GDPR Implications For Facebook Advertisers – Interview With Business Lawyer Suzanne Dibble


Okay everybody, it's Andrew Hubbard here, and today I'm jumping on to talk about GDPR.

So I'm sure by now that anybody who is running a small business online has heard about GDPR. I know that I've had questions from a lot of you about GDPR, and particularly the impact that it has in terms of running Facebook ads for your business, or in terms of running Facebook ads for your clients. So today I've got something pretty special for everybody. I'm here talking with Suzanne Dibble. Now Suzanne is a multi-award-winning business lawyer in the U.K. She's an absolute wealth of knowledge when it comes to GDPR. Suzanne has worked with a lot of big companies all around the world, but in particular she's worked with Richard Branson's Virgin Group to help them with their data protection and privacy efforts, as well as running one of the largest, if not, I think, the largest and most active Facebook groups focused on GDPR. That group is GDPR for Online Entrepreneurs (UK, US, CA, AU), so you'll see that if you search for it.

You can also just go to https://andrewhubbard.co/gdprgroup and that will direct you straight to Suzanne's group on Facebook. If you want to learn more about Suzanne you can find her at SuzanneDibble.com as well. So Suzanne, great to be chatting with you, and welcome!

Thanks for having me.

Delighted to be reaching new international audiences. I'm actually quite surprised, in a way, that international audiences, particularly the US, are actually taking notice of GDPR. I think initially the reaction was, oh, what's this European legislation got to do with us?

But now I've seen, definitely over the past few weeks, that international businesses that have an audience in the EU have really started to take notice of it.

Yeah, absolutely. I've noticed that with my own audience and students. It's kind of been barely mentioned, and then over the last three or four weeks, particularly the US cohort have really started coming and saying, 'look, we're running Facebook ads, what do we need to do to get up to scratch on this?' And I'm sure you've seen this as well – there are so many different sources of information out there, many of them, let's just say, aren't entirely accurate.

Oh yeah. I mean, this is the whole reason that I set up my Facebook group. I was merrily consulting with multinationals on it. I mean, my audience actually is very much a small business and online, particularly online business, community. But because, you know, basically data protection lawyers at the moment are very hard to come by,

So I was consulting with multinationals, and actually what prompted me to set up the Facebook group was the fact that there was so much misinformation out there, and you tend to find particularly marketers are very prone to make blanket – they don't really understand the law and then they're very prone to make blanket statements about what you can and can't do. So I really set up the group in response to my frustration in seeing this misinformation being carried out and the confusion that that was causing. So yes, I set it up on the twenty-eighth of February, I think, and in 2.5 months we've grown to just under 30,000 people in there.

And it is a hugely active group. And as a lawyer, you know, I'm delighted that people are actually interested in an area of law, because it doesn't happen very often, you know. So yeah. But yeah, you're right, there's a lot of misinformation out there, and I'm just here really to bring the sensible, balanced approach, because what there also is, as well as the misinformation, is there is a lot of scaremongering going on with the headline fines of 20 million euros or 4 percent of your global turnover. I worked out that if Facebook were to be fined the maximum amount for the Cambridge Analytica scandal, they'd be facing a fine of 109 billion dollars, based on their 2017 turnover. So, you know, this legislation has got a lot of teeth. But saying that, you know, I've got very small businesses in my group, like one-man bands, who are thinking if they're not a hundred percent compliant on the 25th of May they're going to get fined 20 million. Now of course that is absolutely not the case. But I think the level of the increased sanctions, the fact that customers can now take you to court as well, as opposed to it just being the regulatory authorities, this increased regulatory environment, and also the potential for people suing you, means that people are taking it a lot more seriously. But in reality, you know, if you just follow a few simple steps you can be okay as a small business owner, as an online business owner. What you can't do is stick your head in the sand and ignore it. That would not be a winning strategy.

But, goodness, the panic levels have risen to all-time highs because they've realised there's a week and a bit to go until it comes into force. So many have only just heard about GDPR. You know, it's not like the UK government and the EU government have been writing to small businesses and saying, this is the law that is coming into force, here's what you need to do. They're just finding out about it through networking groups, or talking to people, and online forums. So that's the first thing to say: if you're new to this, don't panic. The fact that you aren't a hundred percent compliant by the 25th of May, when it comes into force, a large guillotine is not going to fall from the sky and, yeah, you're going to be in all kinds of trouble. It's really a case of – okay, great, you know what GDPR is all about, how do I take what are actually quite simple steps towards compliance? And that's really what my Facebook group is all about: a sensible, balanced approach that gives you those few simple steps that you need to take in order to comply.

Yeah, that is fantastic.

It's great to hear you say that, because that's the exact impression I got when I joined the group. I mean, I've been looking around for a long time. I heard you speak somewhere else, I went and joined the group, and it was such a breath of fresh air to find a community where it was active, for one, and there was also great advice. And it was practical, and it's all presented in a way that's actually something that small business owners can understand and manage.

It's not too complex.

That's what I see as my job really: translating what is a complex regulation from legislators in Europe who frankly haven't heard of a lead magnet before, you know. We're trying to take that legislation and translate that into, okay, what is the reality for online business owners? And yet we have to remember that the intention of this regulation is a very good one. If we think of ourselves as data subjects and how we would like organisations to respect our privacy and look after our data, it's coming from a very good place. It's just that the difficulty is in translating it from what the legislators were thinking about to the practicalities of what opt-in box do we need for our lead magnet, etc.

Yeah, exactly. Exactly. So look, let's jump in. For anybody who's watching who isn't sure exactly what GDPR is, or what the intent of GDPR is, or if it affects them, can you give us a bit of a rundown on what the picture looks like?

Sure. Well, in the EU certainly we've had data protection laws for many years now, but the last law came into effect nearly 20 years ago. And of course data has really changed since then. The Economist stated recently that data is the world's most valuable asset, and the way that we're processing data has changed hugely over the last 20 years.

So it's only right that the law catches up with what we're actually dealing with, data, and how important it is. But ultimately it's all about protecting personal data. So what is personal data? Well, it's anything that identifies or is capable of identifying a living individual, and that includes if you've got various different bits of information: if you put that all together and you can identify someone, then you're dealing with personal data. And it talks about processing personal data. Some people have said to me, but I'm only storing those emails and names and addresses, so surely this doesn't apply to me, it's an old list, it's just sitting there, I'm not doing anything with it. Well, no, because the definition of processing is really wide: it includes storing, it includes using, it includes making it available. So it is a very wide definition of processing. But ultimately there are six principles, six data protection principles, that we need to adhere to. I'll run through those very briefly in a minute, and then we need to have a lawful ground for processing. Now the main thing to say about that is that people get really hung up on consent, okay, everyone thinks GDPR equals consent.

It doesn't. It's just one of six grounds of lawful processing, and I'll say a little bit more about that in a bit. That's what it's all about: making sure the data is secure, making sure you're being really upfront with people about what you're going to be using that data for, and just really giving the data subject, the person who the data is about, you know, if you've given your information to somebody else you are the data subject, so it's really about treating the data respectfully, being upfront with them and keeping that secure. In a nutshell.

Now in terms of working out whether this rule applies to you or not. Obviously if you are established in the EU it applies to you, full stop, and it applies to you in the totality of the data that you process. Okay, so if you are at the moment thinking, do I need to get my list to re-opt in, and I'm sure we'll talk a little bit more about that in a bit, then you need to get everyone to re-opt in, whether they are in the States, Australia, Canada or wherever outside of the EU. So if you're established in the EU then it applies to everything. Now if you are established outside of the EU and you do certain things, which I'll come on to, then it only applies to your data subjects within the EU.

So if you work out that you do need to get fresh consent, then you only need to get it from the people within the EU, not people outside of the EU. Now this applies to businesses outside of the EU where your processing activities relate to offering goods or services, irrespective of whether a payment is required, so it could be free goods and services, to people within the EU, or the monitoring of their behaviour within the EU. So certainly if you're delivering Facebook ads to people within the EU, then that would be covered under the second limb, or the first limb of offering goods and services. I think initially some people thought that if you had a website that was available around the world and you didn't geo-block people in the EU, that was sufficient to trigger the application of GDPR. But actually, in the guidance, it's really about the intent to offer goods and services. So they mention a number of things that would give you a good indication that you were intending to offer goods and services to that jurisdiction, and that's things like if you've got a page in French on your website, well, actually, maybe not, Canadians, but I mean if you've got a page in German on your website then clearly you're intending to offer goods and services to people in Germany; if you sell in pounds then clearly you're anticipating selling to people in Britain, etc. So things like that, which are really obvious indicators.

Now if you have, you know, maybe people have got 20 percent of people that are in the EU on their list, and they are regularly emailing that list with their goods and services, then they are intending to offer goods and services to those people, yes. Now this is a grey area: if you had one or two people who just slipped onto your list, and, you know, I don't know how that might happen, but, yeah, for one or two people, chances are, you know, even if the letter of the law said that you need to comply, chances are, I mean, I would take the commercial risk of just not bothering, you know. But certainly if you've got 10, 20 percent, something like that, on your list, then you might be thinking, okay, I need to take this pretty seriously. So that's the application of it. So then, just on the principles, which I'll run through really quickly: it's about lawfulness, fairness, transparency, and really being upfront about what you're telling people you're going to be doing with that data.

It's all about giving them genuine choice and control. So if you have your opt-in box, then at that point you need to be saying, okay, well, opt in for my free video and you're going to get this follow-on sequence of even more amazing stuff. You'll have a separate tick box for if you want to receive marketing communications, and you'll also have a link to your privacy policy, which is the document that tells people in more detail what exactly you're doing with that data: where it comes from, what type of data it is, what you're doing with that data, what's the purpose of the processing, if you're sending it to any recipients, which can be people like MailChimp or Infusionsoft, a payment processor, or whoever it is, and it'll talk about things like, if you're transferring data outside of the EEA, what safeguards are in place, which is an area that I should come on to, because that's an area that often doesn't get talked about and it's quite key. But really, if people keep in mind, it's just really informing the data subject what you're going to be doing with that data.

Fair enough. If you think about it on the other side of the fence, that's what I want to know as the data subject.

Exactly.

We all want to know where is it going, what are you doing, after we give you a name, email address and phone number or whatever it is. Definitely.

Exactly. In fact, so then the next thing is all about purpose limitation, which is really just collecting the data that is necessary, data minimisation, collecting the data that is necessary for the purpose that you've told people that you can use it for. So that means if you've got a tick box and people are opting in, then what that means is, you know, on an opt-in form you need their email address, you need their name so that you can send them that. What you don't need is their marital status, their inside leg measurement, what religion they are, you know, blah blah.

So you basically only collect the data that you need for the purposes that you've told them. Now if you told them that actually we're going to be collecting this data and we're going to be selling it to this survey company, and they give you that data, that's fine, you can ask about marital status and inside leg measurement and whatever else. But the point is that you can only collect the data for the purpose that you've told them about.

Yeah. Got it.

That's really interesting, because particularly from a Facebook advertising perspective, right, so I think of the type of landing pages we often send people to. So let's say we have a lead magnet, right, something that's free. You know, they give us their name and email and we give them a PDF or something in exchange.

Now I can think of several enterprise-level software companies that I use, and I know that when you opt into their freebies they will ask you, in exchange for this, you know, email checklist, enter your name, email, and we'll have your company size, you know, all the different information about you and your business and the company. So it's really interesting to hear this, because I'm hearing that while that might not be GDPR compliant necessarily, what they...

Yes. What they should be doing is still sending you whatever you've signed up for, and then having a separate data entry which is, you know, if you would like to get in touch with us to talk about products and services, please fill in the following, so that we know, you know, who to call you or which brochure to send you, etc. Or it might be that, you know, another example might be, if you want to segment your audience so that you can send them relevant content, you could have that.

You could absolutely say, you know, we'd love to tailor our content to send you relevant content, so it'd be great if you would let us know the following about your business. And then if people fill it in on that basis, that's fine. Yeah. You've just got to be really clear: what's the purpose of collecting that data?

And it's got to be necessary for the purpose.

Yeah, that makes total sense. It's not, it's not all about them restricting what we can collect.

It's about us being upfront and very clear: this is what we're collecting, and this is why, and this is how we use it, right. It's all about the communication between the collector and the data subject.

Yeah, that's exactly it. So the next principle, and I'm actually doing it the wrong way round, but the next one is purpose limitation, which is really what we've just been talking about, which is you can't collect the data for one purpose and then say, oh, now I'm going to go and do this with that data. Okay?

That is a principle in its own right. Accuracy: you've got to try and keep the data as accurate as possible. And you know what, there isn't really guidance on what that looks like. But, you know, I think that certainly the ICO guidance is that you would need to go back to your list at least every two years to get fresh opt-in for consent for marketing and things like that.

So I think fairly regularly, maybe every six months, you might email people and say, here's the data we've got on you, is this still accurate? Or you let them have access to, you know, some kind of way that they can get access to their own data to go and update it. Now, you know, again it's a bit of a grey area. Some people just have it in their privacy policy: it's really important that we keep accurate data, so let us know by email at X if there's a change. And that's probably sufficient. But, you know, if you wanted to take it to the next level, then I'm sure bigger businesses will do that. Storage limitation: so you can only keep it for as long as it is necessary for the purposes.

So again, if we think about that old list that people might have, really that should all be deleted. That shouldn't be sitting there on people's computers or servers or whatever; you're not using that data for anything, and you've got no other purpose for storing it, so delete it.

And when we say that, we're talking about EU data only, rather, if we've got a list that's full of, yeah, US-based clients or whatever, we can, it's not really applying to that. It's a pretty hefty portion.

Yes. Yep, yep, that's right. But also to keep in mind that if you've got customers in the EU, then even if they are expired customers you might need to keep that data for legal reasons; if there's ever any claim or anything like that you'd need to keep some of that data, if not all of it, for legal reasons.

So yes, in the UK we have a Limitation Act of six years, which means that people have six years in which to bring their contractual claim. So people would be keeping that data, customer data, you typically would be keeping for six, seven years, to make sure that you've got that in case there was a contractual claim arising out of that customer relationship.

And then the final point is security. And actually this is really key, and certainly what I've found is, nothing's really changed with GDPR from our existing legislation about keeping data secure. But obviously what the increased sanctions have done is really focus people's minds on what you need to do. And I'm amazed at the level of, just the way the security of data doesn't really factor into a lot of small businesses' and online businesses' heads, you know. And I'll hold my hands up, I was nowhere near as hot on this as I should have been. So actually I've interviewed a couple of experts in my Facebook group on security, and there's a couple of great videos, and I think people need a bit of a refresher on basic things, like, you know, if you go to a coffee shop and you're working remotely, then that Wi-Fi is typically, you know, anyone who knows what they're doing can hack onto that Wi-Fi and get hold of, export all of your data, send them phishing emails, get hold of their financial information, etc. And if we do discover a data breach now and it's likely to impact on data subjects, then you have to notify your regulatory authority within 72 hours of becoming aware of that breach. So, you know, the whole issue around security and data breaches is now a lot more pressing, so we need to look into the security side of it more and make sure that we have got those technical and organisational measures in place, you know, things like training staff if you've got any, or just being sensible ourselves: not leaving unencrypted USB sticks lying around, and passwords in public places, and things like printing out sensitive data and leaving it on the train. It's just common-sense things that we need to have a bit of a reminder about. Okay?

So any questions before I move on to the lawful grounds of processing? Or is that too much detail here for your guys, do you think?

Well, maybe, I think they're really, really loving it. They've been asking some really in-depth questions. This is exactly what people, you know, will be really interested in, yeah.

Okay, cool.

So the legal grounds of processing. If you're processing personal data you need to have a lawful ground for processing it, or you just can't process it. Well, you could, but you'd be breaking the law, and there's chances of, you know, whatever happens. So, as I said, consent is not the be-all and end-all. Consent is one of the six grounds, and consent obviously means where the individual has given you consent to process the data, and I'll say more about what the GDPR standard of consent is, because certainly in the EU it's a higher level of consent than we previously had to get; I'll say a bit more about that in a bit. Then contract: so if the processing is necessary for a contract that you have with an individual, or because they've asked you to take specific steps before entering into a contract, say for example I asked you for a quote or something like that, then you don't need another ground of processing.

You don't need to go and get consent. So a lot of people have said to me, well, what about the opt-in forms on my website, do I need to have a tick box for people to submit a question to me? No, you don't need consent, because you would be replying back to them based on this contractual ground, because they have made inquiries about your goods and services.

And certainly, sorry, go ahead.

Sorry, what were you going to say?

No, I was going to say, it would be a shame though if you were to then take that email address, after you answer the question, into your newsletter database and start blasting them with newsletters. That's a different story.

Yes, or there is an argument there, which I'll come to in a bit. Yes.

So with existing clients, if you're in the EU, everybody who's got existing clients will be storing the client's email address and name, maybe physical address, or details about them. You don't need to get consent to continue to store and use that data, because you would have a contractual ground for using that data, and anything that is necessary for the performance of the contract, that's your ground for processing, and you don't need to go and get separate consent for that. And the third ground is legal obligations, where it's necessary for you to comply with the law. So an example of that might be if you are legally required to keep certain records, for example, that are the personal data of people, then you wouldn't need to go and get consent for that.

Yeah, if you've got employees in the EU and you are obtaining their social security information, you don't need to get their consent for that, because that's a legal requirement, to pass on to the taxman. Okay, so if you need to process data by law, that's a lawful ground of processing and you don't need to go and get consent for it. And there's a couple of ones that aren't particularly relevant to this audience, which is vital interests and public tasks. But then the final one is legitimate interests, which is where the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there's a good reason to protect the individual's personal data which overrides the legitimate interest. Now we know that direct marketing is a legitimate interest, because the recitals to GDPR tell us that it is an organisation's legitimate interest to market its organisation, to tell people about what it is and how it can help them, etc. We know that's a legitimate interest, but that does not mean that you can just rely on this lawful ground and ignore consent, because you have to carry out this balancing test with the legitimate interests of the data subject.

So of course what that means is you can't spam them, because that would totally be against the rights and freedoms of that individual. So what GDPR says is that if people would reasonably expect to receive your communications, then that's an indication as to the fact that you would be better able to rely on legitimate interests. So, what you were asking before about customers: either customers or people who were inquiring about your goods and services, then arguably you would have a legitimate interest to actually add them to your marketing list and to send them details about goods and services that are related to what they've been asking about. Obviously if they're asking about hot tubs and you have a sideline in air balloons or whatever, you couldn't send them something completely unrelated.

But if you are sending them things that are very relevant to what they've clearly indicated that they're interested in, then you could rely, for GDPR purposes, on legitimate interests. What you have to do, the key thing about legitimate interests, is making sure that you have carried out a legitimate interest assessment form. I can tell you how you can get hold of one of those later. But it's really about documenting your decision-making process and showing that you've considered the risks of not getting consent from the data subject, and that what you're proposing to do with that data isn't prejudicing them, it's not overriding their own rights and freedoms, etc.

So it's very much on us to consider all of that and have that on record, so that if there is a complaint or a regulatory investigation you can point to that. Now there is this other law called PECR, the Privacy and Electronic Communications Regulations, PECR or 'Pecker' as people call it. And that at the moment only applies to businesses established in the EU, but it's being revised, and it's likely to be revised next year to have the same territorial scope as GDPR. So at the moment it just applies within the EU.

But as of next year it's likely to apply to people outside of the EU to the same extent that GDPR does. And what that says is that you can't send unsolicited email marketing to individuals, and individuals include sole traders, partnerships, I don't know what the expression might be in the States, but anything that's not a corporation, basically. And there is a certain ground for being able to do so without consent, which is called soft opt-in, which is essentially sending marketing emails to customers or people who have inquired about your products and services, if it's something similar. So this is kind of similar to the legitimate interests. You have to have advised them of their right to opt out at the time that you collected the data, and you have to advise them of their right to opt out in each subsequent email, which most people do, because we all have our little, you know, opt-out things at the bottom.

I think so.

So for me, when I'm thinking about do I need to get my list to re-consent, these two things came through my mind. One is, have I got a GDPR standard of consent, all right? And the second is, can I rely on legitimate interests and the soft opt-in to not get consent from my customers and existing customers, and possibly customers going back whatever period you think is acceptable for it to be reasonable for you to contact them. If they're a customer that is five years old, they're probably not expecting you to get in touch with them.

That would probably not be okay, but if it was six months ago, 12 months ago, maybe. But it's for us to make that judgment in the context of our own business and decide, you know, whether legitimate interests would apply. So if we decide actually legitimate interests would apply to our customers, and customers going back 12 months, we wouldn't need to get them to re-consent to marketing emails. And that's it on the legal grounds of processing. And just quickly on the consent rule before we get into specific questions on Facebook, because I know that's where you're trying to get to. But I'm guessing, I mean, your people are still going to need to know about whether they need to get people to re-opt in to that list, because presumably they will have marketing lists that they are sending marketing emails to.

Yes. Okay, cool.

So this higher standard of consent with GDPR: there's two, well, three things to think about in the new definition of consent, and the main one is that there has to be a clear affirmative action by the individual giving that consent.

So what that means is no more opt-outs, no more pre-ticked checkboxes. It means clean, clear, plain language that's really easy to understand. It means genuine choice and control. It means having your privacy policy really upfront, next to the opt-in box.

So a link to your privacy policy. It means notifying them that they've got the right to opt out at any time. And it means giving them, where possible, separate granular options on what they actually want to opt in to. So, like what we were talking about before, you know, if you've got your typical opt-in box, you know, get my free report on whatever it is, then you don't need a tick box to send them the report, because that's what they're entering their email address for.

That's the affirmative action. Because what would you do if they entered their email address but didn't tick the box saying I want the report? Then you're like, oh, okay, they entered my address, but what do I do?

So you don't need a tick box for the report, because you've said, hey, you want the report, put the email address in. What you would need to have is the tick box underneath that says, if you'd like to hear from me about my amazing offers and services and discounts and promotions and whatever else, click here.

Okay. So again, this is...

That's what the law says. I'm sure not everyone's going to do that. Is anything really terrible going to happen to them? I don't know. Actually, I think as people get more savvy about it you might start to see people saying, hang on a minute, you know, you've sent me this marketing email and I haven't opted in, and you might get competitors trying to trip you up and causing problems for you.

So I think that where we can do that, it's a good idea to do that.

And so if we can do that, then how granular do we need to be? So let's say I'm promoting something and it's teaching people how to create better graphics for their Facebook ads, right?

And so they click the button they add to their email address You know that's all fine I've got a check box that says you know do you want to receive future marketing emails from me check here Check the box there If all of them want to talk about let's say if something that's related to Facebook ads but not directly so I'm talking about our labor Want to start teaching him about e-mail marketing records

It's kind of related, but it's not. Would that require a second set of consent, or how specific does that checkbox need to be? Yeah, I mean, there isn't a definitive answer in either example, so it's always a question of judgment really.

OK. But if you're as upfront as you can be, then something like that I'd feel comfortable with. It's all in the realms of marketing, and people are likely to be interested there. If you went off on a tangent, like a caravan warehouse or something like that, not everyone would be interested in that. So then you would have to do a separate email there and get different opt-ins from the demographic who are interested in that.

It's really, yes, it's the law, but it's also just good marketing practice, isn't it? Because you want to be sending people stuff they're actually interested in, because otherwise they're going to click on it and opt out, and it's going to affect your email deliverability, right? So if you were doing that, I think what you would do is send an e-mail to your list and be like 'hey guys, I'm branching out into e-mail marketing, click here if you want to know more about that'. And then they'd go on a separate list that you would send it to. Yeah.

And that makes perfect sense. I think you're exactly right when you say you would see more spam complaints, you'd see more of everything if you just started on a different topic. That makes sense. That was something that a lot of people were asking me: where does legitimate interest start and stop? So it's good to get a bit of a feel for that.

Yeah, it is a real gray area. Basically what we're doing is we're taking on the responsibility of protecting the data, really, and taking away the data subject's right to do that, and we're doing it for them. So we have to actually go through that decision-making process and document it. Like I say, you can't just go 'yes, legitimate interests will apply'.

You have to actually sit down and think, okay, well, is this okay? I've done a lot of videos on legitimate interest in my Facebook group, so if that is an area of interest to people then I'd go and have a watch of those. Perfect. That's great. All right.

Also, we've covered a little bit about consent and that sort of thing, so I guess one of the things, and correct me if you want to go down a different path, the next thing that I'm thinking of that might be worth discussing is where your responsibilities lie. So I know there are these concepts of a processor and a controller, and depending on what your role is, that determines what your responsibilities are. Yeah. Can you talk about those a little bit as well? Sure. Yes.

So like you say, the regulations do distinguish between a controller and a processor. Now a controller, as the name suggests, is someone who controls that data: the person who determines the purposes and means of the processing of the personal data. And the processor is somebody who processes personal data on behalf of the controller, under their instructions. So, an example: you've got a virtual assistant processing data on your behalf. You might give her access to Infusionsoft to send out some emails. She is your processor; you're the controller of that data, she is your processor, and Infusionsoft is a processor in its own right, MailChimp etc.

And so if people are doing Facebook ads, actually, you said you've got agencies on here, have you? Or is it more people doing it for their own businesses? Mostly it's their own businesses; we do have some agencies, but the majority is their own businesses. As I said, if you are an agency and you're processing data for the purposes of running someone else's Facebook ads, then for that data you're a processor. Yeah, yeah.

Yeah. So for me, I often will get an email list export from a client and I'll upload that on their behalf to Facebook to create an audience, and in that case I'm simply processing the data. I don't have control over that data, I'm just processing it. Yeah, exactly. So you're the processor. And what GDPR does, which is new, is that it imposes liability on processors. So certainly in the EU, under the previous data protection laws, there wasn't that same liability for processors, so processors are going to have to be a lot more careful about only acting on the documented instructions of the data controller. You can't just go on a whim and think 'oh, I'll do this with this data', because if there is a data breach then you will be liable. So the processor has to take a lot of steps now, and the processor has to be compliant in their own right.

And in fact GDPR goes further than that and puts an obligation on controllers to only use processors who are in effect GDPR compliant. And certainly what we're seeing in my group at the moment is a bit of a panic around this, in that people who are using, particularly, software providers who aren't yet compliant are thinking 'oh my goodness, I've got to change my business to a new provider before the 25th of May because this provider isn't yet GDPR compliant'. So I think that even if you're a data processor and you're thinking of ignoring GDPR because of that, well, just don't. Yeah, I think

I think that people will see an impact, certainly if you've got a good customer base in the EU and you're not GDPR compliant; then, as people become more aware, you will see people migrate to other providers that are GDPR compliant.

So I think that's a big reason for people outside of the EU to actually become compliant. There are a number of provisions about processors, but the main one is (I'll just touch on it; there are a lot more videos on this in the group), the first is that there has to be some contractual terms between the controller and the processor, and they are specified in the GDPR. So what that might look like in reality is either you would have a new processor agreement, or you would have processor clauses that go in the service agreement between the controller and the processor. But you have to have those specific terms; there are 8 things that it says have to be in those contractual terms. And the main thing to mention is that if you have a sub-processor, then you have to in effect pass that chain of contractual protection down the line, because if you think about it logically, there's no point having all of these rules around what the data controller can do with the data and keeping it secure if they can just transfer it to a third party and there's no protection around that, and then that third party can transfer it to someone else and there's no protection around that.

You have to kind of pass down those contractual protections through the different processors. So, for example, if you're using a software tool directly, if you're the client of a software tool, then that software tool is a processor and you would need to check that that processor is GDPR compliant, that it has the prescribed processor terms in its terms of business. Okay, so you've got to pass the chain on. Yeah, that's really interesting. I mean, even thinking about it at a simpler level, and thinking more within my team, of team members who handle data, where I might say to my assistant 'hey, can you take this and do X, Y and Z'. Yes, and if they're your employees, that's fine. If you're using freelancers, then a freelancer is a separate legal entity, and you would in theory need those processor terms with your freelancer.

Gotcha. Employees are fine because they're part of your organization, but freelancers or contractors are a separate legal entity, so you would need the processor terms in place. Got it. And also, not just the terms, but it's really important actually to start thinking about, okay, well, what security have they got in place? Because if there is a data breach and it's down the line from you, it's one of your freelancers, you're liable. Yeah, yeah, yeah.

Which is scary, because I think anybody who's worked in the freelance market online will understand how difficult it can be to actually have any kind of influence over what controls are going to be imposed. It's very, very difficult. So it's very interesting to see how that impacts on the market there. And then the other thing to think about with processors is this concept of transferring data internationally, which means any data that is transferred outside of the EU we have to think about more carefully, because the EU thinks that it has the best level of data protection in the world and that there are lots of other countries where there isn't that same level of protection. So if you are transferring it, it's kind of a tiered approach that you need to take to it.

The first is: the country that you're transferring the data to, does it have an adequacy decision? That's where the government has basically said, okay, there are these 10 or 11 countries which we believe have sufficient data protection laws in place that you can freely transfer the data to. Now that includes Canada, insofar as we're transferring it to commercial organizations; it includes New Zealand. It doesn't include the States.

It's some pretty random countries, other than, say, Switzerland, which is in there, but pretty random countries like the Faroe Islands and Guernsey and places like this. But in terms of the US, what the US has is the Privacy Shield, which replaced the Safe Harbor. People might have heard of the Safe Harbor; that was taken to court by Schrems and found to be not sufficient. So we now have this Privacy Shield, which actually has now also been taken to court and is looking a little bit shaky, but at the moment, for US companies who want to have free flow of data from Europe, they sign up to the Privacy Shield. This is kind of a self-certification method, and it's regulated by the FTC.

But there's only 4000, I think it's 4400, companies in the US that have signed up to Privacy Shield, which, on the scale of the size of the US, in my view is not very many.

So if the company is part of the Privacy Shield then that's great, you can freely transfer the data, subject to my point that there has to be this processor agreement in place if it's a controller-processor relationship. Now, if you are in the US and you're not part of the Privacy Shield, so you could be in the US and not part of the Privacy Shield, or anywhere else that doesn't have an adequacy finding, then the next thing is that you need to put in place what's called standard contractual clauses, or model clauses, and these are contractual terms that the EU has approved in order to protect that flow of data outside of the EEA. So that's the next thing to think about: if you're not in a country that's got an adequacy finding, and you are not part of the Privacy Shield, then you need to put in place the standard contractual clauses.

And again, I'll tell you where you can get hold of those in a bit. Now, the kind of tweak to this, actually it's not a tweak, it's just a massive problem, is that the standard contractual clauses haven't been reviewed to keep up with GDPR. So at the moment, if you've got a US data controller who's got data from the EU and a US data processor, or one anywhere else outside of the EEA that isn't part of Privacy Shield or whatever and doesn't have an adequacy finding, then the standard contractual clauses don't cover that situation, because they only apply to an EU controller transferring the data. I spoke to our regulatory authority about this. At the moment you would then be looking to the derogations, which is too complex for us to go into here; I've got videos on it in my group for people to go and watch. But essentially the main derogation would be that you need explicit consent from each data subject to the transfer of that data. So if you had a US controller transferring it to a US processor that is not part of the Privacy Shield, then you would need, if there's no other derogation that applies, the explicit consent of every data subject to that transfer.

Right. So in the case of a 10,000 person e-mail list, you need explicit consent from every single one of those 10,000 people in that specific scenario. Gosh. I mean, we're getting into the intricacy and complexity, but it's more than just tick boxes on your opt-in form. Yeah, yeah. I don't want people sitting there worrying about it; it's just that, in practical terms, it's an unworkable thing.

And remember, the 25th of May, it's not like this is it, if we're not compliant that's game over. But I think this is all pointing towards, I think we're going to see lots more US companies become registered under the Privacy Shield.

In time we will see solutions from the EU as to this. They will probably amend the standard contractual clauses to cover that, as well as, as referenced in GDPR, approved codes of conduct and other certification schemes. But we just don't have them at the moment. So what on earth did the regulators expect us to do? You know.

But I think, you know, the risk of what I'm not suggesting is that people cause their business problems by suddenly feeling that they have to switch from one processor to another. So say you're using Infusionsoft; Infusionsoft isn't part of the Privacy Shield, so if you're a US data controller and you're using Infusionsoft, then in theory you should be getting explicit consent from each of your EU data subjects to the transfer of that data to Infusionsoft. Now, of course, what I am not advocating is that by the 25th you think 'I've got to migrate my entire Infusionsoft list to another platform like MailChimp that is GDPR compliant and part of the Privacy Shield'.

I'm not saying that. It's a commercial risk analysis for every business. I'm just telling you what the law says. But going forward, I think there's going to be a lot more focus on that, and as I say, I think the mechanics of doing that will in time catch up with what the legislation says we actually need to do. Yes.

Yeah. I'm assuming that part of this will be the formation of legal precedents as well. So until we see some prosecutions and some legal precedent set, then we won't really have a clear picture. Yeah, I think it will be interesting to see. Certainly there have been questions asked about, well, how can any regulator enforce this with a US company? And I think they absolutely can. We're seeing that with Facebook at the moment. So I wouldn't think that they can't.

It's obviously about what scale the breach is, if you like, what scale the non-compliance is, is it going to be worth overseas regulators coming and investigating you. So it is all a risk analysis. But as I say, I think we're still seeing this; it's a big paradigm shift in data protection.

I think that US regulators are taking it a lot more seriously after the Facebook and Cambridge Analytica case, and you're going to see much stricter data protection laws emerging in the US. It might take some time and effort to try and get them through Congress.

And what does that decision-making process look like? Yeah, I mean, I think the message is let's try to comply; where it is impractical, because businesses are just not physically able to do it, then you take the risk analysis of what's the risk of this actually being an issue, and you make your decision on that ground. Yes, absolutely, and I think the important thing there that you kind of alluded to as well is, when you're talking about this, this is complex work. There is a high level of complexity, but I think the thing that businesses need to be aware of is that you need to understand the legislation enough so that you can assess it in respect to your particular business, because everybody seems to be looking for these blanket statements like 'you need a checkbox, you need to do this, A, B, C, D, and you're done'. But everybody needs to look at the legislation in light of their own business and apply it in a very specific way that works for them, and not just 'I read a blog post that says you need a checkbox and a privacy policy and a cookie policy'. Right. So think about that.

That's why it's important to chat about complexity. Yeah, absolutely, and I've had people posting in my group, and I did a video on this this morning actually, because over the last week or so people have been receiving e-mails from larger companies that are asking people to opt out rather than opt in, and they're like 'whoa, hang on a minute, I'm thinking that I need to get these people to opt in; no, I don't'. I'm like, no, this is a different company; you don't know what they've done historically.

They might have had consent under the old rules; it might be e-mails to existing customers; they might be relying on legitimate interest. You don't know, and it's wrong to make assumptions about other businesses and what they're doing. They might have taken a commercial decision: 'we've done an analysis and we've got a hundred million quid in the bank; even if we get hit with a fine, we're going to carry on.

We're not ready to lose those customers, those potential customers.' You just don't know. So you've got to understand the basics and then apply it in your own business. Absolutely, absolutely.

So on that, look, let's move on. We could talk for hours about this, but I told you we'd have half an hour and that would be it this time. So let's talk about compliance: how we do it as Facebook advertisers and as small businesses running ads on Facebook. I think we focus there because that's the majority of the audience. What are a few of the big things that we need to do in order to make sure that we're complying? So let's start at the top, let's start at Facebook ads themselves. The first thing that we do when we start running Facebook ads is we put tracking on our websites so that we can see who is visiting, and then we can use that data. So, assuming we're putting a tracking pixel on our website, let's touch on what our role is in that case.

Now my understanding is that if we're putting that piece of code on our website that then collects data and sends it to Facebook, then Facebook is the controller in that situation. Is that correct? Correct. So our responsibility there is as the processor? Yes, in theory, but it's not quite as straightforward as that. Most of what we need to think about with pixels is more that you need to think about having your cookie policy in place that is telling people that you're using cookies. And it's not entirely clear what form, if you decide that you need consent, which I'll talk about in a bit more,

what form that consent would take, because really the software isn't at a stage where you can implement it easily, where the consent comes first and then the cookies are blocked, or people can opt in to certain types of cookies but not others. Well, it is, but it's coming, I think. But what I can absolutely say that you need to have is a cookie policy on your website that advises people about the cookies that are being used and how to switch them off, essentially. So at the moment, again, it's not entirely clear with GDPR coming into force, because cookies can be personal data. And so if you had a cookie pop-up then that would definitely be fine. If you see the cookie pop-ups that say 'we're using cookies, is that okay?', everyone clicks on yes.

You know, that's great, and you have a link to the cookie policy. That's all good. Even if you had a sort of a banner, where there isn't a pop-up but just an obvious thing on your website, that might suffice.

But you've got to give people notice that you are using the cookies. Now, I've read things that say that because with GDPR we've got this basis of needing an affirmative act for consent to be GDPR standard of consent, so I've read articles that say that the mere act of continuing to browse the website is that affirmative act. Yeah, if your cookie notice is prominent enough and people continue to use the website, then that is the affirmative act. I've heard others say, and these are typically the software companies that are selling the pop-ups, 'oh no, that's not sufficient'.

'What you need is our pop-ups.' What I do know is that you need a cookie policy on your website that is obvious. You need it on each page and it needs to be fairly obvious, so I can definitely tell you that now. PECR, the regulation I mentioned earlier, also does talk about consent for cookies. At the moment that only applies within the EU, but implied consent is okay for that. So if you've got that cookie policy, you're okay for that. The thing is that in the privacy policy you need to have a section advising people about cookies and what you're doing with them. Okay. So again, I'll tell you how you can get a template privacy policy in a bit.

And that covers all of that. So that's the easy thing to do. Now with PECR, what is changing is that at the moment PECR only talks about email marketing and text marketing, but we think that it's going to be extended next year to display advertising, so that would cover Facebook ads and Google ads and things like that, which would mean that you would need to get the GDPR standard of consent, as PECR refers to that standard, and what that might mean is that you might need a tick box going forward. But we're not worried about that just yet. Got it. So on the pixel, yeah, Facebook is the data controller. I think what you were going to go on to ask me about is Custom Audiences and things like that, but I'll let you ask me about that. But the main thing to remember with the Facebook pixel is to have a cookie policy on each page in an obvious place.

Got it. And when PECR comes into force, we'll probably need to do something more. But for now, that's it. That's really good to know, because I've heard similar things to what you mentioned; I've heard people say that you shouldn't set any cookies or tracking until they click the Okay button, and then it's okay to do so. Okay, that's really good.

So we're going to go with, for most cases at least, a very prominent notice that cookies are in use. There's a video on the whole cookie thing and Facebook pixels in my group where I go into a bit more detail about that stuff, but the nuts and bolts of it, that's about it. Yeah. And then, as you mentioned, for most people they're going to need an updated privacy policy and cookie policy to be ready for GDPR as well, is that what I heard? Absolutely.

The gap, though, and the reason is just more specificity, is that the GDPR now sets out 13 things that you need to tell people in your privacy policy. Yes. So unless you had amazing foresight and you have a privacy policy that covers all those 13 points, then you're going to need to update it. So, I alluded to it, but I have a pack of template documents. I put it together in response to people in my group saying 'okay, you're telling us we need all this stuff, but I don't want to go and pay a lawyer two thousand dollars or whatever it might be to draw these up for me; can you help us out?' So I put together a template pack that has lots of detailed notes and videos about what to actually do with these documents. And it's a hundred and eighty seven pounds, which hopefully is affordable for most businesses. And then obviously you've got all the supporting materials in the group.

So I find that that's really helped people, particularly those who are panicking and thinking 'oh my goodness, how on earth are we going to get our heads around it'. They get hold of my free checklist, they work out what applies to them, they watch a couple of overview videos that are in my Facebook group, they watch the daily videos that are relevant to them, and then they work through the pack. And often I find that they come in quite panicked about how to get their head around it and how to comply without spending a fortune on traditional legal services, and then they clear half a day, watch the videos, get the pack, fill it in with all the templates that are there, and that's kind of done.

So they're loving that solution. I'll just be up front about it: I bought the pack anyway, and it's been invaluable; it's been so good. The templates are fantastic, the worksheets and things, all the information. Right. No worries. Yes, in my opinion it's pretty much everything I think that a business will need. Obviously the processor agreement and terms that we were talking about earlier.

Yeah, it's got lots of great checklists in there. If people have got employees, there's a lot of employment documents, and there is stuff to use going forward. I mean, goodness, I hope that nobody has a data breach, but there's all the documents that you would need if there is a data breach, things like that. So really, every document I can think of that will help people is in there. So yeah. And we'll set up a link for anyone watching.

So, andrewhubbard.co, forward slash, GDPR; we'll have it there as well, so you can jump on that and that'll send you straight there to get it. Yeah, that's a really good resource; for my team they're really great. All right, so we've got to cover custom audiences. Can you give us a rundown? We can do that. Yeah, just one thing to touch on before you answer that: on our landing page, where we're sending people, we have a cookie policy. Is the whole thing that the privacy policy needs to be prominent? Correct. So is it still fine having it in the footer, which is where most Facebook advertisers have it, or do we need to have it right there next to the button that says submit?

Exactly, like a link to the privacy policy. Yes. So a little line, 'we will protect your data in accordance with our privacy policy', linked to the privacy policy. Now, what you don't need to do, and lots of people get confused about this, is get people to consent to your privacy policy.

It's advisory, because in your privacy policy you're going to be telling people that you're processing data for other reasons, like contractual grounds, legal grounds, legitimate interest. You don't need consent for that. You're just advising people. So it's just 'we process your data in accordance with our privacy policy' and then a link to the privacy policy. Got it.

Perfect. Okay, so that pretty much covers, from what I understand, our landing pages and opt-ins: when people get there we notify them very clearly what's happening with their data, and on the tracking side, through the privacy policy; we have a checkbox in place so we can send them subsequent follow-up marketing if we want to do that. We also get customer leads that we want to start retargeting; we have a few different ways we use custom audiences. So the first one we'll talk about is, let's say we've got an e-mail list. We want to run ads and target everybody on it. So we export our list from Infusionsoft or MailChimp or whatever, and then we take that, upload it to Facebook, and we start showing them ads. So how does GDPR affect the way that we do that on a daily basis? Okay. So I was speaking at a PR conference recently and somebody stood up in a roomful of people and said GDPR spells the end of Facebook advertising.

This is what I mean about marketers who just make blanket statements like that without any kind of backing it up. So I've had this conversation. In my privacy policy, my template privacy policy, we rely on legitimate interests for doing that. Okay. And what I would say about PECR is that this is what we need to keep an eye on, because as of when it's revised in 2019 and it has that extra-territorial scope, then if you need consent under it, you need it. You could still rely on legitimate interests for GDPR, but you would need consent for PECR purposes. And we have yet to really know what that looks like. So it's just a note for people to think 'oh, there's this thing coming up that might impact on this'. I'll keep on top of that. At the moment, certainly, my privacy policy says legitimate interests for doing that.

And yes, you obviously need to cover that in your privacy policy. That's where you're advising people that you're doing that, and with legitimate interest you need to tell people what the legitimate interests are, which again is in the template privacy policy. But you also need to give them the right to object to that processing, and really that is your opt-out. So what people need to be doing is making sure that when you are uploading Custom Audiences, obviously it's not including the people who have opted out.

Right. But then also that you are regularly updating that list within Facebook with the people who are opting out going forward, so you've always got a fairly up-to-date list of people that you are targeting. Which makes sense: you don't want to spend any marketing pounds on people who have opted out and said 'I'm not interested in your stuff'. So we just need to make sure that we're doing that more regularly.

And we talked about this before, because we started this before we started recording, but Facebook's own Custom Audience terms say 'you represent and warrant that you have provided appropriate notice to...'. So that's what we say about the privacy policy: you are providing appropriate notice to them in your privacy policy, 'and you've secured any necessary consent from the data subjects whose data will be used', blah blah blah. So the key word there is 'necessary'.

Okay, you've got any necessary consent. So going forward, if legally under PECR you have to get consent for showing display ads and Facebook ads, then under Facebook's own terms, not only would you obviously need to comply with the law but you'd need to comply with Facebook's terms. And there's been some discussion in places like TechCrunch and other online magazines like that, and I'm trying to find the article; actually it says that Facebook is going to be launching a certification tool that will check and ensure that data is rightfully obtained with user consent.

Now, I imagine that this will be, because if you think about it logically, Facebook aren't going to put an obligation on people that would be against their commercial interests, but they're keen to ensure that people are complying with the law. So what I imagine that situation to be is really just reflecting what that term tends to say, which is where you legally need consent, you've got that consent. But they might put in a tick box nearer to the place where you upload it, so that it's not sort of hidden away in the terms.

I don't know if they've done that already. I can't remember, but there's no tick box at the moment anyway. Okay. So I suspect that's what it might be.

There'll probably be a little statement when you upload your custom audience that says 'if you legally need to get consent, you've got consent', I imagine. I can't think what more they could do in that sense. But Facebook are clearly aware of this issue, so we need to keep an eye on their own terms and what they're telling us. But I really don't think they're going to go any further than what the law requires. So the key message there is really, in my view, at the moment we don't need to get consent for Facebook ads; we rely on legitimate interest under GDPR, and PECR, if PECR applies to you, is not relevant anyway because it doesn't currently apply to Facebook ads, just email marketing and text.

And then you just need to make sure that you are regularly updating that custom audience to make sure that any opt-outs are being reflected. Basically you need to, you know, maybe every week or something like that, upload a new custom audience to make sure that people who have opted out aren't getting marketed to. Yeah, got it. That's really interesting, because I know a lot of marketers where one of their strategies is to actually purposefully upload lists of people who've opted out, with the aim of showing them a different lead magnet or different whatever it is, to bring them back in. So yeah, for those situations that's a definite clue you can no longer do that, which is really interesting.

Okay, perfect. So what about the situation... Now of course you can just target them through interests and things like that, that's absolutely fine. But what you can't do is use their data anymore, because they've told you you can't use it for that. Yeah, yeah.

Though in theory you should probably be deleting that data as well? If you don't have any other lawful ground for processing then yes, you should be deleting it. Yeah. So what about the scenario where we're not taking an email list but instead we're just relying on the pixel, it's pixeling visitors to our website, or even, let's go one step further removed, say people watching our videos on Facebook, on our Facebook page, and then we're targeting them with ads. In that scenario there's no real way to get any form of consent. So, and that's fine, because you're not uploading anything there, you're not the data controller, that's Facebook, and Facebook have got that consent through their own terms of use. Yeah.

Now if you go onto Facebook privacy settings, it tells you that you can opt out of targeted ads, but you're still going to receive ads, because it's their free platform and frankly they can say what they want on it. They can't use your data to target ads if you don't want them to. So I went on and I was like, hooray, I can opt out of all these ads, and actually they very cleverly explain that if you opt out you're still going to see the same amount of ads, they're just not going to be targeted. And personally I'd rather see targeted ads than non-targeted ones. So, but we don't need to worry about that.

That's Facebook, Facebook is the controller, Facebook has got the relevant consents etc. So it's only really where we're uploading our data to Facebook that we need to be concerned. Perfect. Yeah, and I just want to clarify that for anybody who is watching and kind of getting worried, you know, we're talking about this consent stuff and "I can't share ads", and yeah.

So it's good to clarify that. Nothing to worry about on that side. And that kind of leads me into lookalike audiences, which is essentially, I'm assuming, very similar in that, yep, it really is Facebook's data. Yeah. Okay, great. So don't worry about anything on that side of things.

Alright. So is there anything else in regards to Facebook ads specifically that you think we should be looking out for, or that we should be addressing as a priority? Those are the main points. And I think the key thing coming up is PECR, and the revision in 2019, because that will have territorial scope outside of the EU and it will apply to Facebook advertising. So I think that's when we will see a big change in Facebook advertising.

Perfect. And the one thing I did just want to quickly revisit, seeing as we're running short on time, was the existing list and the consent. So just to reiterate: if we've got an existing list and they've opted in, on the grounds, or you're putting it on the grounds, of legitimate interests, so they want to be in, and I've been talking to them about Facebook ads via my newsletter for the last twelve months, then as long as I believe there is a continued legitimate interest in emailing them, I don't need to go back out, say, to existing customers, existing leads or customers... so do I need to go back out now and get separate consent?

And I know it's not black and white, but yeah. I think for customers you certainly can be confident in arguing legitimate interests. Yeah. For prospects, it would depend on how you obtained that consent in the first place and what you've told them. So that's why you need to look at whether you've got the GDPR standard of consent for it. Yeah, and that's the crucial part, is the GDPR standard of consent.

So does yours meet that standard? Yes. And there is a checklist, if you hadn't discovered it yet, in my package, and you said you've put it in my... There is a checklist of what the GDPR standard of consent is, and I've looked at lots of videos and I thought I might as well migrate. Yeah, definitely.

Okay, great. Well, Suzanne, thank you so much. I've got no doubt that my audience will have actually enjoyed this interview. I didn't think you would actually ever enjoy an interview about GDPR.

But I reckon you pulled it off. I seriously have another 50 different things that I could ask you, but you know, we have to wrap it up in a restricted time, right? I have, and it's something that, yeah, it's interesting, it's something that, you know, we've all got to deal with. Yeah, yeah. Again, if we can sort of do it in a way that benefits our businesses, well then why not do it.

So yeah, I think they'll like it. Like I said, thank you so much again for your time. I'm sure the audience, you know, my followers, are going to absolutely love this. If you guys who are watching want to find out more about Suzanne, make sure you join her group, so the group is, let me look at my notes, GDPR for Online Entrepreneurs (UK, US, CA, AU), or you can just go to my short link andrewhubbard.co/gdprgroup, and if you want to get that pack that Suzanne mentioned, which like I said I've got, I use it, my team are going through it now, it's got everything in it.

It's a steal, I think, at 197 pounds, because it just saves so much time. You can grab that as well at Andrew Hubbard forward slash chivvy. I think it's actually less for people outside of the EU, because that includes VAT, so if you're outside of the EU it's like a hundred and fifty or something like that, because that's a VAT-inclusive price. So it's actually even less than that. That explains it, because I went through it and got through to the actual payment and I was like, 150 pounds or something.

So yeah, I don't know what that is but I'll take it. Okay, thanks again Suzanne, really appreciate you taking the time today, and I'm sure this is going to help everybody watching feel a bit more comfortable and more confident about getting up to scratch with GDPR. Alright, thank you.

Talk to you soon. Bye.

Source: Youtube
