GDPR is just weeks away. It will affect every enterprise with customers in Europe. And it will ask specific questions of the enterprise messaging community. In a CLX Communications & MEF Connects Digital panel, three experts wrestled those questions…
Is GDPR the best thing ever to happen to enterprise messaging?
The companies knee deep in compliance workshops, internal training schemes, cyber security consultations and contract reviews may not think so.
But if the end-result of all that effort is that business moves from unscrupulous firms to responsible ones then everyone (the enterprises, the intermediaries and the public) will be better off.
As part of the conversation around these questions, MEF in partnership with CLX convened a special webinar.
The speakers were:
- Professor Daniel Solove – GDPR expert, TeachPrivacy
- Rob Malcolm – VP Marketing & Online Sales, CLX Communications
- Lee Suker – Market Development Director, Data Protection Officer, XConnect
Here are the highlights of the discussion.
What is personal data? It’s not straightforward…
“It can be any info that’s identifiable to a person. But it is also anything that can be linked and combined with other info to identify them. That can include combinations of information. You can use gender, post code and birthdate to identify a high number of individuals.” Daniel Solove
How will GDPR change things in enterprise messaging?
“We’re moving from a world where enterprises would basically do whatever they desired with personal data. Obviously many have lost control and that’s led to fraud and identity theft. GDPR is a response to that. The aim is to improve trust and stop people digitally disengaging.
“There is a part of the law called joint and several liability, so if anyone on the chain causes a leak, the whole chain has to figure out whose fault it was. If you’re a supplier to a large organisation, you can be on the hook for four per cent of their turnover.” Lee Suker
Why is GDPR a positive?
“It means enterprises can put trust front and centre. They now have a choice.” Lee Suker
“GDPR will remind enterprises that getting the cheapest message is not a good idea for lots of reasons. But under GDPR trust will be at the forefront of that decision.” Rob Malcolm
What kind of breaches will be punished?
“There will be grey areas. We will learn a lot every day. It’s a risk continuum – can you punish someone who acted in good faith, for example? It remains to be seen.” Daniel Solove
How can consumers pursue complaints?
“Typically there should be a privacy notice, and an individual named for handling complaints or concerns.” Daniel Solove
What have you done to minimise risk?
“We have a board and a cyber team with a risk-based methodology to ensure the data is acquired lawfully… We want to give our suppliers confidence that their data is only used for certain purposes, and control measures to ensure our customers can only use our data for certain activities. That’s backed up in our contracts.” Lee Suker
Is it feasible to eradicate risk when so many parties are ‘touching’ the data?
“No one will be 100 per cent compliant, so it comes down to contracts. You have to make sure you’re not taking on ridiculous liabilities, and make sure in your governance process that you’re addressing the biggest risks on a regular basis. But there’s lots of great help and advice out there.” Lee Suker
How does the CPaaS model increase the risk of infringing GDPR?
“When you’re storing logs of communications, things become more risky. Before, it was data controllers that had most of the liability. But now under GDPR we’re all responsible for our actions. Storing data without consent is a murky area, and individuals can seek damages. So you could argue that in a world of spam, there is some risk that wasn’t there before.” Rob Malcolm
How will the law be tested?
“When the public brings a complaint, then we will see how this law will be enforced. It’s a really big question: how aggressive will the law be, and how might it differ from one authority to the next. There is a big risk of lawsuits – some will be legitimate and some will just abuse the system – but it’s all speculation at this moment.” Daniel Solove
How will new rich comms like RCS affect complying with the law?
“If communications are rich and complex, and you are doing more than supplying the method and the means, then you might become a controller. And you have many more responsibilities and costs as a result.”
“But I don’t see too much changing with RCS. All the same issues that exist on SMS will apply to it. The notion of who is a controller, a processor and a sub-processor won’t change materially.” Rob Malcolm
How important is internal training?
“Training teams is fundamental. People sharing files, uploading them to SaaS partners and so on – it all becomes a lot more risky if you don’t educate your team.” Lee Suker
Do you have to get comms channel-specific consent from users?
“My understanding is that you need a legal basis to store a telephone number under GDPR. Which channel you use is covered by e-privacy legislation, not GDPR. Under that law you do need consent per channel, so technically speaking I could text you but not call you for example.” Rob Malcolm