Will Bachman: Hello, Greg. Welcome to the show.
Greg Albertyn: Hello there. Thanks for having me.
Will Bachman: Greg, tell me a little bit about GDPR and why independent consultants should care about it, and what we need to know about it.
Greg Albertyn: So, GDPR, as I think many have heard something about, in a nutshell is a stiff change in how Europe has decided to regulate the use of personal data. Why it is important today for not only European practitioners, professionals, and organizations, but also for those primarily in the US, but really anywhere around the globe, is that the provisions of the GDPR have made it extra-territorial. That is one of the big changes from the previous regulation, 95/46, which was what was in place before May 25th of 2018. What that means is that many more organizations in the US, that previously weren’t covered or connected to the previous privacy regulations, are today directly covered by GDPR and have to directly comply, to a greater or lesser extent, with these regulations, regardless of whether they are physically established, or have any legal entity or business, in Europe.
Greg Albertyn: It’s much broader than it was before, and so consequently, it’s much more important than I think the privacy regulations were before.
Will Bachman: Okay, so even American listeners that don’t have an LLC or business in Europe, we need to comply. If you’re in Asia, Australia, wherever you are. So, tell me some of the most common things that an independent consultant, or someone who maybe does sales, or reaches out to people, needs to know about. Maybe start with emailing people. I have a vague understanding of this, there’s some rules about who you’re allowed to email. Talk to me about that a little bit.
Greg Albertyn: So the first main complexity, or area of confusion is around consent. Particularly in the US, my US clients, I often hear a lot of talk about consent, and the need for consent to be able to contact people. It’s very important that that sort of myth is debunked. It is not necessary, under GDPR, to gain a person’s consent to market to them. [inaudible 00:02:52] we’re talking here about unsolicited marketing, provided you have a legitimate interest, you’re doing lawful things to gather business or garner additional business, you have come by their contact detail, be it an email address or whatever it is, in a legitimate way, in a lawful way, it is fine for you to reach out to them and market your products.
Greg Albertyn: This is succinctly said in Recital 47 of the GDPR, which says marketing is within the legitimate interests of the business. Now, it doesn’t mean that you can go willy-nilly and send out emails to anybody you want, as often as you want, and your hands are completely untied. In addition to you having that legitimate, lawful access to the information, and legitimate interest to market to them, you also need to ensure that you give to them appropriate information. What is the information that you’re collecting about them, if you’re going to be collecting information, where did you get this information from, what is your organization? Who are you? How, most importantly, how can this individual respond back or connect with you to change their preferences or opt-out?
Greg Albertyn: Opt out is called the right to, is one of the rights, one of the individual subject access rights of the GDPR. And that is the right to object to processing. I have the right to object to you processing my data in this way. I have the right to object to you sending me marketing emails. So consequently you have to give them that information to be able to respond to you to either say send me less emails or stop emailing me at all or forget you ever knew me and get rid of all my data because I have no relationship with you, etc, etc. So that’s one, I think, of the key points of confusion. You do not need, necessarily, consent.
Greg Albertyn: In certain respects you do need consent, though. So if you are engaging with them for particular purposes that may be of a particularly sensitive nature. You’re talking to them about perhaps health data or health … or disease states or some other type of health-related data. Then you will probably need to definitely give that information. Also something like an example might be you gather contact information through your … through the normal course of business, but it is in relation to a service you’re providing to a physician or a health organization or healthcare provider. You gather that information. Now you have information that you could only have gotten had you had access to people’s medical records. Now you’re going to need consent to be able to reach out to them because the question is how did you get this information? And if you did get it, then you are using my sensitive personal information.
Greg Albertyn: So you need to be a little bit careful in some respects, but generally speaking this whole fallacy of oh my God I can’t touch any information because I need their consent, that’s out.
Will Bachman: That is kind of maybe a myth that I had a vague thought of, because I just never had really studied it or spoken to someone like yourself who really understands it, thinking that you can’t reach out to someone. But then how in the world do you get their consent if you can’t reach out to them? So it’s a little circular. If you get somebody’s email and it’s legitimate, you have a real reason that they might want to do business with you and maybe you’re connected on LinkedIn, so you have their email address or you can just figure out their email address because it’s like first name dot last name at company or something, you’re allowed to reach out to somebody as long as there’s a way for them to unsubscribe. And this is a little bit technical, but do you actually have to have an unsubscribe button or is it okay just to say hey if you don’t want to hear from me again just let me know and I’ll take you off my list? How explicit does the button?
Greg Albertyn: So it has to be simple and it’s gotta be free. So the, let’s say the policy in the strict text of the GDPR says that you … suggest that you could say yeah reach out to me if you don’t want to be contacted by me, but in practice, in order for that to seem legitimate and for you to demonstrate that you really do care about this, it would be … it’s definitely you need to have some sort of unsubscribe link.
Greg Albertyn: The other thing that clients and organizations should think about is how do you actually convey your own integrity and your trustworthiness in a way that makes these people feel like they can trust you and that you’re going to do the right thing. If you don’t have that unsubscribe link, that’s immediately going to give them a sense of well are you making it unreasonably difficult or trying to avoid me reaching out? If you were to say hey, I respect your privacy, if you don’t want to hear from me, click this link or drop me a note and I’ll not respond, or I’ll take you off the list, that’s fine except let’s think about this from the perspective of the recipient. They’re getting hundreds of spam emails every day. Can you imagine how much time it would incrementally take of their day if they were to have to spin up an email, write a note, do something, multiple clicks worth of things in order to get taken off a list every time.
Greg Albertyn: So practically, you want to give them the sense of you know what? All I’ve got to do is click this one link and it’s gone. The other thing to think about, and again on the more practical side, is be careful. A lot of folks are getting smarter and more sophisticated in how they operate online. You will very often have folks setting up alias email addresses when they give their email or when they register for services or buy products online, or whatever the case may be. You then gather that information, those email addresses from a retailer or whatever it might be, that service provider. And you then market to them.
Greg Albertyn: Be careful about how you set up your preference management response strategy. If you are responding only to the email address that sent that unsubscribe and they actually subscribed or are subscribed in your database under an alias, that could be a bit of [inaudible 00:10:07] frustrating for them and could be a bit of a privacy fail on your part because you’re then going to be getting these complaints going out to the FTC or others saying I’ve unsubscribed from these people 40,000 times and they keep sending me emails. What the hell? If that starts to happen, obviously a trending amount of time, the FTC is going to start to take notice. Just be careful about how you set up those response strategies as well.
Will Bachman: Okay. You were about to go into the myth number two, what’s the second big misconception?
Greg Albertyn: The other big one is the scope and coverage. There’s a lot of concern, we talked about before the fact that this GDPR thing, this is extra-territorial. So now a lot of people are saying well am I covered? Is a mom and pop shop in the US covered? Are we covered by this regulation, do we have to comply? So the things to keep in mind and the simple way to think about it, and what I like to say often, is the GDPR does not apply to EU citizens, and the reason why I say that is we in the privacy community use the word citizenship or citizens loosely, but it’s dangerous to do that. Because that then says to organizations that you’re attaching the GDPR coverage and obligations to the individual. And so then you end up in these wild and crazy scenarios of where organizations are monitoring the regional IP address of someone who’s logging onto their website to determine whether they are “a European resident” or a “European citizen” in order to apply all this GDPR application, which isn’t actually what they’re trying to do at all.
Greg Albertyn: The GDPR scope is covered under Article Three and it has two pieces to it. Piece number one, if you are an entity established in the Union, that means you have a physical or legal presence, a building, or however you want to say it, a legal entity in the Union, you are then covered by GDPR and anything you do with personal data, wherever you do it, you must comply with the GDPR. The second piece is if you are offering goods and services within the EU. So that then brings in your US service providers who are providing services to European organizations or customers or organizations with business and entities in the EU. So they become covered, because I’m offering these … I’m supporting and offering the services and goods in the EU. I might be entirely and only established as an entity in the US, but because I am now offering services and supporting services in the EU, I should now … I have to be [inaudible 00:13:27] covered. I am what they call in GDPR a processor. I am the service provider to a controller, so the business that is responsible for gathering the information or determining what information is required. So that’s your customer.
Greg Albertyn: They go, they say I want this kind of information from my customers, this is what I’m going to do, this is the services I’m going to sell, this is why I need this information. I then go to my supplier, my processor, my SaaS provider, or my logistics operation and I say to them this is the information that my customers are going to give me, I want you to process this information, I want you to dispatch the products, I want you to send the emails. And you are now using a service provider to do that. That service provider now is going to be processing the information pursuant to offering a service or a good in the EU. That service provider now is this US entity that has no physical presence in the EU but because they now will be receiving and processing personal information about or in order to give a service in the EU, they are now covered.
Greg Albertyn: It has nothing to do, and this is the important myth we need to bust, it has nothing to do with the individual designation of those people. It doesn’t matter whether they are a European resident, European citizens, European nationals. It doesn’t matter about the personal designation of the individual. It matters about the entities or the businesses that are using their information. And that’s a little bit … it’s a strange thing you have to get your head around, but once you understand that it becomes a lot clearer. It also then becomes a lot simpler for organizations in how they establish their operations. Where they understand whether they’re covered or not.
Will Bachman: All right. Great. So that’s a couple myths. What are some of the key things that we do need to know that it really … so particularly for, let’s say in an independent consultant or someone running a boutique firm, we talked about if we reached out to people, have an unsubscribe, what about handling data if we’re working with a client that maybe does business in Europe, what do we need to know about GDPR in terms of handling data for a client? Maybe they’re a retailer, maybe they have information on customers, what are some of the key things that we should be aware of?
Greg Albertyn: Couple of things, one is the good news is that the requirements in terms of physically or logically working with and processing personal data are not very different. In fact, entirely across the GDPR there’s nothing brand new. All of the stuff they’re asking us to do is stuff we’re probably doing in a slightly different way already today. So you’re not going to be having to do something brand new or wildly different. For instance, cybersecurity, securing your information, making sure that it’s adequately secured, is something we’re doing today and they are not really asking for anything significantly greater.
Greg Albertyn: They are saying, though, that you do need to establish a mechanism or a framework for assessing the risk of their personal data. So if it’s health data or sensitive financial information or things like that, the regulators would expect to see more robust security and handling and identity access management, access control, and access minimization for that kind of data than they would for something more benign like oh it’s a name and an email address. There’s less trouble and risk around that type of data than there is around health data [inaudible 00:17:27]. So you need to be securing and managing this information according to a well-thought-out risk assessment.
Greg Albertyn: The other thing that they need to think about is are they able to respond to a data breach in a very crisp way? You will get and many [inaudible 00:17:51] clients will have probably been through the wars already on the contract updates from their clients. The clients [inaudible 00:18:01] be sending them these GDPR amendments to contracts. And it’ll have a bunch of new language in it essentially saying you are going to follow my instructions, you will put the right security in place, all these different things, and one of the key things there is you will advise or alert me to a breach of data, a data breach, as quickly as possible because, the really important thing here, is your client has to respond or report to a supervisory authority or a data protection authority in Europe where they’re established within 72 hours if that’s feasible.
Greg Albertyn: It’ll be difficult in a lot of cases for a business, for an organization to say I can’t report something to you within 72 hours, because then you’re not doing your job. There’ll be rare instances where you can say I couldn’t report to you in 72 hours, but 99% of the time they should be able to respond in 72 hours. Now the really important one here, and [inaudible 00:19:14] another one of these miscommunications and this unfortunate advice comes from, is they then roll that down and they say hey, service provider, you need to respond to me and tell me about a data breach in like 24 hours. And we all know, especially in the US, that there’s a myriad of different things that are happening at the time of a data breach, especially a significant one.
Greg Albertyn: In the first instance, there’s a good likelihood that the FBI just told you you got breached and therefore are telling you what you can and can’t do. So immediately, you’re responding to them, they’re asking you for a bunch of information, they’re telling you you got to take the following actions. So there’s no way that anybody can actually get a coherent sentence out to their clients within 24 hours. It’s unreasonable.
Greg Albertyn: The other thing where clients push … customers can push back from service providers is very clearly, the regulators have clarified their guidance on the GDPR and have been very clear. The 72 hour time clock only starts to tick when that controller, that client entity, is told about the service provider’s data breach. The 72 hours does not start ticking when the service provider understands or realizes they’ve had a data breach. It only starts to tick once that service provider tells their client they’ve had a data breach. Then that client has 72 hours before they have to report to a regulator. So it’s really important to make that clear. There are a lot of service provider organizations stuck in the situation where, well, in order to keep this business I have to sign up to or commit to do something I can’t reasonably do. I’m likely to breach this contract the very first time this thing happens. So everyone should be really clear that the GDPR requires that a service provider report a data breach “without undue delay,” that is in quotes, “without undue delay.” [inaudible 00:21:30].
Greg Albertyn: Because they understand and realize that there’s a lot of complexity when you have to report a data breach. So you need to do it quickly and ethically, you need to do it as quickly as you possibly can, but without undue delay. And so that’s one thing to really think about is can you actually commit to these, under these time frames, that you care about?
Greg Albertyn: The other thing that clients need to be thinking about is that if you’re covered by GDPR, there’s certain documentation you need to have in place. One of them, and most importantly, is a data inventory, a report on your processing activities. And sometimes it’s referred to as a ROPA, report of processing activities. It is defined or required under Article 30 of the GDPR and that’s why it’s often referred to as an Article 30 data inventory. And all that is is what is the information that you are collecting? Who might see that information? How is it being processed? i.e., is that in house, external, [inaudible 00:22:35]? How long are you keeping it for and what sort of security measures have you got in place? And this data inventory would obviously or usually be broken down by the different business processes. So it’s HR, it’s finance and payroll, it’s marketing, sales, it’s logistics, whatever the case may be. And within those bands, within those business processes, you will then document the kind of data you collect, what types of data subjects or individuals are we talking about? How do I protect this and how long do I keep it for? And who might see this, how many third-parties do I share with and then why do I need to do that?
Greg Albertyn: As long as you’re keeping that up-to-date, you are a long way towards the documentation you need, because creating that Article 30 inventory actually requires that you align and straighten out a number of different pieces of your operations. So in order to just keep that up-to-date, you need to start to become a lot more aware of how you’re processing your information, who gets access to it, how did you collect it, where is it stored, etc, etc? So actually is … there is a lot of value to keeping that inventory, but it’s literally the first thing, or one of the first things that a regulator will ask for in any inspection.
Greg Albertyn: The second thing they’re going to ask for, they’ll ask for two things, they’ll ask for your inventory and then they’ll ask you for a documentation of your governance process. That is who is responsible within your organization for making sure that you use this data in compliance with GDPR. So you have to have an individual at least with a title that is responsible for making sure that this works. That’s not a data protection officer. Most organizations, especially in the US, will probably not require a data protection officer, a statutory-appointed data protection officer. You probably will not require one. If you do, you will know it. So it’s just that, separate from a data protection officer, you need to have some way of showing or making the regulators comfortable that you are keeping an eye on this and that all the different stakeholders within the organization are well-aligned to know what they’re supposed to do and when they’re supposed to do it. Making sure that you have this data protection or privacy governance program in place with the right people and resources is the [inaudible 00:25:05] of an important thing. It’s the data inventory and this data governance program that are absolutely critical.
Will Bachman: Okay, fantastic. Is there a … have you ever seen a good checklist for a smaller firm, for an independent professional, or for a boutique firm, if you want to make sure you got all your bases covered with this, that’s kind of in plain language that a human can understand?
Greg Albertyn: There are a number of different publications with greater and lesser degrees of validity, complexity, and completeness. There is unfortunately a lot of misunderstanding and miscommunication out there that is often dressed up as well-meaning communication as well. The IAPP, or the International Association of Privacy Professionals, puts out some very, very excellent guidance and for the most part is very accessible to the common man. And they’re continually improving and enhancing the education and knowledge out there. It’s a non-profit organization, they’re not trying to get anything out of this, they’re just trying to enhance the privacy profession and professional in general, and so they put out some very good guidance on that. In particular they have a series of the … a ten part series of the operational impact of GDPR on organizations.
Greg Albertyn: Again, unfortunately, no publication is going to do it in a way that really gels it down to the basic understanding of every small organization out there, so you do still need, you probably will still need a couple of goes at it to get it. But definitely those, those series and publications out there from IAPP definitely get you understanding what are the key areas and factors and information you need to think about and then you probably will seek professional help with okay, I get what I’m supposed to be thinking about, I think I can probably cover all of that stuff, but I’m going to need help on the nitty-gritty how does this actually affect me? Because unfortunately a lot of this guidance, any guidance is going to be a one-size-fits-all approach, so it’s going to sound like your mom and pop shop is going to require a massively complicated and sophisticated privacy program which is necessary for a large multinational organization, when actually they don’t. They probably need to get a handful of things in place that cover those key areas of the GDPR in an appropriate way for their size organization.
Greg Albertyn: You’re still going to need perhaps some guidance, but those publications certainly get you to understanding what everyone’s talking about and what needs to be thought about.
Will Bachman: Fantastic. Let’s talk about your business, Greg, tell us a little bit about services that your firm provides.
Greg Albertyn: So we, at its core, what we are trying to do is optimize how organizations are complying with various regulations and legal requirements. For the most part, it is centered around cybersecurity, data privacy, and data governance. So it’s all the things that we’re talking about now. We help organizations, number one, understand do we have a risk for exposure? Where might that risk be within our organization? And then we work with them to establish a program to comply in the most sustainable and cost-effective way. We are not avoiding compliance but there’s also a number of different ways that an organization can comply based on their individual context that allows them to do it in a sustainable, cost-effective way and still meet the bar. That’s what we do with organizations.
Will Bachman: What sort of organizations do you work with?
Greg Albertyn: We work really across the board. Financial services, we do a lot of work with healthcare, we do a lot of work also in education, and also retail, retail organizations and industrial shops as well. We’ve also had some very good interactions as well. So we run across most of the regulated sectors.
Will Bachman: Walk me through what your diagnostic phase of one of your projects might look like. How do you go about identifying the risks that a company is facing? Do you have some templates and standard questionnaires? Walk me through what would happen if you came into … when you come into a client and do that first phase?
Greg Albertyn: Yeah. I would say it’s sort of template plus, there are some basic grounding questions [inaudible 00:30:34] understanding we need together, which is … there’s the basics, how big are you? What’s your client base or customer base? How many individuals are we talking about? What type of data are we talking about? We also think about or look at what is your support strategy? Are you all sort of moving towards a cloud-based mechanism or platform or are you all in house or are you still on legacy architecture, or are you a bit of both? What does that look like? What does your support infrastructure and ecosystem look like? Because that of course goes to the risk that poses to the data. What do your organization’s internal programs and capabilities look like? Do you have the sophistication yet to have dedicated individuals looking at things like risk management or data governance at all? Or is that something that is going to be a building program, sort of building that capability out there?
Greg Albertyn: We look at where are you established, where are your operations, how widely are they spread, is it purely domestic? Is it regional? Is it global? International? And what types of partner arrangements do you have? Because again, where you get the information, who you partner with and share information with becomes a question around their security. Of course the internal operations such as your security posture and that type of thing is also important for us to look at.
Greg Albertyn: Based on that, we are then able to say you are sitting in a higher risk or lower risk situation and then we look at what types of policies, procedures, capabilities, and structures do you already have in place. Maybe you perhaps already have a pretty robust privacy or cybersecurity or information security program in place which just requires some meaningful tweaks or updates, or are you still at a very emergent level where that stuff has to be defined and documented? Obviously in that type of situation, if you’re calling us in and we’re talking about a GDPR covered type of [inaudible 00:32:55] or operation, then there’s going to be some pretty urgent attention that we might need to pay to some of the basic blocking and tackling for you to be able to operate compliantly. Whereas if you’re in a more advanced phase, then that’s perhaps not as urgent and it’s just more about making sure that the things that you are doing already today you’re doing, calling them the right things or doing them slightly differently than you were doing yesterday.
Will Bachman: Could you talk about when your firm would get called in and who typically is raising the … is it the board? Is it the CFO? Is it the CEO? Talk about when and who.
Greg Albertyn: Typically, it would be in the compliance or risk side of the business, the legal team might do their own investigation, exploration of the market, just making sure they’re aware of their due diligence and [inaudible 00:33:56] requirements will realize, oh, hold on a second, I think we might be covered by this GDPR thing, how do we do that? Oftentimes we are already helping perhaps with another question, another matter. It might be that we’re working with them on perhaps enhancing their cybersecurity posture with their organization or it might be something like they are [inaudible 00:34:25] up new operations in Massachusetts and they’re realizing that they have to comply with Mass privacy. We start to talk about that and they realize well actually it’s not only Mass privacy, do you realize you probably are covered by GDPR as well? And they realize like wow this is going to be a much bigger nut than we thought to crack. And so we have an extended conversation about that.
Greg Albertyn: It’s various different ways. There are often also conversations that I have with some of the marketing executives who come from the uninformed posture of oh we need consent and wow, our European program is really being disrupted because we don’t have consent from all these people and the conversation goes well hold on a second, you don’t need consent. And they’re like oh my God, thank you for saying that. What does that actually mean? Let’s talk more. It depends a little bit on where that conversation starts.
Will Bachman: So marketing execs, the legal team, how did you get started in this whole compliance space?
Greg Albertyn: Through a weaving route. I started out working with [inaudible 00:35:35] many years ago in their cybersecurity information risk management teams where, at that time, it was much more on the technology and the technical controls that were necessary to guard and protect information and it was more about the systems than the data itself. I then, through the evolution of the conversations we were having with the clients and the evolution of the market became more interested and much more aware of more of the privacy and data risk dynamic rather than the systems themselves. And then began to morph more into the data protection and privacy space and understanding what was necessary. And of course at the time you’re also becoming more aware yourself in terms of the different ways that we interact socially and technically and online and how that information is becoming so much more important and so much more … it’s of so much greater value but also of so much greater risk and how are we able to protect the value of data and value of the relationships we have with our customers in order to build this … build out our … ensure that our customers view us as having integrity, of being trustworthy with their information as customers become more sensitive to how their information is being used.
Greg Albertyn: And that was really interesting to me. And so consequently got more involved in the privacy and regulatory space.
Will Bachman: What do you do to raise your visibility, relating to business development, how do you kind of get known as an expert in this so people will reach out to you?
Greg Albertyn: I do publish from time to time opinions, particularly online in places like LinkedIn and those types of areas. I am engaged and stay actively engaged with the industry associations like ISACA and the IAPP. And also I look for opportunities for training, for education, and information development. Speaking at those types of conferences is also an important way or strategy for keeping your visibility up as well.
Will Bachman: Where can people learn more about your firm or get in touch with you?
Greg Albertyn: They can reach out to me, I’m on LinkedIn and other online networking as well as, as I said, as you do more investigation into some of the industry associations, then I will certainly be a part of that as well.
Will Bachman: Fantastic. Any personal productivity habits or tips that have really worked well for you that you’d like to share? I’m always interested in what successful people do to have a successful day or during the week.
Greg Albertyn: My approach is usually just the basics of set goals, always set goals for the week, what is it that I want to have achieved by Friday? You’re not always going to hit it. And be aggressive with that, that you’re not always going to hit them but always have that goal, those goals set otherwise your week tends to get away from you very, very quickly. Because that also establishes priority. And then start early. A lot of times, what I see, some of my acquaintances and colleagues tend to do is, if there’s something I have to do tomorrow, let’s do it tomorrow. Whereas as we see just how things, or how quickly things are moving, how quickly things change within organizations and within the market in general, you realize that the chances are that things are not going to work out quite as planned and so starting whatever tasks you have as quickly as you can allows you that ability to change direction if you need to as things change and things get … the objective begins to change or evolve in front of you.
Will Bachman: Fantastic. Well, Greg, this has been a fantastic discussion. Dispelling some of the myths around GDPR is super helpful and for those of us who want to learn more, you’ve given us some good direction in terms of the IAPP and I just want to thank you for coming on the show.
Greg Albertyn: Fantastic. Thank you.