Right?

Well, as part of the conversation around these questions, MEF in partnership with CLX convened a special webinar. 

The speakers were:

• Professor Daniel Solove – GDPR expert, TeachPrivacy
• Rob Malcolm – VP Marketing & Online Sales, CLX Communications
• Lee Suker – Market Development Director, Data Protection Officer, XConnect

Here are the highlights of the discussion.

What is personal data? It’s not straightforward…

“It can be any info that’s identifiable to a person. But it is also anything that can be linked and combined with other info to identify them. That can include combinations of information. You can use gender, post code and birthdate to identify a high number of individuals.” Daniel Solove

How will GDPR change things in enterprise messaging?

“We’re moving from world where enterprises would basically do whatever they desired with personal data. Obviously many have lost control and that’s led to fraud and identity theft. GDPR is a response to that. The aim is to improve trust and stop people digitally disengaging.

“There is a part of the law called joint and several liability, so if anyone on the chain cases a link, the whole chain has to figure out whose fault it was. If you’re a supplier to a large organisation, you can be on the hook for four per cent of their turnover.” Lee Suker

Why is GDPR a positive?

“It means enterprises can put trust front and centre. They now have a choice.” Lee Suker

“GDPR will remind enterprises that getting the cheapest message is not a good idea for lots of reasons. But under GDPR trust will be at the forefront of that decision.” Rob Malcolm

What kind of breaches will be punished?

“There will be grey areas. We will learn a lot every day. It’s a risk continuum – can you punish someone who acted in good faith, for example? It remains to be seen.” Daniel Solove

How can consumers pursue complaints?

“Typically there should be a privacy notice, and an individual named for handling complaints or concerns.” Daniel Solove

What have you done to minimise risk?

“We have a board and a cyber team with a risk-based methodology to ensure the data is acquired lawfully…We want to give our suppliers confidence that their data is only used for certain purposes, and control measures to ensure our customers can only use our data for certain activities. That’s backed up in our contracts.” Lee Suker

Is it feasible to eradicate risk when so many parties are ‘touching’ the data?

“No one will be 100 per cent compliant, so it comes down to contracts. You have to make sure you’re not taking on ridiculous liabilities, and make sure in your governance process that you’re addressing the biggest risks on a regular basis. But there’s lots of great help and advice out there.” Lee Suker

How does the CPaaS model increase the risk of infringing GDPR?

“When you’re storing logs of communications things become more risky. Before, it was  data controllers that had most of the liability. But now under GDPR we’e all responsible for our actions. Storing data without consent is a murky area, and individuals can seek damages. So you could argue that in a world of spam, there is some risk that wasn’t there before.” Rob Malcolm

How will the law be tested?

“When the public brings a complaint, then we will see how this law will be enforced. It’s a really big question: how aggressive will the law be, and how might it differ from one authority to the next. There is a big risk of lawsuits – some will be legitimate and some will just abuse the system – but it’s all speculation at this moment.” Daniel Solove

How will new rich comms like RCS affect complying with the law?

“If communications are rich and complex, and you are doing more than supplying the method and the means, then you might become a controller. And you have many more responsibilities and costs as a result.”