Event Recording

Tim Maiorino - GDPR is coming, what is it and why does it affect me anyway?

As if data protection wasn't regulated to the bone already, Europe has come up with a new set of rules introducing a new level of regulation – in terms of detail, scope and applicability. The new rules have a significant impact on how businesses are required to structure their internal processes, how they allocate responsibilities and – in general – how they focus on personal information.

The next speaker is interesting. So he's a lawyer. You are a lawyer, right? Yeah. And he's in one of the most prestigious offices in the world for legal advice. And he's interesting because, what I like a lot, he doesn't have and like that. Exactly. So this is your chance for the people who are trying to figure out what, on words, and why supposed to do this for you? Data protection law. That's the guy who should answer your question. So
Thank you very much. Thank you. This must be the most positive introduction for a data protection lawyer from Germany that I can think of. And as I said, I'm a lawyer. I do not have emotional videos. I don't have slides. I'm just gonna speak until you're so tired you can't even stand up and cross your arms. Okay. So hang on.
What did I just do? And I don't mean capturing this moment to show off on Facebook or the like. I guess 20-something years ago we would probably have said that someone for some reason took a picture of himself in front of other people. But I guess today we'd have to say I just collected personal information of about a hundred people. And by doing so on my smartphone, I opened the door to just as many options to process, to store and to transfer this information. So what I'm trying to say with this poor excuse for taking a picture in front of the audience is that data protection in the last 20-something years has become so much more relevant that it has turned from a paper tiger at best to dominating everything that's happening in the digital space, at least in Europe. And the next chapter in data protection's world domination project is Europe's General Data Protection Regulation, known as GDPR and coming into force on 25th of May, 2018.
Now you may or may not wonder why some piece of European regulation would affect me in my business. GDPR is entirely new, and there are some aspects about it that make it much more relevant than any other European regulation in the field of data protection before, as long as you do business in Europe. First of all, as opposed to the other type of regulation you can imagine in Europe, which is called the directive, it applies directly. It does not require an implementation law in every country in order to be enforceable or applicable. The good thing about these implementation laws is that they always gave a lot of room to argue for the countries and for companies to say, we comply with it in this context, we comply with it in that context. Countries may not even have implemented all of these things in directives. The regulation,
however, applies directly. It applies and is enforceable for everyone who is affected by it. And who is affected by it? That's new as well. For the first time, such a piece of European regulation does not only apply to the collection and handling of personal information within Europe. GDPR governs almost any and all collection and handling of personal information of European citizens, regardless of whether such collection and handling does actually take place in the EU. So it basically applies to every business that does business with European consumers and collects and handles their data, regardless of where this is happening. So this is one of the key aspects of GDPR, what's new to it and the changes it brings. But what does it actually say? What the European regulator has created in terms of data protection is the full package from top to bottom, from start to finish.
And it starts out with detailed requirements as to internal processes, structures and responsibilities in terms of how a company can collect and store data. I'll give you a couple of examples for that. Privacy by design is a term you will all have come across. But what it actually means is that, very much unlike how data protection has been handled so far, which means it has basically been ignored when a new product or a new service has been designed and structured, that's not going to be possible anymore. Up to date, a service has been structured based on a lot of criteria: usability, does it look nice, is it scalable, you name it. You are experts in that; I'm not. But data protection was the last thing someone was thinking about when building a new product, and privacy by design and privacy by default are going to turn this around completely, because what GDPR requires is that the fundamental data protection principles need to be taken into account
when a product is designed. A product or a service may not be designed in a way that does not take such data protection principles into account. And one of these principles, one that developers or product designers are probably not going to like, is the principle of data minimization, which means you may only collect those data that you absolutely need to provide the service or the product. So in a world of big data, in a world where we want to know as much as possible about a consumer, the principle of data minimization in the structure of a product may be a bit difficult. Another example would be the data protection officer, who needs to be appointed by every company that is, basically on an operational basis, dealing with the collection and handling of personal information. That is a good example for how responsibilities need to be structured.
It's a function, it's a position in a company that basically doesn't exist in non-German companies, but it's an employee with an entirely new role who will benefit on an employment law basis, because they can't be fired for doing their job, for telling the management that the way this product is structured, the way this data are collected, is not in line with GDPR. It's not something you can kick him out for. And he's completely free of directions from the management, which is kind of a bit of a contradiction to the general picture of an employee who's supposed to act according to the directions he's getting. The data protection officer is completely free of directions when doing his job. And the third example for how detailed the requirements as to collection of data are is consent. Now, there have always been different ways of obtaining consent from the consumer for what we do, but what GDPR is expressly not permitting is implementing some kind of consent language somewhere in the general terms and conditions,
and by having the user accept the general terms and conditions, at the same time giving consent to data collection. And I'm gonna keep repeating this throughout the next days: we've felt this in Germany for a long time. Consent needs to be given freely, informed and expressly, which means it can't be some legalese somewhere in the terms of use. It needs to be a separate declaration, actively given, which is mainly executed, at least in the online business, by way of a separate checkbox somewhere in the registration process, for example. So these are just a few examples of how detailed the requirements are and how significantly they impact the design of products or the processes that are implemented into products.
The requirements that GDPR sets go on. There is detailed regulation as to the data subject's rights, so the consumer's rights, for example, to be informed about the data that are collected, which means at any point of time a consumer can send you an email and request a full and complete overview of personal information collected about him or her. I've heard about a statistic that 80% of all CIOs or CTOs, I guess in Europe, do not have any idea which data are stored where in the system, in how many databases, which data these actually are. And if that's where we are right now, it's pretty difficult to answer such a request.
So this shows you as well how much you need to structure processes. You need to be fully aware at any point of time which data you have on which specific consumer; you need to be able to respond to that request within a reasonable period of time, which is probably not five or six months. So, and what does it all end with? It's something you'll all have heard about with GDPR: it ends with the authorities being entitled to fine a non-compliant business with up to 4% of its annual global turnover or 20 million euros, whichever is higher, of course. So when data protection used to be a paper tiger, there was regulation, there might have been authorities even, but they basically didn't do anything. They sent out a letter and said, can you give us information on why you're doing this and that? If they were lucky, the company responded, but that was about it.
With these fines, everyone will be a lot more aware, and authorities will automatically have a lot more financial means to start their enforcement as well. They would benefit from all these fines; that would be their financing. So GDPR is going to have a lot of significant impacts on many, many levels: financially, in terms of processes, in terms of structures. But the good news is, and I'm not here to work with your fear as lawyers usually do, life goes on and business goes on. And I can tell you that as a German data protection lawyer, because GDPR is mainly modeled after and based on German data protection law as it has been implemented for many, many years now. I mentioned the data protection officer; the DPO has been implemented in German data protection law in 1998. And companies do get along in Germany. It's formalistic.
It requires efforts, but it's possible. You just need to be careful and aware of what you do. And there's one major aspect that I would like to point out, and it's a positive one. I guess GDPR also brings significant potential in terms of turning all these compliance requirements into a strong marketing tool. Because from my perspective, and that of lots of other non-legal experts as well, there's not going to be an alternative to being compliant. There's just not. GDPR has already increased, and will continue increasing, the awareness for data protection. Not only consumers are very sensitive about it; authorities are obviously as well, but also our competitors. And being compliant can turn into a strong marketing tool with which you can prove, or can create, trust on the consumer side. If you can demonstrate that you are compliant, that will definitely distinguish your company from others, while until now being compliant has more been a competitive disadvantage due to the restrictions and limitations
it brings. I'm convinced this will be entirely turned around. Compliant companies will be far ahead of other businesses who will treat data protection as it has been treated so far, which is more or less like a burden that you need to deal with, but only if someone expressly requests it. This will entirely turn around, and GDPR brings significant potential to help compliant companies get a competitive advantage. And I guess we're going to see, and credits go to that bloom for this term, a survival of the fittest in the data protection context, because there will clearly be a distinction between non-compliant and compliant companies. And with that positive outlook, I'm actually done already. And I say thank you, and I'm happy to take questions.
A question. The thing is, okay, so we always had data protection officers. How does that now apply? Suppose either Amazon or Microsoft, which also work in Europe. So is the data protection officer there, or is he in the US? Where does he belong to? You know, you have these legal entities and all these companies. I was easy, the data protection office and my best friend, he was working at Adam. We didn't have anyone in Freightliner. Yeah. But how is this now for a company like Amazon? Where is the data protection officer gonna sit?
Well, the data protection officer does not necessarily have to be in the country, but for companies not having a presence in the EU, they need to have a representative there. And it basically makes sense then to appoint this person as DPO, because one of the main tasks of the DPO is to communicate with authorities and communicate with the data subjects requesting information. So it makes a lot of sense. For example, if they speak German: data protection authorities in Germany may be able to watch their favorite TV show in English, but they're not very happy to communicate on a business level in English. So it might make sense to have someone on the ground who speaks to
Question, yes, to that point. I believe I read that the DPO does not have to be an employee of the company. So we may see, just as when Burton Group years ago hired its first European employees, we did it through an agency in Europe that actually employed these employees. Yeah.
We have a service like that in our company where they do that. Yeah. That makes sense, especially for the smaller ones. Right. Because they can't afford that in Europe either.
No, they're 250 people or more. That's pretty small.
Yeah. The DPO doesn't have to be an employee; it can be an external service provider. But I mean, that won't restrict you in terms of employment law, but it will definitely be costs. All is offering this service as well. Now I'm just
Run that fast
Gentleman in the blue, in the blue shirt. Yeah.
Hi. So getting back to your positive message about how privacy can be a differentiator in terms of marketing to your customer. When I was with the federal government, we set up levels of assurance for trust. Do you see in Europe with GDPR levels of privacy protection, as a company, when looking at some of these regulations, where I can differentiate myself as, hey, I'm doing an amazing job?
That is happening, because I was in such a company. I did the trust-based model for this company. We went, I wanted to, the examples you gave. So this is a trust model I developed actually for this company. Other automotive companies are also already using them. The point was, then we had the official announcement three years ago saying we do privacy by design, and gave some examples. And so yes, you need a framework, and it's obviously different worse. Now he's out here. Ryan, is Ryan here? Ryan was talking about an assurance level, which is not high enough for me coming from Ghana. We had a van, that's okay. But with automated cars, I need a much higher, have a higher risk, because they can kill themselves. And one, that person is too much. Yeah. So that's why this assurance level has to go up higher. And those sorts of frameworks, they're coming. And with, you know, like in automotive, obviously it sounds awful, but the Germans are in front because we always have the same protection board. Yeah.
And from a pure regulatory perspective, it's not necessarily a question of levels. It's a black or white thing: you either comply or you don't. There will be such things as compliance certificates, GDPR seals and that stuff coming. But if you want to create real extra value, you don't need to confirm just GDPR compliance to add extra value; you need to be working on these kinds of trust things. But from a regulatory perspective, it's black or white. It's not, hey, we're 80% compliant or something like that.
So on the one hand, you're saying non-compliance is no longer an option, but then you're saying that compliance is a competitive advantage. Those two statements seem a bit contradictory. I mean, unless where you're going is what you said before, the survival of the fittest. Yeah. The competitive advantage will allow you to simply survive. Yeah.
That's basically what I'm saying, because non-compliant companies will no longer gain sufficient trust in consumers and customers for them to use their product and service. And it will basically erase them from the market.
How long do you see that process taking place?
That's really hard to predict. That very much depends on the enforcement efforts that authorities will take. We are really excited to see whether they will start sending out the first letters on 26th of May requesting information, and whether they will be going for the big ones in the market to set an example, or whether they will just shoot at everything that moves. But it will mainly depend on the efforts of enforcement, how quickly that goes.
Like Equifax, if that happened in Germany after the deadline, what would happen? What would the response be?
What exactly? From what, what was it?
The big Equifax?
The US,
Yeah, here in the US, a hundred and some million people had their data exposed. Those three,
If they weren't going for Apple anyway, as one of the first ones. If they choose to kind of go for the big ones, for us there would definitely be an invitation for them to come along. And that will then lead to investigations definitely really quickly.
So I remember in the nineties, when I would download software to, say, enable HTTPS for our website, I had to check a box and swear that I was not a citizen of Libya, Iran or Iraq. If I'm a business where most of my customers are in the United States and not in Europe, what's my reason not to put up that box and refuse customers, even if they're, say, tourists or people in the United States on some kind of work permit, because the cost and risk of compliance and the global jurisdiction that has been asserted by the EU make it simply not worth even having 5% of my customers potentially be European citizens?
There will always be room to argue as to whether you are actually actively targeting the European market. Obviously you won't be obliged to keep European customers away from your website, from your product. And as long as you don't actively target the market, there will be room for argumentation. All of these aspects still haven't been determined in final detail by the authorities, but obviously there can't be an obligation for businesses who don't want to be with European customers to take technical measures to keep Europeans out. That can't be the case. So there must always be the argument whether you are actively targeting the European market. And we have this situation in other fields of law, for example consumer protection, which is similarly strict to data protection, where you would have a couple of criteria in order to determine whether you actually target the market. It's a matter of language: do you offer the service or the website in German? Do you offer payment in euros? Do you ship to Europe? So all of these aspects can be used as arguments, but I'm not aware of a final statement of the authorities as to how this is basically supposed to be distinguished, whether it's applicable or not.
Yeah. This is our last question. Okay.
Hi. So there's a component of GDPR that is specific to minors. Here in the US we have COPPA, we're gonna talk about it later, which has some of these situations, right? You can't just block children if you're marketing to them. What do you think the age will be in Germany? 15, 14, 13, 12? What is the age that you believe Germany will choose? And who do you think, who are you confident will choose the lower age of 12 in the member states?
I would imagine most of the countries will stick with 13. Currently in Germany it's 14, but I would assume that we're going to 13. Whether anyone is going below that for reasons of safety, I have no idea. It wouldn't surprise me if the Germans did, because we always try to overachieve requirements, but I don't have insights on who's actually planning on doing this.
It's my understanding 1200 is the minimum, but some countries can set it at 15 in order to obtain parental consent. Yes. Thank you,
James. Thank you. Just one last question, perhaps, or is it your, yeah,
It's great. I'll be around all day today and tomorrow. So please, please stop by and
Client lawyer. So I'm pretty, exactly. Anyway, just a little bit of an anecdote. I mean, just a few weeks ago I changed my profile picture on a social network, I'm not gonna name which it is, into how I look right now, which is without hair. Yeah. The previous one, I was wearing a hat or something. So a day after that I saw, she, I started seeing feet of a hair dirty, but I was very excited to see it; it's quite useful. The question really is, has that social network broken the law? Let's say it right. My question is, I mean, it's just purely for my personal interest. I mean, do you see this?
Unless you have expressly consented to their use of your personal information for marketing purposes, it would've been a breach, because of the general principles on how you're allowed to use personal information.
What sort of money am I getting now? So the government is going to fine them or whatever. So my photo was used. Wagon buy.
No, unfortunately not, unfortunately not. So generally you're allowed to use personal information for contractual purposes, unless you have consent. And for anything else, with a few exemptions, you're gonna need consent, which you actually need to do with the tick box. So that was basically a breach. Okay. You're gonna be around? Yes, I'm gonna be around all day today and tomorrow
Now.
Thank you.
