); request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
Enrico Schaefer, GDPR & Data Protection Attorney
Welcome to Traverse Legal Radio. The Tech Lawyer Podcast. A show dedicated to helping entrepreneurs, CEOs and founders navigate legal issues, grow revenue and increase their valuation. This podcast is sponsored by the IP and Litigation Attorneys at Traverse Legal PLC. Visit TraverseLegal.com to learn how Traverse Legal attorneys are changing the way the law is practiced. Now, here is your host Trial Attorney Enrico Schaefer.
ENRICO: Welcome to the show. Today, we have Yair Cohen who is an internet and social media lawyer based in the UK. He is the author of the book “The Net is Closing: Birth of the E-Police.” He is a frequent contributor on a variety of different media outlets, and he is a partner at Cohen Davis Solicitors. Yair is definitely up to his eyeballs in GDPR and GDPR clients. He and I have worked together on a variety of different GDPR issues. I wanted to bring Yair on the phone today and do this podcast because he has this really interesting view of data, big data and GDPR. Welcome to the show Yair.
YAIR: Hello Enrico.
ENRICO: I wanted to just go over some of the things you and I have been talking about. I think they are really interesting in terms of the way companies need to think about their data. Since you are so immersed in GDPR and you have these GDPR issues and clients that you are working with directly from the UK, you have an interesting perspective. Give our listeners your big picture view of how they should be looking at data issues and GDPR.
YAIR: GDPR is a scary word. The way we look at it, GDPR is not really about GDPR. GDPR is about giving companies and company directors an opportunity to rediscover the business because it forces you to look into every system and every process in the business. If the business is well-established, then there would be a great deal of processes and ways of doing things that management is not really aware of. GDPR is forcing us to map the data, understanding exactly how things are being done; where the eggs are coming from; where the eggs are going. When you ask your secretary to bring you documents from 3, 4, 5 years ago, you don’t really care how she does it. You just want to see the documents. What GDPR does, it forces us to really understand what all the people on the ground are actually doing. By doing this, we can discover what risk might be in the business, how to deal with the risk, what opportunities we have, how we can use data in different ways, in safest ways and of course how we can look into the future doing those things and develop a business even further using that data. It is not really about GDPR, it is about business, it’s about business development, business for discovery; elimination of phrase, a good balance of risk and benefit.
ENRICO: It is really interesting because people are scared of GDPR and they don’t understand compliance and they are getting all these different answers off the internet and from their GDPR counsel and consultants about what they need to do. There is no question that GDPR is a process and it’s not a one-time event. Most companies do look at it as this burden, as this risk. What you are saying is that there is also a lot of opportunity in GDPR compliance and really understanding data assets: what they are, where they are located, and who has access to them, which then gives you the opportunity to actually leverage that intangible asset or to make that intangible asset tangible, which can help you on any sort of valuation, any sort of exit and certainly provides you with a benefit that most companies don’t have today, which is actually understanding where the data is.
YAIR: Yes. GDPR is forcing us to map and document our processes all the way down to the basics. The marketing team, the IT team, the sales progression team and within each team, to each and every individual what they do; how do they do it; how do they communicate and interact with each other; how do they communicate, interact with the rest of the organization and with the rest of the world. What happens to their work after they have passed it on to the next person or to the next department? It really is an opportunity to look at the business from above.
ENRICO: Really the way I explain it to my clients is imagine having this asset that is worth all this money in your business but you don’t even know where it is located, you don’t even know what exactly it is; that is the opportunity of doing a deep dive into your data assets and documenting them, understanding what, where and how and why. GDPR has thrown data on its head, instead of this; especially in the US where our companies here have always thought of data as big data, this great big opportunity where users come on to the web or come in to an app or start registering for a website and the click wrap that says oh by the way the company can do basically whatever it wants with your data and now they got this incredible asset that they–you can give the data to affiliates, partners and leverage that data in all sorts of ways which makes your company money. GDPR turns all that on its head because now the data always belongs to the person and that person can shut down data access from their end, they can ask for the data to be deleted, they can ask for the data to be given to them, they can ask where all the data lives, so big data in the US under GDPR is no longer what people anticipated it would be in terms of an asset. So that is the bad news. The good news is if you're a company that really understands the opportunity here, yes your rights in data may be more limited and coming from the person whose data it is, but you still can leverage that data asset as long as you understand where the data is, what your rights are as the company, is there a business purpose to the data that allows you to use it for other purposes? And then what I think is really going to happen which is, people are going to go back to these users and say hey if you let us or this other third party use your data in this particular way, you are going to get this benefit. The app is going to understand you better, etc.
It is going to be going back to the person that owns the data and saying do you want us to use the data for this purpose so that you get this benefit. So help us understand that piece of the puzzle.
YAIR: The key is clarity. What we all want to achieve is clarity. When it comes to data, and data can be very unclear. We will try to make data clear so you can put it in spreadsheets, you can put it this and that. But what the clarity allows us to do is almost magically create maps of data and data location, and data usage and have a look at it and achieve this feeling of clarity that we know exactly what we have, what information we possess and start evaluating the information and the benefits in the information. It might be just some rubbish that we don’t even want so we can get rid of it. There might be some information or some processes that we are not even aware we have. What GDPR does, if you do the data marking correctly, you achieve a sense of clarity and you see exactly what you have. And then you can say ok let’s work out how we are going to use this particular data in a way that helps our organization to move to the next level. That’s what it’s about. It’s about doing things in a systematic way, understanding what we have and understanding what we do. It is really an opportunity to rediscover the old process, the old organization, the old ways of doing things and only then can we start thinking about the next level. If you don’t have what you have or if you don’t have complete clarity about your possession it becomes very difficult to think about the next step; becomes difficult to think about what am I going to do with it; how can I modernize it; how can I use it in all sorts of ways. After mapping the data, you say oh look there is another way I can use this data; something completely different, something else I can do with this data that you never thought about before. I think clarity is the key to all this.
ENRICO: Until you can see, until you get through that first piece of the puzzle which is to map it and to go through what we have traditionally thought of as GDPR compliance where someone literally comes in to your organization, interviews all the people, looks at where all the data is stored, understanding how the data is being used. And kind of maps all that out, and really the next step is the more important step. I heard you use the word process a couple dozen times already in this interview, and that really is the key. Mapping the data is just step one, the opportunity piece comes from then building a business model on top of that mapping and rethinking your business model on top of what you now can see as an asset. That is what GDPR hoped to accomplish is to get companies to rethink their business. The business of data and that is really where the opportunity is. As you are working with your client and get through this first piece of understanding where the data lives, talk a bit about how that translates into potentially a new business process, a new business opportunity.
YAIR: You could save a great deal of money, different levels of the possession of data because suddenly you understand the data does not necessarily have to go through 5, 6 different stages before it could be used. Actually, I don’t really need steps 3, 4, 5 and I can refine steps 1 and 2 and get access to the data much quicker, in a much cost-effective way. Once you done that, instead of concentrating your assets and resources on the process itself, you can reallocate the resources in redeveloping the way you are going to be doing things with the data.
ENRICO: Yes, that is the key and every business is different and every business opportunity could be different but understanding where the data lives then will help you get to the next point. One of the fascinating things that I think about true GDPR compliance as opposed to GDPR risk reduction where people change their privacy agreement, they are superficial compliance where they are appearing, they comply. When people actually do the compliance that is a much bigger project. It is not a single event, it is not a month-long effort, that is not only substantial quarterly or maybe two quarter effort, but then it is a continual effort. Talk a little about how one of these projects really should roll out for a 20 or 50 or 100 million gross revenue company that is really serious about GDPR, how do you go about doing the compliance piece and then the next piece of understanding the opportunity.
YAIR: The first phase is going in and start mapping the data. We will be mapping the data by first understanding the organization so we are going to speak to the key people within the organization, but we are also probably going to be talking to the cleaner and the coffee maker and all sorts of people in the organization who might quite likely be able to give us the information that otherwise you would never have an opportunity to learn.
Once we do that then we create a colorful map, that map will tell us precisely where things are. Now we need to know where things are because later on where individuals in the US will soon be able to have better access to the data. When someone approaches a bank, and I would like to be able to open the data folder you hold on me. If the bank is obliged to provide this individual with the data, where are they going to find it? It is probably sitting in all different places, all different branches, different departments, and all different files. So what we do, we create an easily managed process where the person in charge of compliance in the organization will be able to point out all the different locations where the data is being stored. Now once we have done that, we might be able to then say “you know there is data here in 5, 6, 10 different places” we don’t really need that. We only need data to be sitting in two different places. In case of a bank, so you have an application for a mortgage, or you have a loan, or a person has a business, you can start by looking at the data, some will be too old, some inaccurate, our marketing company spending a lot of money sending all sorts of marketing materials to an older address that no longer exists, so that is the stopping point. Once we do that, then we sit with the management and produce the reports. The reports will first highlight the state of affairs. The reports will not necessarily talk about data or a bunch of GDPR. The reports will talk about the processes; about the way things are being done. We will highlight all those risks, financial risks, and process related risks. Things that are happening within the organization, disasters waiting to happen; just waiting to be discovered. We will highlight all those issues and that would be the second stage. We will also produce a report just for the CEO or the board of the organization to highlight other risks that need to be addressed as a matter of urgency.
Perhaps it has to do with certain individuals in the organization who have access to too much data or they might be misusing the data. Once we map the data, and then we produce all those reports, the next stage is to sit down and how can we fix this and make it better. Then we start looking at the organization, other compliance issues, whether it is financial or legal compliance. Everything becomes so much easier because you already understand the data flow. If you understand the data flow, it becomes so much easier. A financial organization for a bank to comply with financial regulations. Then all of a sudden financial regulations become very easy. Now once we get to this stage, the business looking at itself effectively in the mirror will say: looking good; then there are all those different opportunities for us; we look handsome; we go through the folders fast, we do things in a smart way; we increased efficiency because we introduced all those tools, previously we had 5 or 6 different programs, computer programs for doing things and now we only have two and they all talk to each other. Now it is slim and ready to go to the next stage. That is what an organization is very likely to attract other similar organization who is looking for slim, handsome, well-fed company to do business with; perhaps to acquire, perhaps to develop new products, new processes. The process has to start with the discovery.
ENRICO: It really makes a lot of sense here; and I know you and I have started to work on some things together for our US based clients who have business in the UK. I love the way you approach GDPR and it really turns it on its head from something that is a burden, something that is scary, to something much more understandable to a company, this is just good business. This is the future and you really need to do this, but you should also be embracing.
YAIR: We have a number of things in common, one of them we both like to look at a move to benefits. So whenever we do something, we would like to see more than one benefit coming out of it. I would like my client to spend a little money on compliance with GDPR and all they get in return is a few spreadsheets and instructions to give to people. I want my clients to put the results in GDPR compliance and then in return they get a fully compliant organization but lots of benefits they will get slimmer, they will save money, they will become more efficient, they will become more attractive. They will become more compliant with any other regulations whether it is money laundering. We don’t want our clients to look at GDPR as a wonderful thing. That is GDPR and that’s it. We want to look at GDPR as an opportunity; it’s not about GDPR, it is about data, it is about processes, it’s about a much bigger thing than just filling out forms and putting a few spreadsheets together.
ENRICO: This has been a great Podcast today. Yair Cohen from Cohen Davis Solicitors in the UK talking about data, talking about GDPR. Turning GDPR on its head. That is it for today’s show. We will see you next time and have a great holiday.
You’ve been listening to the Tech Lawyer Podcast. Sponsored by Traverse Legal PLC, a law firm representing clients like you on matters just like yours. You can find the Tech Lawyer podcast on most podcast listening platforms including your home devices. Until next time, remember that good attorneys win for their clients. Great attorneys tell you up front how they are going to do it and how much it will cost!