This automatically-generated transcript is taken from the IT Pro Podcast episode ‘Can codes of conduct save GDPR?’. To listen to the full episode, click here. We apologise for any errors.
Jane McCallion
Hi, I'm Jane McCallion.
Adam Shepherd
And I'm Adam Shepherd.
Jane
And you're listening to the IT Pro Podcast where this week we're taking another look at GDPR.
Adam
The DCMS is currently consulting on proposed changes to the UK's data protection regulation, with a stated goal of increasing clarity around how the rules should be applied, and making it easier for organisations to remain compliant without adding unnecessary burdens or stifling innovation.
Jane
The proposed changes include scrapping the need for data protection impact assessments, and changing the rules around when businesses have to employ data protection officers, as well as significantly restructuring the Information Commissioner's Office.
Adam
The government has said that it is planning to build on the existing GDPR and data protection acts rather than watering them down. But privacy campaigners have nonetheless expressed a certain degree of apprehension about what these changes could mean for the UK data protection landscape.
Jane
There are some however, who feel that rather than the GDPR rules themselves, it's the way they've been interpreted that has caused problems. Today we're speaking to Chris Combemale, CEO of the Data and Marketing Association, who argues that instituting GDPR codes of conduct can enable the government to achieve its goals without rewriting the data protection rulebook. Chris, welcome to the show.
Chris Combemale
Thank you.
Adam
So Chris, just to kick off today's conversation, can you tell us a little bit about what the DMA does?
Chris
Sure; the Data and Marketing Association is the industry association that really represents the use of, of customer data, customer information, to find and keep customers. So really, that's an activity, a normal business activity that's existed throughout the centuries, that every business needs. And of course, in the data driven era, there's many more ways to maintain loyal, long term customer relationships. So we really, dating back to our original incarnation close to 100 years ago, as the British Direct Marketing Association, have always been focused on the issue of how do you properly collect and use data for customer relationships. And now really, that includes just about every channel, from traditional postal channels, telephone, email, text messaging, social media, an increasingly data driven TV, digital radio, and so on. So in that sense, when we approach legislation like GDPR, it's with the context of ensuring the frameworks are right, to protect the customer. But that's not in contrast to a business's objectives, which is to ensure that customers trust them, and want to do business with them over time.
Jane
So how do you feel about the government's current proposals to amend the UK data protection legislation?
Chris
Yeah, I think the, the proposals are interesting in the sense that they build on the frameworks of GDPR, and also cover a little bit of amendment to the privacy and electronic communications regulation. So there are multiple legislations that that govern the use of, of data for for one to one communications. And I think what they've said and supporting the national data strategy, is the revisions they're looking to are to enable innovation and growth in business and clarify certain aspects of GDPR that may have become confused in implementation. And I think it's important in assessing the proposals to go back and remember that GDPR itself as written by the EU, with UK involvement in the drafting is a risk based legislation that balances different rights in different risks, but does it make one right overwhelmingly more important than another right. So if you start out from from what's written in recital four of GDPR. It says the processing of personal data should be designed to serve mankind. But the right to the protection of personal data is not an absolute right. It must be considered in relation to its function in society. And then it goes on to say this regulation respects all fundamental rights, including the right to conduct their business. So in and what we're really talking about is greater clarity, in that balance between essential data protection, that is important for people to trust the uses of data that's taking place, whether that be commercially or through public services, or in scientific research, or medical research, or in say, finding solutions to a global pandemic, like the COVID pandemic, none of it works unless people are confident that their data is being collected in a correct way, kept safe, and so on. But it's not a legislation that says the right to data protection is absolute, and trumps all other rights, or all of the things going on in society. And in that context, the government's proposals are completely consistent with both GDPR and privacy and electronic communications regulation, and in fact, build on those core principles and keep essentially most of the legislation as is but with some clarification, and some refinements, most of which we think are reasonably okay.
Jane
Yeah. And this is actually something that I've heard around, that a lot of businesses, when they reacted to GDPR, they got very tunnel vision on the data protection, and the fact that people can ask for their information to be erased and all that, rather than also taking into account the legitimate interest side of things. And, and yeah, that seems to kind of play into what what you're saying.
Chris
Yeah, I think, you know, our members - who are probably the most experienced data driven marketers in the UK, both both established businesses that have been using data for communications for a long time, and newer businesses in the ecommerce and digital channel era - have have always, I think, understood how to get the balance right. And certainly, if you have customers that no longer want to do business with you, for whatever the reason, it's not actually efficient for that company to continue to communicate to you. It's not productive use of resources, and what companies are trying to do when they're collecting insight about their customers, and understanding what their customers buy, they're trying to find those customers that really do want to have a long term relationship and do want to buy from you frequently and do want to benefit from the things loyalty offers. And that's where companies want to invest their money, because that's what's profitable. So philosophically, then, there is no contradiction between what GDPR asks and what companies are trying to do. And actually, our members started from the perspective that they were very concerned about GDPR. And by the time implementation was done, mostly, you know, 70, 80% had concluded it had been good for their business, you know, because it required certain things, like knowing what data you hold on a customer and being able to look at it in the round and know why you held it, and what you were going to do with it. And many established companies would have had data in many different places, you know, from a promotional marketing database to a CRM database to a different and bringing it together. So that you knew what you held actually has a very good hygiene requirement and normal business, and really should have been done from the history of marketing.
Adam
Yeah, something that we heard a lot when GDPR first came into force was that it encouraged a lot of, a lot of companies and a lot of organisations to shake off some of the bad habits that they'd built up with regards to data in terms of just hoarding data that they didn't necessarily know if they needed, just because it might come in handy at some point. And I think that's a good habit to, to get out of, you know, with any kind of data driven operation, whether it's for marketing, or, you know, even if it's just like application data, and and that kind of stuff. So then moving on slightly. In your view, what are the main problems with how GDPR is implemented today?
Chris
Yeah, I think what we've seen GDPR presents six bases, for data processing, one of which is getting consent from your customer, there's probably you could use for the purpose of fulfilling a contract, you could use the basis of legitimate interest. There are six and they're equal. And what has happened in the implementation is through sort of muddled confusion, and I think, legal advice that's difficult, and the way data protection authorities across Europe have slightly confused things, there has been a tendency to believe or come to believe that consent is the only basis of processing customer information no matter what the purpose is, and what the communication that's going to resolve. Whereas in fact, recital 47, of GDPR says that direct marketing, in other words, the use of data to communicate to your customers, may be and is a legitimate interest. But many members have not wanted to do that. Now, having said that, there are safeguards, so sensitive personal data, requires consent. And there's other things that are specifically requiring of consent. But much communication could be done under legitimate interest, according to the way GDPR is written. So one of the proposals that the government is making, is to move some recitals into the main text to give them further, you know, because a recital is like an example. Whereas if you move it into the main text, it becomes factual. And they're proposing having a defined list of areas where legitimate interest might apply to give that clarity, so that you know that it really is one of six equal basis in the legislation. And I'll give you another example of the kind of clarification that's proposed that that we think is a good thing. Under privacy and electronic communications legislation. You can communicate to your existing customers by email, unless they unsubscribe, it's called the soft opt in. So you need consent for cold emails. But within your existing customers, you have the soft opt in, but the way the legislation is written through we think just an aberration is that that soft-in doesn't apply to charities and other type of organisations, where you have, again, very loyal customers. So someone who's passionate about saving dogs or saving birds, or disaster relief, or, or preventing harm from children, and donates regularly and volunteers their time to that organisation, there's no reason why that soft opt-in shouldn't extend to charity communications, and especially given the challenges they face financially in the current environment. And the fact that data driven marketing is the primary communication methods that not for profit use to raise money from from their donor base. So there's no reason that a loyal donor is different to a loyal customer of Tesco in terms of the depth of the relationship. And in fact, perhaps even more so because people are really passionate about the causes they support, and really want that relationship. So again, there's no reason why in PECR or GDPR, why a charity's donors should be considered different to a customer of Tesco or Sainsbury's or a bank or an insurance company. So what what the proposal the government has made does is it proposes to extend the soft opt in for email to definitively include charities and other types of organisations. And that just seems like sensible clarification and nothing to get overly excited about.
Adam
Yeah, cuz it's been three and a half years since GDPR came into force, and there's still a huge lack of, of clarity and lack of kind of awareness within business as to what they're allowed to do. And I think that's led a lot of businesses to err on the side of caution, particularly given the high potential fines that GDPR brought with it. I think that scared a lot of organisations into really playing it as safe as possible, often on the advice of legal departments and legal teams trying to minimise risk. But it's it has led to a lot of organisations being very conservative in their approach to data.
Chris
No, that's absolutely correct. And I think that's inherently the issue that some of the proposals the government is making is trying to clarify. And we believe those proposals are consistent with the intent of GDPR. And, you know, there's two things our members are concerned about. First, they have just gone through this major implementation change. So given the challenges of the pandemic, the challenges of Brexit, and other changes that are going through the structure of the UK, ideally, this change is in some ways good. Although the issue, you identify that and I think, absolutely, we need a bit of sense of clarity, so that businesses are not always taking the most risk free approach. You cannot innovate or create a modern economy, if you take a zero risk approach to everything. So there are problems in the way, in that overly conservative approach to GDPR because it prevents some activities that would be beneficial from taking place. So I think that's really important. And the second thing, our members, especially those who with international businesses, do not want to risk the recent data adequacy decision with the EU, because 40% of international data flows and exports, or thereabouts, go between the UK and the EU. And if that for whatever reason, became more restrictive, it would make it even more difficult to manage customers that are on the continent. And we all know the issues that already exist around the supply chain management, availability of labour and so on. So business just doesn't need another challenge between the UK and the EU in terms of doing business. But we don't think necessarily that a lot of the changes should pose that risk. So again, coming back to legitimate interest. Legitimate interest is an established legal basis for data processing going back decades in the EU. And the Dutch Data Protection Authority tried to limit its application and fine a company called Football TV for using legitimate interest as the basis which we think they were correct in doing so. The Dutch courts, not only strongly supported Football TV against the DPA but quoted European Court of Justice precedents, in particular, a precedent on a case called fashion ID, where the Advocate General Bobek said it was absolutely a legitimate interest to be able to advertise in the best possible way. And so European judicial precedents, support the clarifications that the government is making in terms of legitimate interest depending on how that final exhaustive list of when you can use legitimate interest. And so in that particular example, I don't see how that could risk adequacy, because what the government is proposing is completely consistent with the balancing of risks that GDPR expresses and with EU legal precedent.
Jane
And I know that the DMA has suggested that Defining codes of practice for GDPR would be one way to make sure that people truly understand, or companies rather, truly understand what they should be doing. Does the government's proposals kind of fall in line with what you had in mind for that? Or are they something else?
Chris
Yeah, the government's proposals don't make changes necessarily to that side of things. So GDPR contains articles 40 and 41, which established codes of conduct for the interpretation of GDPR. So, clause 40, basically says, industry associations should be responsible for articulating how the legislation should be applied to their industry sector, and outlines specifically in the context of legitimate interest, that it should be the industry association that puts forward the codes of conduct, and then those are approved by the Data Protection Authority. So in the UK, that's the Information Commissioner's Office. And article 41 establishes independent monitoring bodies, also, which requires approval from the Information Commissioner's Office. So what GDPR and the way it was drafted in the EU and then transposed into UK law is a notion that industry experts who understand the processing that's taking place, that those experts who understand what the processing that's happening, would interpret how best to apply GDPR with the collaboration with the Information Commissioner's Office. And what that does is it establishes a form of co-regulation, where for companies who passed audit, under those codes of conduct would have complaints against them for that particular activity passed to the industry monitoring body to handle the complaint. So in essence, it becomes a whitelist of the good actors in an industry who have earned the right through passing the audit. And what it does for the ICO is it shifts a huge amount of low level complaints that are not causing harm from the ICO's investigative team to different industry monitoring bodies. But with escalation procedures, where if somebody goes off the rails, you can pass it back to the ICO. So we think that's really sensible. We've been working hard to get a code of conduct approved. There have been some approved in Europe, but UK is moving a little bit slowly. Now, what does create some confusion is the UK Data Protection Act in 2018, also establishes a requirement for the ICO to publish codes of practice, as distinct from codes of conduct. And one of the codes that they have to create as a code of practice is direct marketing, which overlaps with with our code of conduct. And it creates real confusion. So one of the proposals in chapter five of the government consultation that they're making is that when the ICO creates a code of practice, there should be a body of industry experts overseeing that code of practice. But that amounts to the same thing as the Industry Association, creating the code of conduct. So my view is we don't need both, we should just have the code of conduct. And there's no point to having a code of conduct and an industry monitoring body, and then a separate direct marketing code of practice, overseen by the same industry experts that arrives at the same conclusions. So I think there's a little bit of tension there, but the government is keeping articles 40 and 41 in their proposals, and they are adjusting the development of codes of practice so that they are more similar and recognise the industry expertise in the development of that code of practice. So we're kind of all on the same page. But it makes quite good sense for companies that treat their customers really, really well and have built trusted relationships and who have passed an audit for complaints that might arise through misunderstanding or error or something that goes a bit wrong one day, that that can be handled in a low level, informal way to resolve the issues rather than tying up investigative resources.
Adam
Yeah, absolutely. And one of the big complaints that's been levied against the ICO by kind of privacy campaigners in recent years, is the speed with which it processes investigations, you know, major investigations into things like the use of data by the big tech giants, Facebook, Google, etc. And, you know, investigations into like major serious data breaches, they take years to roll around and complete in for judgement and a fine if it's applicable to be issued. Do you think that offloading some of the more minor stuff from the ICO to this kind of self regulating industry body would free up more resources to help speed up those kind of major top level ICO investigations?
Chris
I think certainly it would. And I think the ICO's in favour of that whole part of the system based on the conversations we've had and would like to spend their time focused on the big issues, I think what you do have in an investigation is all kinds of opportunities to appeal and escalate beyond the ICO themselves.
Adam
I mean, it's always going to take a certain length of time.
Chris
Yeah, I think those big companies can hire armies of the types of lawyers that can tie the ICO in knots so there's a tendency to be very cautious. But I would say, through the pandemic, maybe because they focused on helping the government, you know, with some of the apps that that tracked and traced and so on. But the Ico investigations are quite slow at the moment, it is a problem, especially for smaller businesses. And sometimes where in the process, the business is given the opportunity to respond to the complaint, our members find that the response is often not adequately taken into account in arriving. And so we have examples where the final notification is identical to the draft notification with not even a minor change based on the response of the company. So I do think there are issues there of timeliness and issues of fairness. But I also understand that, you know, like the big Cambridge Analytica Facebook case, they have to move with a certain amount of caution if they want to end at an outcome that's verifiable, because they are up against, you know, companies that will use every procedural issue to their benefit to try to get the issue to go away. So and I think that's why sometimes they've had to agree some reductions in some of the bigger fines they've they've issued and so on. It is an issue for sure. And I think some of the proposals in chapter five should make it speedier. And I think if lower level complaints that don't pose major harm, so I handle that will help the ICO focus on where the biggest risk to people exists.
Adam
So you mentioned that one of the issues with GDPR's current implementation is that national data protection authorities often interpret the regulations differently. How would you ensure that the same thing doesn't happen with codes of conduct?
Chris
Okay, that's a really good question. Because, you know, when GDPR came into force, one of the main objectives of GDPR was turning the previous data protection legislation from 1998 from a directive, which gave each country the opportunity to have some flexibility, to a regulation, which theoretically means less flexibility nationally, although there are some carve outs, but in actual fact, every Data Protection Authority across the remaining 27 countries of the EU is interpreting and applying GDPR in a different way. And that is creating huge inconsistency and confusion. So one of the things we're doing, I chair FEDMA, which is the Federation of European DMAs, 21 DMAs from the 27 states. That's based in Brussels doing the lobbying, we are trying to create a network of national codes of conduct that harmonise the interpretation in the ways we think are consistent and I think, you know, if you have enough precedents from approved codes of conduct, whether they're an EU wide code of conduct that covers the 27 countries, or it's one in Austria and one in Poland. And they're covering similar topics and arrive at the same consensus, then you start to create that basis for business. But right now you have, you know, everything from Austria, who has approved a direct marketing code of conduct, specifically for postal third party data, and postal communications, which is consistent with what the government is proposing in their revisions to legislation. And then you have those Dutch, which I mentioned, who believe no business interest can be a legitimate interest. But as I said, the Dutch have lost in their own courts based on EU precedents. But the DPA is, and we say this all the time, the data protection authorities have to apply the legislation in the way it's written, they cannot apply the legislation with their own political biases in mind. You know, and the legislation is quite clear, in terms of the six bases and the balance and proportionate approach to different rights, because there are many rights always in every circumstance that need to be balanced with each other.
Jane
So the government's consultation aims to increase innovation and growth, do you think that these current proposals will actually achieve this goal?
Chris
I think in terms of the areas that we are particularly focused on, as the data and Marketing Association, and in particular, some of the examples that I've given around clarification of legitimate interest, clarification of the soft opt in for email, in those areas that will absolutely help companies in going about the day to day business, of communicating with their customers, and at the same time, not pose any increased risk to those customers in terms of inappropriate behaviours, and so on. There is a whole other section that I haven't studied as much around changes to enable scientific research to be more easily conducted and, and data to be shared and reused. And I know there's applications that will make medical research a bit easier. So that we can get those insights about how be how diseases behave and find cures for those diseases. But I haven't really studied those but but my understanding is the intent of what's being proposed is to make it a little bit easier, because in the way that GDPR is written, anytime you're going to process data, you have to choose the basis, and then write a case for the basis. So if you're doing medical research, you have to go through the same experience. And so if certain things are clearly defined as being legitimate interests for medical research, and the changes and accountability that was put in place means that you don't have to, you know, what basis you're going to use, it's clear in law. And you don't have to write that little document that defines all your reasons why you're going to do it that way. And why you've made that choice. I think it does reduce an administrative burden, and makes it easier just to get on and do the important thing, which is designing new products, designing new cures, for diseases, and so on. But of course, that's balanced against, you know, the ethical approach to medical research as well. So if you're combining, you know, insight into how everybody has responded to a certain drug that's treating a certain disease and trying to find out why some people's body reacts in a different way, and so on. Obviously, it's quite sensitive. So again, there is a lot of work in the proposals around anonymization of data to ensure that you can conduct that research in a way that doesn't risk any individuals individual cases being put at harm. So I think the the intent is along the right lines. I think much of what we've seen is fairly pragmatic. I don't see much that should really get the privacy activists up in arms. Although often the privacy activists believe that the right to privacy takes priority over everything else. But I really don't think there's a huge amount that I think would pose harms to citizens and customers. In what's been proposed, it seems to us to be more in the form of clarification and pragmatic common sense.
Adam
Well, I'm afraid that's all we have time for this week. But thank you once again to Chris Combemale from the Data and Marketing Association for joining us.
Jane
You can find links to all of the topics we've spoken about today in the show notes and even more on our website, itpro.co.uk.
Adam
You can also follow us on Twitter at @ITPro, as well as Facebook, LinkedIn, and YouTube.
Jane
Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts to never miss an episode. And if you're enjoying the show, leave us a rating and a review.
Adam
We'll be back next week with more from the world of IT but until then, goodbye.
Jane
Bye.
