circle-check-hollow4608FFE1-4420-41C5-B602-FE264E2D6F8D3E3E365B-80E8-4F6E-9288-3AF21C84374F086DDED4-C570-4A30-B5C2-0ACC4288D0B5restoresplit7B3B240D-B907-4145-8670-B2C9BE1E23A21194A048-5BA5-49C7-B176-32DBA6A5315A5990E9EA-4599-4220-A42D-68262CBA3687

Episode 64: Understanding the GDPR

Two attorneys explain what the GDPR is, and provide some tips to help you have the right conversations with your legal counsel about issues related to the GDPR.

Listen to Episode (41:20)

Synopsis

The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Listen in as Chris Davis, Director of Education at ActiveCampaign, interviews two attorneys to learn what the GDPR is, what to keep in mind when preparing your business for the GDPR deadline, and how to have the right conversations with your legal counsel about issues related to the GDPR.

Gilbert Villaflor and Ananth Iyengar are attorneys at the law firm Perkins Coie LLP. They practice in the firm’s technology transactions and privacy group, and counsel clients in a wide range of commercial areas and industries, with a focus on technology, intellectual property rights, and data protection and privacy.

The information shared in this podcast episode should not be taken as legal advice, or as an endorsement of any particular products or services. It is important that you seek out the right legal counsel to help you understand what your specific obligations are related to the GDPR.

Related: GDPR Compliance

Transcript

Chris Davis: Welcome to another episode of the ActiveCampaign podcast. Today’s podcast is [00:00:30] about the general data protection regulation known as GDPR and what we’ve done here at ActiveCampaign, we’re making steps on our end to make sure that we’re in compliance with this regulation to ensure that your business is protected. And to talk about some of those regulations in terms that are easy for us to understand, us as business users, owners, nonlegal folks, we have [00:01:00] Perkins Coie, LLP. They have been instrumental partners with us here at ActiveCampaign to understand the GDPR and everything that’s involved with it. So I’ve got Gilbert and Ananth from Perskins Coie LLP to discuss exactly what GDPR means for us, the impacts on your business, some of the things that you need to take into account and some of the requests you need to be able to handle. [00:01:30] So it’s all in this episode so sit back, listen, learn and enjoy.

Gilbert and Ananth, welcome to the podcast. How are you two doing?

Gilbert Villaflor: Doing great Chris. Thanks for having us.

Chris Davis: Yeah, this is, first off, thank you for making the time. I know how busy, well I don’t know, I can only imagine how busy you all schedule is. So I really appreciate you being here. Real quick, before we get into the podcast, could you give our listeners [00:02:00] a bit of background about yourselves and your firm?

Gilbert Villaflor: Sure, of course Chris. Well by way of introduction, my name is Gilbert Villaflor and I’m joined with my colleague Ananth Iyengar. And we’re attorneys at the law firm Perkins Coie. Ananth and I practice in our firm’s technology transactions and privacy group and we counsel clients in wide range of commercial areas and industries. Particularly with a focus on technology, intellectual property rights and data protection and privacy.

Chris Davis: [00:02:30] Great, great. Thank you so much. So I’m going to jump right into the content. You two are going to help guide me through these new waters called GDPR which is short for general data protection regulation. In layman’s terms, what is GDPR?

Gilbert Villaflor: You know before we get to that Chris there’s one thing that I want to note at the top of discussion and [00:03:00] as you guess it’s your typical lawyerly type disclaimer. So we’re more than happy to share our views during this podcast but we just want to be clear that it shouldn’t be taken as legal advice or as endorsement of any particular products or services. But later on we’ll share some tips on how you can have the right conservations with your legal counsel about issues relating to the GDPR.

Chris Davis: Great, great, I appreciate that. Thank you so much Gilbert. Yeah, with that being said, we’ve got that out the way, [00:03:30] if you could yes, in layman’s terms, in the simplest terms possible, what is GDPR?

Gilbert Villaflor: The GDPR refers to the general data protection regulation. It’s a law of the European Union that protects the personal data of anyone in the 28 EU member states. This regulation is meant to harmonize and provide one comprehensive data protection law across all of the EU member states. So the GDPR [00:04:00] contains the basic concepts of existing law on data protection but it takes it several steps further. It increases transparency, accountability and enforcement when it comes to the processing of personal data. So the enhanced data protection rights under the GDPR give individuals in the EU direct control over the use, movement and retention of their personal data. So the GDPR really represents an evolution of Europe’s existing data protection [00:04:30] framework. And further brings to the forefront the belief that personal data is a fundamental human right.

Chris Davis: Yeah, that’s powerful. Go ahead.

Gilbert Villaflor: I was going to say, and it’s worth pointing out the GDPR actually became law in May 2016 but it provides for a two year transition period. So beginning on May 25th 2018 the GDPR will start to be enforced. So that’s why it’s important for organizations and businesses to really get a handle on their understanding of the [00:05:00] GDPR and their compliance obligations. If you haven’t marked your calendars already, May 25th is the date to know.

Chris Davis: May 25th. Everybody, please mark that especially if you’re in the service industry as we are where we do house a lot of the data so that you are compliant and people know that it is being protected correctly. And how do we expect GDPR to have a global impact? And I guess more so it’s like, I’m [00:05:30] in the US and I think all of my customers are in the US, does it even matter to me what GDPR going into effect, does it have an impact on me?

Gilbert Villaflor: You know that’s a great question Chris and one that we get a lot from clients trying to understand if they should care about GDPR if they’re not based in Europe. So the GDPR has long arm reach. And what this means is even if you’re a company that doesn’t have a physical presence in the EU, you’re still subject [00:06:00] to the GDPR if you provide goods or services into the EU and you’re processing the personal data of EU data subjects. And it doesn’t matter where the processing takes place. So you can see how this will sweep in a significant number of companies anywhere in the world who have an online presence in the EU. And this will have a great impact on businesses across the globe not only when we talk about the number of obligations businesses need to follow, but also when we talk about the consequences for noncompliance [00:06:30] which could be quite drastic.

On the higher end, fines can be up to 20 million euros or 4% of the company’s global revenues of the previous year. Whichever is higher. It is high. And so for certain types of other violations there’s a lower level of fines but even then it’s still 10 million euros or 2% of the company’s global revenues. So these fines are purposefully high and give the GDPR a lot of teeth. And that’s one of the reasons companies [00:07:00] are paying particularly close attention.

Chris Davis: Yeah.

Gilbert Villaflor: Responses you often get are, “Well if I don’t have a presence in Europe, how are data protection authorities actually going to enforce the GDPR against me?” And so one of the ways the GDPR attempts to obtain jurisdiction over businesses is by requiring organizations that processes EU personal data to have a designated representative in the EU. Whether they have a physical presence there or not. So [00:07:30] while there are narrow exceptions to this, we think this will really force many companies with more than minimal operations in the EU to either maintain a presence in the EU or identify someone to act a representative in the EU.

Chris Davis: Yeah, that makes sense. And honestly Gilbert, it’s so easy to have clients in the EU without knowing. You don’t have to intentionally seek out clients in other countries for that matter because the internet has really just opened [00:08:00] up the commerce and your ability to reach and engage with people so that’s really good advice there to make sure you have at least a representative in the EU on your behalf. Okay, so as far as our users, what should they keep in mind generally when preparing their business for GDPR? I know at the top you mentioned you’ll want to seek legal counsel personally, make sure you’re seeking legal counsel but are there any other things that people should keep in mind [00:08:30] when preparing for GDPR?

Ananth Iyengar: Sure. This is Ananth, I’ll take this one.

Chris Davis: Okay.

Ananth Iyengar: I actually had a chance to meet some of the regulators last week at a large privacy conference and one of the things the regulators, so those are the folks who are going to be enforcing this, put a lot of emphasis on are the principles of accountability and transparency. I’ll step back and kind of explain what I mean by that. We’re talking about accountability here, we mean the organization needs to know what information they’re processing, [00:09:00] how it’s collected, how it’s used, why it’s used, where it’s transferred to, who has access to it, how it’s protected, what’s going to be done with it when their business seems expired. Kind of everything about the information itself. In essence it’s spelled out in article 30 of the GDPR which requires organizations to maintain a formal record of the processing activities they’re undertaking and this kind of differs whether you’re a data controller or a data processor meaning [00:09:30] you’re either the entity who is deciding what’s happening with the information or you’re the entity that’s acting on behalf of a data controller.

This also means having internal policies and controls that are going to designed to protect personal data and ensure that only data which is absolutely necessary for your business purpose is collected and processed and that those controls that are in place to protect that data are aligned with your purposes [00:10:00] and are aligned with the risk. So basically the more documentation you have, the more you can justify, you considered these requirements, the more you can prove you’ve taken the stuff seriously and tried to comply, the better off your compliance posture kind of is. So that kind of on the accountability front.

Now on the transparency front, this is really about being open with your users or data subjects about how you’re processing data. Most often this means being super clear [00:10:30] in your privacy notice or your privacy policy.

Chris Davis: Interesting.

Ananth Iyengar: For instance, article 13 of the GDPR spells out some of the really specific requirements that have to be met in these notices and the kind of specific information that has to be present at every point of data collection. So anywhere on your site or your platform, anywhere where you’re collecting information, users should not be ever confused as to what you’re doing with their information so you should have a link of some sort at each point of data collection. [00:11:00] And these polices when you’re kind of going through them, really need to be clear, easy to understand, accurate. The people reading them should never be confused or surprised and it really shouldn’t be super legalese. And I know we as lawyers often struggle with that because that’s kind of the way we write. This has really forced us to step back and realize that non-lawyers are reading this and these policies and procedures and things really need to be written in a user-friendly way.

I mean as Gilbert has kind of echoed before, [00:11:30] we want to emphasize here again the importance of talking with legal counsel especially in this exercise. Making sure you got someone that really can help you understand how this regulation applies and what’s your public facing disclosures like your privacy policy and notices and things need to have in them. Actually kind of account for what you’re doing with the data. So that’s really valuable.

Chris Davis: Yeah, and I would imagine it would look something similar to of course that person getting legal counsel and looking [00:12:00] and that legal counsel looking at platforms like us that handle the data or pass through the data and extracting the proof that we’re compliant and helping them communicate that on their website and their privacy policy in whatever terms to make sure, like you said, it’s common spoke so when they read it they’re not confused. And on top of that, one of the things that I’ve always echoed on this podcast is responsible marketing. I think that [00:12:30] the impact of GDPR should never be negative on someone who’s already being responsible. Right? You’re being upfront and clear with the information that you capture, how you’re going to be following up and there’s no confusion. You’re not selling people’s information or anything like that. So this just kind of keeps in that same vein of being responsible as a marketer ’cause that is your responsibility is to treat everybody’s data fairly and secretly.

Ananth Iyengar: That’s a great point Chris, [00:13:00] totally agree.

Chris Davis: Yep, yep. I’m no expert, I try, I’ll tell you both, I did try to understand some of the GDPR stuff and some stuff I could grasp but the other stuff I’m glad I have you two on. There was this term affirmative consent. Can you speak to what affirmative consent is?

Gilbert Villaflor: Yeah, sure Chris. I’m glad you bring this up actually. So one thing to understand is that in order to process personal data [00:13:30] lawfully, you need what is known as a lawful basis for processing. If you’re a controller and you don’t have a lawful basis for processing the data then it’s considered unlawful and a violation of the GDPR. And so consent is one of the ways you can process lawfully assuming you do it correctly. The GDPR has stringent requirements when it comes to getting consent from EU data subjects. The consent has to meet several [00:14:00] criteria. It must be specific, affirmative, freely given and clearly distinguishable from other matters. So what this means is, that when you’re processing personal data based on someone’s consent, there must be actual choice on that person’s part and they can’t be forced to give consent as a condition for receiving service.

Chris Davis: Wow.

Gilbert Villaflor: When we say affirmative, the individual must be taking some act to provide this consent. For example, [00:14:30] having a pre-checked consent box will not work under the GDPR. And so this also means that you have to ensure that you’re getting consent for specific processing activities and not getting blanket consent to cover any and all types of use or getting consent for one purpose and using it for another.

Chris Davis: Interesting. Wow.

Gilbert Villaflor: For example, if a data subject consents to your use of his or her data to receive marketing communications and for receiving the service [00:15:00] you can’t later use that consent to perform data analytics or provide that data to a third party for other activities unless you get specific consent to do so.

Chris Davis: Yeah, and that specific consent must be clear, right? They can’t be confused, it can’t be so wordy, they’re like, “Um, I think I know what this means.” Right?

Gilbert Villaflor: That’s correct. It has to be clear so that the end user knows what the data is going to used for. So I think setting the processes [00:15:30] to obtain the consents in the right manner and making a verifiable record is going to be a challenge for many companies in light of the GDPR.

Chris Davis: Yeah. And I’m glad you brought up like pre-checked boxes because a lot of times with progressing profiling for marketers online, it’s easier to collect data once you pre-populate as much as possible. So it’s very, very interesting and I’m glad that you mentioned this that simply pre-populating a check [00:16:00] box is not going to count as affirmative consent. You’ve got to leave that unchecked. Let that person go in and check that box themselves.

Gilbert Villaflor: Yep, that’s right Chris.

Chris Davis: Great, great. Man, this is, I’m torn, in some ways I’m excited for the protections afforded under the GDPR laws but at the same time it’s just like there’s a responsibility. Everybody is going to have [00:16:30] to go back and ensure that they’re meeting these guidelines. The internet provides an amazing opportunity to do business at a much grander scheme or large level, a bigger scale but too much, give as much as required so you gotta be responsible. I’ve kind of been hearing some cringes here and there like, “Oh, GDPR I’m not going to be able market like I used to.” [00:17:00] But it’s like you know what, no. Actually that’s not the case. As I mentioned before, if you’re being responsible you may have some tweaks, get with your legal team, revisit your privacy policy, make sure you’re not pre-populating checkboxes, things of that nature and you’ll be fine. And in that vein, so what if a contact or data subject is I think the term.

Gilbert Villaflor: That’s the term used in the GDPR.

Chris Davis: What if a data subject asks [00:17:30] to see all of their information? What, as a marketer, as a user of a marketing platform like ActiveCampaign, what should I be prepared to share to them? If anything?

Ananth Iyengar: Sure. So this is a topic that’s really freaked people out in the GDPR and it’s one that can actually present kind of a challenge. But the basics are not super complicated. In essence we’ll kind of step back a sec and [00:18:00] this broader topic is called data subject rights. In particular somebody asks you, “Hey, what information do you have on me?” That relates to what’s called the right of access. In essence this right relates to the right of data subjects to ask the data controller to confirm whether they actually process that person’s information and if they do, to give them access to it. In addition they’re providing access, once you kind [00:18:30] of determine that you actually have to comply and you provide them that access there’s some other factors you have to give out as well.

Those factors are things like you gotta be able to let the requester know the purposes of processing. So why you’re processing that information. Then you gotta let them know well what categories of personal data are you actually processing. Is it like contact information? Is it employment information? What different categories? And then you gotta disclose to them who are the recipients? [00:19:00] Or the categories of recipients who are going to be getting this information? And what countries do they sit in? This’ll be things like, we might let people know how this is going to a third party for this purpose. Or this is going to a third party who does this sort of analytics for us and they sit in Mexico. So letting people know not just what you’re doing with the information but where it’s going is really valuable.

On top of that, where possible and we know this is kind of a tough one for a lot of companies, but one of [00:19:30] the requirements here is letting people know through this disclosure process basically the retention period. So how long you actually going to be hanging onto that data for? To the extent you don’t actually know or you don’t have set period or because it’s kind of fluid because it’s based on a lot of different variables, at least let people know well what kind of criteria do you use to figure out how long you hang onto data. And I’ll let you know here we hang onto it as long as we want to is not [00:20:00] the right answer. Tempting though that is. But you gotta come up some criteria for how long you hang onto it. When you do you decide your business need has expired?

On top of that, you gotta let them know too that they have the right to request from the controller to correct or erase their data. They have the right to stop processing in certain instances or to object to certain processing. As kind [00:20:30] of Gilbert was talking about consent before, that’s one of those things where if you’re processing based on consent somebody can withdraw their consent or they can object to your processing based on consent and the data controller typically has to stop unless there’s an applicable exception and that’s kind of where legal counsel comes in because there are some pretty complicated exceptions.

But on top of this I guess, kind of going on with the laundry list here, you have to let people know that they have the right to file a complaint against you [00:21:00] with the supervisory authority. Now obviously this is not terribly comfortable for organizations to do, to proactively let people know, “Hey, by the way, if you want to complain against me you can.” But you have to. The other piece here is now we know that from a marketing context this can sometimes be the case, if you’ve collected personal information from somebody other than the user or the data subject, you have to let them know kind of where you got that from. You’re buying marketing lists or you’re [00:21:30] buying contacts or you’re scraping the internet for stuff. Each of those cases you have to let people know where you got that from because somebody should never be surprised when they request one of these, when the information comes back, they should never say, “Wait, I never gave the company that information, where’d they get it from?”

Right? So it’s all about kind of being transparent with people and the last one here is more of like a new age type of consideration but it’s called automated decision making. To [00:22:00] the extent decisions with legal effects of significant decisions are made about people using some kind of an automated system with no human interaction, people have the right to object to that. I’ll give you an example. From an HR perspective say you’ve got this cool new machine learning functionality in your platform that screens people’s resumes and based on certain criteria, it decides whether certain people can or cannot [00:22:30] get the job or based on a set of behaviors, you got an internal system that decides, hey, based on somebody acts in the workplace that this person should get promoted, this person should not without any human interaction. If you’re doing any of that stuff, that needs to be disclosed as well and people have the right to object to it.

Chris Davis: Wow.

Ananth Iyengar: And the last piece here is as I was saying before where you’re letting people know what’s getting sent to a third country. You not only have to let them know what country it’s going to but also what sort of special [00:23:00] safeguards they call them. What special safeguards are protecting that? So that’s things like hey, if you use the US EU privacy shield certification you have to let them know that. Or if you’re using the EU what’s called the standard contract clauses to protect transfers of information, you have to let them know that as well.

Chris Davis: So as a user of a platform like ActiveCampaign do we refer them to ActiveCampaign’s documentation or [00:23:30] the data processor’s documentation or does each business entity need to have their own?

Ananth Iyengar: That’s a great question. And so this kind of comes down to whether you’re a data controller or a data processor. If you’re the person who’s actually doing the marketing activity, you have the direct relationship with the end users you’re typically, and that’s nuance here because without knowing the situation, it’s always a little complex but typically if you’ve got the direct relationship with the end user and you’re actually [00:24:00] the one doing the marketing, you’re going to be the data controller. In which case you’re the entity that actually has to satisfy these requests.

Now if you’re a processor, meaning you’re working for the marketer, you’re kind of providing them a service, you’re providing them a platform, you’re helping them do something, then you’re typically considered a data processor in which case companies out there who are acting as data processors, if they ever get any of these data subject requests, to the extent it’s a data subject request [00:24:30] for information that they’re processing on behalf of the controller, then they’ll typically want to turn those requests right around to the controller. Don’t try to answer those yourself, you don’t have to. You turn it right back around and let the controller know, “Hey, we got this request, I’ll deal with it what you will.”

Chris Davis: Okay, interesting. All right, all right. There’s some work to be done on all parties.

Ananth Iyengar: No kidding.

Chris Davis: All right man, wow. You kind of touched [00:25:00] on this a little bit Ananth, if someone asks for their information and maybe they want to correct it or delete it entirely, how should we prepare to reply to these types of requests?

Ananth Iyengar: Yeah, sure. And this is another kind of piece of it. What’s called the right to be forgotten or the right to erasure has gotten a lot of publicity recently. [00:25:30] And so that’s kind of one of the rights you’re talking about. You’re talking about the rights to rectification, meaning your right to correct information about you. And the right to erasure which the right to have information about you deleted from somebody’s database. Now what that kind of involves is both of those rights allow a data subject to have the data controller update their information where it’s incomplete or inaccurate or to erase that information subject to certain conditions of course. So for instance, and again, this [00:26:00] is where we always recommend you reach out to legal counsel on some of these exceptions but the right to erasure applies if you have to comply with that request is the information is no longer necessary. So you’re hanging onto it and you really don’t need to anymore or somebody withdraws their consent.

Chris Davis: Interesting.

Ananth Iyengar: Or somebody objects and says, “Oh hey, I don’t want you to process my data anymore.” Or you just terminate the business relationship with them. Now I can give you a couple of tips here. We’ve been answering these questions a lot [00:26:30] and in terms of preparing to respond to these requests, I can give you kind of a list of some factors to take into account. Things like number one, have you done your article 30 data mapping? Do you know where your data is such that if you have to comply with one of these requests, do you even know where it would be? So if you have to delete the information on your backend and your IT systems, do you even know where that information is? That’s kind of step one.

Step two I guess is do you have a process in place that even [00:27:00] lets data subjects make these kind of requests? Can they email you? Could they go on your privacy notice and click a link? Do you have a form that they could fill out and send to you? Is there an easy way for them to do that? Because one of the things data subjects can complain about is that even if they have these rights, you’ve made it so hard for them to exercise those rights, it’s almost like they don’t have them. So you’ve gotta have something in place to do that too.

The third step here is called identity validation. [00:27:30] Meaning, the principle behind this one is making sure that you’re not giving out information to the wrong person. You want to have a process in place to validate somebody’s identity before giving them any information or taking any action on their information. So that’s a good one. For instance if a request comes in and you actually can’t validate that that person is who they say they are, you do not have to comply with their request. Now [00:28:00] that doesn’t mean you should be trying deny a request left and right ’cause you’re like, “Ah you know what? I don’t think you are who you say you are.” You actually have to make a good faith effort but to the extent they’re not able to provide their evidence of their identity that protects both parties.

And then I guess the other point here in terms of working with your legal counsel is making sure you have a process in place to determine whether you even need to comply. Are there exceptions in place? In certain instances good [00:28:30] practice is if you want to be super transparent, you disclose to people what they ask you but in certain situations you know there’s certain information you don’t want to disclose. Either because it’s subject to some kind of a lawsuit or law enforcement or maybe it’s the kind of information that’s proprietary in that if you give up the ghost there you’re going to give up all your IP. Or you give up certain information where it’s closely tied with somebody else’s data so giving out that data would compromise somebody else. Any of those situations you want to figure out, [00:29:00] well do I even have to comply?

And I guess some of the other recordkeeping aspects here are things like do you have a way of notifying data subjects as to your timeline? Typically the timeline’s 30 days. So once one of these requests come in you got 30 days to comply. Typically best practice is to let the individual know that hey I’ve received your request, we’re working on it. And to the extent due to the request being really complicated or difficult or kind of thorny, [00:29:30] you can often ask for an extension. Let people know what’s going on. Let them know, hey, you can extend it out to 60 days but you have to have a really good reason to do that. You can’t ask for these extensions for any old reason. It has to be because the request is particularly complicated.

Chris Davis: Yeah, okay. No, that makes sense. That makes sense. So it’s on platforms like ours, like ActiveCampaign to make these types of things easier for the end user because that’s going to be their responsiblity. [00:30:00] That’s what they’re going to be responsible for if people are requesting, “Hey, forget me.” Essentially like delete my information. Now we have to start enabling people to do that effectively so that they can get processes in place to handle that efficiently.

Ananth Iyengar: That’s right.

Chris Davis: Got it. Makes sense. Well listen, Perkins Coie has been great and a huge resource to us and [00:30:30] me personally right not honestly, understanding GDPR and just making sure that everything is in compliance. What tips can you provide to businesses that want to have the right conversation with their legal team?

Gilbert Villaflor: You know there are some things we would recommend here. What we’ve been sharing today is really a high-level discussion to get folks thinking how the GDPR may impact your businesses. So we encourage taking a look at additional resources [00:31:00] but we found that finding the right legal counsel with expertise in data privacy and the GDPR, that’s really our first tip. There’s a lot of intricacies and nuances about the regulation and consulting someone knowledgeable in the area, it may sound obvious but that’s something that shouldn’t be overlooked.

And secondly we’d recommend getting a basic understanding of whether the GDPR applies to you and how. So for a lot of customers [00:31:30] that will depend on what their business does with the data, how it collects it, how it processes it and how it uses it. You’ll want to sit down and determine with your legal counsel, what are your obligations to that data? Are you a data controller? Are you a data processor? And sometimes you could be both. So understanding that distinction and your relationship to the data is going to be important.

Chris Davis: Got it.

Gilbert Villaflor: Third, we’d recommend conducting, Ananth kind of eluded to earlier, a data mapping exercise. [00:32:00] And that’s going to help you understand what data you’re collecting, who you’re collecting it from, what you’re doing with it, who you’re sending it to and how you’re protecting it and how you justify processing it. A lot of that is sort of the technical and operational aspects of it but understanding that what you’re doing with the data, with your legal counsel, will help you understand what your obligations are under the GDPR.

Ananth Iyengar: Yeah, I’ve got a couple of other tips here too I can drop. I guess I’ll say kind of related [00:32:30] to what Gilbert was just saying, on the backend making sure that you’re evaluating your technical and organizational controls. The stuff you’re actually using to protect the information and making sure you’re protecting data throughout its lifecycle. You’re not leaving stuff unsecured or poorly protected. In addition, I’ll drop a reference to that one in particular because actually securing the information well can be a defense in case you have a data breach. If you’re employing encryption or hashing or [00:33:00] certain forms of anonymization, if the information gets out, if somebody who’s not supposed to have access to it gets access to it, if they can’t actually decipher any of it that’s typically a defense to a lot of these things.

So I can’t plug enough how important it is to make sure your controls are aligned. And the rules around data breach response are really significant. You have to be able to notify regulators within 72 hours of becoming aware which is pretty stringent and we highly encourage [00:33:30] having those conversations with your legal team, with your information security team, with your IT teams, making sure that all the information you have is very carefully protected. On top of that, kind of like what we were saying before, just take another look at your public disclosures. Privacy notice, cookie notice, FAQs, look at all that stuff with your legal counsel. Make sure you’re compliant with those transparency requirements.

And I guess more importantly I’ll say here, make sure your [00:34:00] public disclosures are actually aligned with your actual data processing practices. I can’t tell you how many companies put up a privacy notice that looks really pretty and says all of the right things and it doesn’t actually do what, they don’t actually do any of that stuff. Or they’ll say, “Oh, we never do that or we never do that.” And they actually do. That in and of itself can be considered a false and deceptive practice and the European regulators have very, very little tolerance for that sort of thing. So don’t make commitments you can’t meet.

And I guess the last piece [00:34:30] here I’ll just drop is with vendors. Make sure you got the right agreements with your vendors, your customers, your business partners. GDPR is really forcing a lot of companies to revise their documentation and make sure they got the right protections in place since controllers can actually be held liable for the acts of their processors. Processors can be held liable for the acts of their sub-processors and anybody in the chain can be sued by a data subject. So if you’re a data controller and you want [00:35:00] to make sure you have an agreement with any data processors who are processing your data. That means spelling out those requirements and by the way, these are all called out in GDPR article 28. But you want to spell those out.

If you’re a processor and you’re using third parties to help you process that controller’s data, do the same thing. Make sure you got a data processing addendum in place. Make sure those obligations are called out to protect you because if one of those parties in those chain fails, the last thing you want [00:35:30] to do is for somebody to come after you for something that was really out of your control.

Chris Davis: Wow, and I guess this may be a bit overly basic but what type of lawyers or legal team should they seek out? Are these business attorneys? Are they general attorneys? If somebody’s like, “Oh my gosh I’ve never consulted with a legal team to do anything.” What type of legal team should they be reaching out to?

Ananth Iyengar: [00:36:00] That’s a good question and it’s a question a lot of companies are asking these days. From our perspective obviously we’re a little biased here but we’d put a plug in for making sure you’re finding a lawyer who’s got good expertise with data protection law.

Chris Davis: Okay, very good.

Ananth Iyengar: In particular here when it comes to the EU and the GDPR, you want to make sure you’re retaining somebody who has experience with European privacy since European privacy and American privacy [00:36:30] are fairly different. The Europeans consider it a fundamental right, Americans as you can see from what’s been going on on TV recently, we really don’t. And so I highly recommend making sure you find a lawyer or a trusted advisor who knows the law well, who understands data protection well and who has good insight into what it takes not only comply with the law but comply with the law in a business-friendly way ’cause the last thing you want to do is try to comply in way that ruins your business.

Chris Davis: [00:37:00] Great. Well listen gentlemen, this has been, tremendously insightful, helpful and educational. And I have no doubt that our listeners will have a greater understanding of GDPR. On our end at ActiveCampaign we’re doing everything that we need to ensure we’re compliant and we thank you two for taking the time out of your day for this podcast and all the help and assistance that you’ve provided along [00:37:30] the way.

Gilbert Villaflor: Our pleasure Chris.

Ananth Iyengar: No problem, happy to be here.

Gilbert Villaflor: Yeah, thanks for having us.

Chris Davis: Yes, yes. Thank you, thank you all so much and have a great one.

Ananth Iyengar: You too.

Gilbert Villaflor: Thanks. You too Chris.

Chris Davis: Thank you so much for listening to this episode of the ActiveCampaign podcast. Listen, I know it was a lot and as I was recording or as I was interviewing Gilbert and Ananth I was, trust me, I was doing as much thinking and figuring out. I’m like, [00:38:00] oh my goodness, I need to do this or how am I going to handle this? So I know that there are probably some questions that you have of course as recommended, reach out to your legal team but just rest assured and know that everything that was spoken upon in this podcast has already been on our radar here at ActiveCampaign and we’re taking all the proper measure to ensure that as a user you are equipped to be able to handle these requests when they come and [00:38:30] be in compliance with these regulations as easy and seamless as possible. At the end of the day protecting people’s data is no small feat.

This is a lofty goal that the EU is really spearheading and saying, “Listen, people need to be treating people’s information that they’re collecting with more sensitivity and just being honest in their handling of capturing [00:39:00] and processing data.” I think that the results or the impacts from regulations such as GDPR is going to have a positive impact especially on businesses that are operating responsibly already and it’s going to be a challenge for those who are maybe more in the gray area but either way, know that ActiveCampaign is up to speed, has been on it. This has been on our radar for a long time and we are a platform [00:39:30] that is going to make sure that we do our best to ensure that you are in compliance as well as us so that you have nothing to worry about.

If this is your first time listening to the podcast, let me just say they’re all not as heavy legally as this. Okay? But we have fun. We learn about marketing automation in business and I just invite you to subscribe. Subscribe. Don’t miss the next podcast. We’re in iTunes, Stitcher Radio, Google Play, SoundCloud, anywhere where you [00:40:00] can pull a podcast feed and subscribe we are there. If you have been a listener or you know even if it is your first time, maybe one time’s a charm, go in there and leave us a five-star rating. Leave us a five-star rating and write a review. It helps us get the word out. And you can’t help people enough. Can I get a hand raise. You can’t help people enough when it comes to online business. There is enough moving parts for any responsible business owner or passionate [00:40:30] or driven business owner to get lost.

If you need help, if you’re an ActiveCampaign user or just getting started, you’ve been with us for a while, you need help, we have success team members awaiting your call. Activecampaign.com/training, you can go and sign up for a one on one today and talk to somebody live in person about your business and ActiveCampaign. If you want to take a more self-prescribed approach, read some documentation, some guides, manuals, watch some videos, we have that for you as well. [00:41:00] Activecampaign.com/learn is where you’ll find the education center where you can consume as you need. This is the ActiveCampaign podcast, the small business podcast to help you scale and propel your business with automation. I’ll see you on the next episode.

Follow & Subscribe