How can you ensure GDPR compliance for your business? According to Thiébaut Devergranne, businesses should first make sure that their third-party software providers and other solutions that they’re using are in compliance with the new law.
Thiébaut Devergranne is a French legal specialist with a doctorate degree in private law specializing in emerging technology.
He is the author of the book “La propriété informatique,” and worked for six years in the cyber security division (DCSSI) of the Secretariat-General for National Defence and Security for France.
Learn more about Thiébaut on his website: donnéespersonelles.fr
SendinBlue Interview with Thiébaut Devergranne, GDPR expert
Adapted from the original article in French
SendinBlue is actively preparing for the arrival of the GDPR, which enters into effect in May 2018. What major changes do you see in this new legislation in contrast to existing laws?
Essentially, the GDPR is an update from the old laws that includes real consequences.
If you are processing personal data as defined by the new law (a name, a first name, the image of an individual, social security number, etc.) on your computer systems, this new regulation applies to you.
There’s an impression that the law defines broad principles but leaves enterprises in the dark on how to properly comply. How will this law be applied in practice?
That’s actually very normal. In reality, that is the exact purpose of the law. Let’s take an example: the text of the law requires the establishment of adequate security measures when dealing with personal data. But, the law does not define what these measures (antivirus software, strategic defense initiatives) actually should be because that’s not the role of the law.
Therefore, subjects of the law must adapt accordingly to their specific situation. This adaptation normally falls on the in-house lawyers at companies affected by the law, usually with the help of engineers. Their job is to ensure that the proper measures are taken to be in compliance with the law with regard to their particular case.
Concretely, what impact will this law have on small and medium-sized businesses? Isn’t it primarily just providing a legal basis for attacking the large tech companies?
In my personal opinion, large tech companies — like Google, Amazon, Facebook, or Apple — will probably be the least concerned with GDPR compliance. In fact, European companies, and French companies, in particular, will likely be hit the hardest by this legislation.
Contrary to what most believe, these large tech companies have the right culture in place to handle an exercise of compliance at this scale. It’s important to note that the US has 1.3 million practicing lawyers, as opposed to just 50,000 in a European country like France — and unlike in Europe, multi-million dollar fines are relatively common in the US.
So, for these tech giants, GDPR compliance is a normal problem that they’re used to managing.
However, in Europe, the culture is very different — and even more so in France. We are accustomed to being subjected to numerous regulations that ultimately nobody follows — at least until real consequences start arising.
Because of this, many organizations in Europe are taking their time in complying with the new GDPR regulations to wait and see how the penalties will be applied in practice. This is a gross miscalculation that stems from a fundamental misunderstanding of the new law: the GDPR gives multiple actors the power to take legal action (terminated employees, social partners, consumer associations, privacy advocate groups, etc.).
There are sure to be a number of people interested in taking these steps, which is why it’s very important to start working on GDPR compliance now.
The best solution for small and medium-sized businesses is to only use third-party software tools that explicitly state that they are “GDPR compliant,” meaning they have taken the necessary steps to make their tool conform with the new law. This is especially important for email marketing software.
To be in compliance with the GDPR, businesses will be required to keep proof of consent from their customers in order to process their data. What form would this consent likely take? For example, when collecting email addresses, would the logs for an opt-in form suffice as proof of consent with regard to the GDPR?
To answer your question simply, it’s important to understand that proof, in a legal context, does not result from one single element, but rather from a set of concurring elements.
For example, you could create a bailiff’s report stating that users are well informed of their rights at the time of signing up and providing their contact information. But what does this really prove if someone enters their email into your system a day after the report is created? Does this demonstrate that the technical mechanism that ensures proper consent was in place at the time of this user’s action?
It’s always a good idea to take necessary precautions (why not use a bailiff’s report, opt-in logs, consent process, etc.), but the evidence can always be brought before a judge whose role is to determine, in light of the facts presented and discussed, the solution of a dispute such as this.
Software providers can play an important role in this process. For example, they can allow businesses to activate legal notices while keeping records of who saw them. This would let businesses show that they have been showing all new users a legal notice starting from a specific date. This could be used as one element of proof in a legal case.
For businesses who already have a list of opt-in contacts but haven’t kept records of this consent, is it enough to send an email campaign asking for renewed consent from these contacts? How would you be able to show incontestable proof of consent?
This is actually quite complicated.
The regulation (articles 6 and 7) requires that the controller be able to demonstrate that the individual whose data is being processed has consented to this processing. Therefore, you would also have to accumulate elements of proof that demonstrate that the recipient actually consented to this “consent renewal” campaign in the first place.
So I would have to turn the question back to you: what material elements are at your disposal for showing that consent occurred? We have to start from there — but do not strive for incontestable proof, as this does not exist. Instead, you have to collect consistent evidence in as many ways as possible.
What would you recommend to the average business owner or e-commerce merchant who doesn’t have the resources to get help with their GDPR compliance?
I would recommend reaching out to your software providers to make sure they are taking the necessary steps for GDPR compliance because they are more capable of absorbing the costs that come with compliance. Also, only use GDPR-compliant solutions (editor’s note: like SendinBlue 😉) — that would be a good first step.
As an expert on the subject, are you confident that businesses will be willing and able to comply with this regulation?
I am very confident in the fact that we will see a mass of conflicts arise on the day the law enters into effect, as there are an enormous number of actors who have a practical interest in how the law is applied and its ramifications.
But, many companies still don’t understand the gravity and impact of the impending regulation right now.