Your Personal Data Inventory Top Tips & Brexit Impact 161220

Privacy Kitchen

17 Dec 202042:23

Summary

TLDRIn this engaging Privacy Kitchen session, experts Tash Whitaker and David Clarke join host Robert Bohr to dissect the complexities of data mapping for privacy governance. They explore the nuances of GDPR compliance, the impact of Brexit on data protection strategies, and share practical advice and war stories from the field. The conversation delves into the importance of understanding data maps, the challenges of maintaining accurate records of processing activities, and the implications of Brexit for cross-border data transfers and marketing practices.

Takeaways

🗺️ The importance of a data map as a cornerstone of privacy governance was highlighted, emphasizing its role in understanding data flows and impacts on privacy.
🤝 Introductions of the panelists, Robert Bohr, Tash Whitaker, and David Clarke, who are experts in privacy management, consultancy, and cyber and data protection, set the stage for a deep-dive discussion.
🔍 The distinction between a data map and an asset register was explored, with the former being a broader concept that includes the latter, which is more about the security and inventory of data assets.
📝 The GDPR's record of processing activities was discussed as a subset of a data map, which is crucial for understanding data processing activities and responding to data subject requests.
🚫 The challenges of questionnaires for data mapping were noted, with panelists preferring interviews to get accurate insights into data processing activities.
🔑 The role of the Data Protection Officer (DPO) in maintaining the record of processing activities was emphasized, as they need a comprehensive understanding of the business to fulfill their role effectively.
📈 The impact of Brexit on data maps was anticipated, with the potential need to revisit and adjust data transfer agreements and the possible requirement for UK companies to appoint EU representatives.
🛑 The potential increase in data subject rights requests due to the removal of PEC Regulation (ePrivacy Directive) was flagged, necessitating a detailed data map to manage these effectively.
📉 The low adoption rate of ISO 27001 was mentioned, with GDPR and other privacy regulations driving a need for more comprehensive data governance practices.
🔄 The dynamic nature of data mapping was underscored, as it needs to evolve with the business and be part of ongoing risk management and compliance activities.
📚 The complexity of managing large-scale data maps was discussed, with the need for robust systems and processes to maintain and update the data map in line with business operations.

Q & A

What is the main focus of the 'Privacy Kitchen Session on Data Maps'?
-The session focuses on understanding data maps as the foundation of privacy governance, discussing what constitutes a data map, the impacts of Brexit on data privacy, and sharing practical advice and war stories related to data privacy management.
Who are the hosts and guests of the Privacy Kitchen Session?
-The session is hosted by Robert Bohr, the founder and CEO of Keepable, and the guests are Tash Whitaker from Whitaker Solutions Limited and David Clarke, who has a background in cyber and data protection.
What is the importance of a data map in the context of GDPR?
-A data map is crucial for GDPR compliance as it helps in creating a personal data inventory, understanding data flows, and ensuring that organizations can fulfill data subject rights and manage data breaches effectively.
What is the difference between a data map and an asset register according to Tash Whitaker?
-Tash Whitaker explains that an asset register is like a map of the street with details of buildings, security, and contents, whereas a data map encompasses everything, including the asset register, record of processing, security measures, and business usage of data.
Why might a company start with an asset register for their data mapping?
-Companies might start with an asset register if they have previously pursued ISO 27001, as it helps them understand what assets they have, including databases and filing cabinets, which is a foundational step in data mapping.
What are some common pitfalls in creating a data map according to David Clarke?
-David Clarke mentions that a common pitfall is confusing a data process map with a business process map, and another is not specifying where the data lives, which is crucial for understanding data flows and security.
How does Brexit impact data maps and the need for a UK GDPR?
-Brexit necessitates the creation of a UK GDPR to replace the EU GDPR for data processing within the UK, and it may require companies to revisit their data maps to account for new data transfer rules and the potential need for EU representatives.
What is the significance of the number of entries in a record of processing activities (ROPA)?
-The number of entries in a ROPA should be substantial enough to provide a clear understanding of data processing activities, but not so overwhelming that it becomes unmanageable. The right balance helps in responding to data subject requests and managing data breaches.
What is the impact of Brexit on marketing practices and how should companies prepare?
-Brexit may require companies to adhere to local data protection laws in EU countries rather than relying on UK regulations. Companies should review their marketing databases to understand the geographic distribution of their data subjects and ensure compliance with local laws.
What are some top tips for managing a data map effectively?
-Some top tips include starting with a basic understanding of data processing activities, verifying information through interviews rather than relying solely on questionnaires, and ensuring that the data map is part of ongoing business as usual rather than a one-time exercise.

Outlines

00:00

😀 Introduction to Privacy Kitchen Session

The session begins with a warm welcome to a privacy-themed discussion led by Robert Bohr, the founder and CEO of Keepable, a privacy management platform. He introduces the guests, Tash Whitaker from Whitaker Solutions Limited, who specializes in data-related consultancy, and David Clarke, with a background in cyber and data protection. The session aims to explore data maps, a fundamental aspect of privacy governance, and to address the impacts of Brexit on data protection. Practical advice and war stories are promised to enrich the conversation.

05:02

📈 Understanding Data Maps and GDPR Compliance

David Clarke initiates a discussion on the concept of data mapping, emphasizing its importance in privacy governance and GDPR compliance. He explains that a comprehensive data map could involve various parallel journeys, including technical, privacy, data, business, and security aspects. The conversation highlights the complexity of creating a data map and the necessity of understanding the context and purpose of the mapping. Tash Whitaker adds that an asset register is like a street map, while a record of processing is akin to the activities happening within the buildings on that map.

10:03

🔍 Delving into Data Mapping Strategies and GDPR Record Keeping

The conversation continues with insights into the practicalities of data mapping. Tash Whitaker discusses the importance of starting with an ISO gap analysis or a basic GDPR record of processing activities. The speakers agree that questionnaires may not be the most effective method for data mapping, with face-to-face interviews being a more reliable approach to understand the actual data processing activities. They also touch upon the challenges of managing large volumes of data and the importance of keeping the data map updated and relevant.

15:03

🤔 Navigating the Complexity of Data Mapping in Enterprises

The speakers discuss the challenges faced by large enterprises in creating and maintaining data maps. Tash Whitaker expresses skepticism about the feasibility of mapping for large companies, while David Clarke shares his experiences with big companies where even after significant efforts, the data mapping was far from complete. They agree that the task is daunting and requires a significant investment of time and resources.

20:04

🛠️ Crafting Effective Data Maps and Avoiding Common Pitfalls

The discussion shifts to tips for creating effective data maps and common errors to avoid. Tash Whitaker emphasizes the importance of granularity in data mapping to identify risks accurately. David Clarke points out that a data map should enable an organization to respond to data breaches and subject rights requests effectively. They both stress the need for a balanced approach that avoids excessive detail that could render the map unmanageable.

25:05

📉 The Impact of Brexit on Data Protection and Mapping

With Brexit on the horizon, the conversation turns to its implications for data protection. The UK GDPR is set to replace the EU GDPR, and the speakers discuss the potential need to revisit data maps to account for new geographic considerations in data transfers and the potential requirement for EU representatives. They anticipate increased complexity and the possibility of stricter enforcement by national regulators within the EU.

30:06

🚫 The Overlooked Aspects of Brexit in Data Protection

The final part of the conversation highlights the overlooked aspects of Brexit, particularly in relation to marketing and the ePrivacy Directive. The speakers predict that UK companies marketing to the EU will need to adhere to local laws, which may vary significantly from the UK's approach. They anticipate potential challenges in identifying the geographic locations of data subjects in marketing databases and the need to ensure compliance with diverse regulatory requirements post-Brexit.

Mindmap

Keywords

💡Data Map

A data map is a comprehensive representation of the data an organization holds, its flow, and how it is processed. It is central to privacy governance and is essential for understanding the data landscape within an organization. In the video, the creation and importance of a data map in the context of GDPR compliance is discussed, highlighting its role in identifying personal data inventories and processing activities.

💡Privacy Governance

Privacy governance refers to the framework of policies, practices, and procedures an organization establishes to manage its data privacy risks. It is the cornerstone for ensuring compliance with data protection regulations. The script emphasizes the importance of privacy governance in creating and maintaining a data map, which is a key component in managing an organization's data privacy obligations.

💡GDPR

GDPR stands for General Data Protection Regulation, a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. The script discusses the implications of GDPR on data mapping and the need for organizations to have a clear record of data processing activities to comply with its stipulations.

💡Brexit

Brexit refers to the United Kingdom's exit from the European Union, which has implications for data protection laws and regulations, including GDPR. The script mentions Brexit's impact on data maps, suggesting that organizations may need to revisit their data processing activities and transfers post-Brexit to ensure compliance with both UK GDPR and EU GDPR.

💡Data Protection Officer (DPO)

A Data Protection Officer is a role designated under GDPR to oversee and monitor an organization's data protection strategy and compliance with data protection regulations. In the script, the DPO's role in maintaining a record of processing activities and ensuring GDPR compliance is highlighted.

💡ISO 27001

ISO 27001 is an international standard that outlines a framework for an information security management system. It is mentioned in the script as a starting point for some companies in their journey towards data privacy and security, indicating its relevance in establishing a foundation for data protection practices.

💡Record of Processing Activities (ROPA)

The Record of Processing Activities (ROPA) is a document that organizations are required to maintain under GDPR to record their data processing activities. The script discusses the importance of ROPA in detailing what data is processed, the purpose of processing, legal basis, and other relevant information for compliance and data subject rights.

💡Data Subject Rights

Data Subject Rights are the rights granted to individuals under GDPR, allowing them to control their personal data. These rights include the right to access, rectify, erase, restrict, and object to the processing of their data. The script emphasizes the importance of understanding these rights in the context of data mapping and processing records.

💡Data Controller

A Data Controller is an entity that determines the purposes and means of processing personal data. The script clarifies misconceptions about the term, noting that it does not refer to a department lead but to the party responsible for compliance with data protection obligations in relation to the data being processed.

💡Data Processor

A Data Processor is an entity that processes personal data on behalf of the Data Controller. The script discusses the distinction between a Data Controller and a Data Processor, which is crucial for understanding responsibilities and obligations in data processing activities.

💡PECR

PECR stands for Privacy and Electronic Communications Regulations, which governs the use of personal data in electronic communications. The script touches on PECR in the context of marketing communications and the potential impact of Brexit on how organizations market to individuals in the EU.

Highlights

Introduction to the privacy kitchen session on data maps, emphasizing the importance of data maps in privacy governance.

Robert Bohr introduces himself as the founder and CEO of Keepable, a privacy management SAS.

Tash Whitaker describes her role in providing consultancy on data-related matters, including data protection officer services.

David Clarke shares his background in cyber and data protection, highlighting the evolution of GDPR's impact on businesses.

Discussion on the different perspectives and components of a data map, including technical, privacy, data, business, and security journeys.

Clarification on the difference between a data map and an asset register, with an analogy to a map of streets and buildings.

Importance of starting with a basic GDPR record of processing to understand what data is being processed and why.

The challenge of managing large-scale data maps in big companies, with the suggestion that smaller companies may find it more manageable.

Tash Whitaker's approach to data mapping, emphasizing granularity to identify risks and the iterative process of verification.

David Clarke's insights on the complexity of data mapping in large organizations and the practical difficulties in keeping such maps updated.

The role of the Data Protection Officer (DPO) in maintaining records of processing activities, as clarified in recent guidance.

Discussion on the practicality of questionnaires for data mapping, with a preference for interviews and verification.

The impact of Brexit on data maps, with considerations for data transfers and the potential need for EU representatives.

The importance of data maps in responding to data subject requests and managing data breaches effectively.

Tash's method of linking data mapping to the creation of privacy notices, ensuring accuracy and compliance.

David's perspective on the balance between the level of detail in data maps and the practicality of managing them over time.

Final thoughts on the challenges of data mapping in the context of Brexit, with a focus on the upcoming changes and preparations needed.

Transcripts

00:04

hello everyone

00:04

and welcome to this fantastic privacy

00:07

kitchen session i'm i'm

00:08

really delighted to be joined by tash

00:10

whitaker and david clarke

00:11

and we'll do introductions just one

00:13

second so um this is a

00:15

privacy kitchen session on data maps

00:17

which is really the cornerstone the

00:20

foundation of your privacy governance so

00:22

it's a really key thing

00:23

we're looking at what is and what isn't

00:25

your data map we look at the impacts of

00:26

brexit the gift that keeps giving

00:28

and we've got some great war stories

00:30

we've got some great practical advice

00:32

so um straight into some introductions

00:35

got a lot to talk about so

00:36

i'm robert bohr i'm the founder and ceo

00:38

of keepable we're privacy management sas

00:40

at a policy pack giving you a framework

00:42

for gdpr and pekka

00:44

um well that's enough about me so so uh

00:46

tash do you want to introduce yourself

00:48

and

00:48

and your business sure i'm tash whitaker

00:51

i run whitaker solutions limited

00:54

we do consultancy to businesses on

00:56

anything data related to be honest

00:58

whether that be

00:59

iso gap analysis data management data

01:03

quality tqm

01:04

but most of the work that we do is

01:06

related to data protection and we offer

01:08

data

01:09

data protection officer as a service to

01:10

a number of clients as well

01:13

fantastic fantastic and david would you

01:16

do the same this

01:17

great yeah david clarke um yeah i've got

01:19

a background in cyber and data

01:21

protection

01:22

all sizes of companies i kind of figured

01:26

um

01:26

gdpr was going to kick off in 2014 i

01:29

think it was kind of two years too early

01:31

um but it's definitely come of age now

01:35

and yeah i i kind of work with companies

01:37

on cyber and data protection

01:40

and it's fantastic having both thank you

01:42

very much being guest chefs and i do

01:44

apologize for not having sent you your

01:46

privacy kitchen mug in advance but uh

01:48

i know david you got your gdpr on there

01:52

so um straight into the questions then

01:55

we've got

01:55

fantastic geographic we can get into

01:57

that one as well that's a fantastic

01:59

segue for later on as well so uh just

02:02

diving straight into the first questions

02:04

then so

02:05

um david can i ask you to enter in to

02:07

introduce

02:08

what a data map is and we can talk about

02:11

what the title of it is be it i mean

02:13

we've just been talking about that

02:14

before this call it'd be great as well

02:16

yeah

02:17

um i think that's kind of a good

02:18

question and and i think to some extent

02:20

it depends on who you're talking to

02:23

because quite often to kind of have a

02:26

full data map

02:27

you may need a number of journeys that

02:29

will run in parallel you may need the

02:30

technical journey the privacy journey

02:32

the data journey where it physically

02:34

goes

02:34

the business journey kind of what we're

02:36

using it for the security journey you

02:38

know

02:39

number of companies when you start

02:40

mapping out the security journey

02:42

you'll find you know easily 10 12

02:44

different security domains

02:46

which kind of means what do you do if

02:47

there's a bridge what do you do if

02:48

there's a problem

02:49

actually you don't really know who to

02:50

call what to do um

02:53

often that will need an overlay of kind

02:54

of visual descriptive so

02:56

it's sort of understandable and actually

02:58

kind of what your outcome is

03:00

so it it kind of really does depend on

03:02

the context

03:03

and who you're doing it for um

03:06

all around the gdpr sort of e-privacy

03:09

because it's not just gdpr is it it's

03:11

on a privacy data map so when i use sort

03:13

of data map in this sense i'm thinking

03:15

about the privacy governance

03:16

uh personal data inventory uh and so we

03:19

were talking about this so so

03:21

uh tax i was gonna ask how is that

03:23

different to say an asset register and

03:25

common parlance or

03:26

a security asset register so asset

03:29

register i

03:30

tend to think of the asset register

03:31

being a little bit like a map of the

03:34

street

03:34

it is the types of buildings that you

03:37

have

03:38

um how they are secured what they

03:40

contain or what they should contain what

03:41

their address is

03:43

that sort of thing the record of

03:45

processing

03:47

is what's actually happening inside so

03:50

if you think of it as a party invite the

03:53

party invite is your asset register

03:55

that's all the facts

03:56

and the regular processing is what goes

03:58

on facebook is what actually happened

04:00

in the real world now your data map to

04:03

me is

04:03

way bigger than all of that data map can

04:06

be a very overwhelming term

04:08

because it can be absolutely everything

04:11

it's your

04:12

asset register it's your record of

04:14

processing for article 30

04:17

it's your security it's everything and

04:20

it is very very overwhelming so i prefer

04:22

to think of it first as

04:24

you know start off with one and then

04:26

build it up and over time you will have

04:28

a holistic view of your data

04:30

and that's what you can call a data map

04:32

but it's not

04:33

a quick job to do and it's not the

04:36

first way of doing it i don't feel

04:39

that's interesting what do you think the

04:40

first way of doing it is

04:43

just start with one or the other a lot

04:44

of companies will have started with

04:45

their asset register

04:47

because they did iso 27001 before they

04:49

started thinking about privacy

04:51

um so for some that's their first step

04:54

for at least

04:55

knowing what assets they have what

04:57

databases they have what filing cabinets

04:59

they have

05:00

whose drawers they've got and so on you

05:02

know others will have started with just

05:04

the basic

05:05

um gdpr record processing um

05:09

you know the ico have done a nice

05:10

template that you can follow for these

05:12

particular data elements they go

05:14

slightly beyond what's in

05:15

the regulations um but if you start with

05:18

what's in the regulations of the things

05:20

that you need to track

05:21

about the data that you're processing so

05:23

what are you processing

05:24

why what's your lawful basis where's it

05:27

stored which then links into your asset

05:29

register if you've got one

05:31

you know who you're transferring it to

05:33

it's the it's the business side of what

05:35

are you doing with your data

05:36

you don't need to be technical to be

05:39

able to answer those questions

05:41

so for some yes register for others we

05:44

start with

05:44

the the basic you know process mapping

05:48

and i think so so before founding people

05:50

was uh general counsel of startups and

05:53

building sort of doing the the sort of

05:55

the role of cut

05:56

our respective customers now and then i

05:58

was a consultant when i was doing them

06:00

hypothesizing around keepable and one of

06:02

the bits on the data mapping exercise

06:04

and i think it's really interesting this

06:05

conversation

06:07

you know what does that actually mean as

06:08

a term so i went to one client and they

06:10

said well

06:11

we've done our data map and it was there

06:13

as you say the twenty seven thousand one

06:15

the security one

06:16

uh i'm not sure if they were 27 but

06:17

they've done a security asset register

06:19

and they said we know where

06:20

all our data is and then that's like

06:22

like you say i love the analogy of the

06:24

the street block and the buildings and

06:26

everything i said great so what's

06:27

actually

06:28

how do you process it what do you

06:29

process it for what about recruiting

06:31

they were like oh

06:32

uh no we know there's a server and we've

06:34

secured it i said yes but

06:36

what's that data used for and and so i

06:39

think the

06:39

the way i look at it is um i totally

06:42

agree a data map can be a very broad

06:44

term

06:44

and it can be a huge a huge area i like

06:47

the way that you sub

06:48

you've both talked about the subsets of

06:50

it i think the security map tends to

06:52

need to be

06:53

driven by the the requirement to find

06:55

your security assets your information

06:57

assets secure them

06:58

secure the more if it's sensitive data

07:00

and the risks to the enterprise

07:02

and then for gdpr you've got the

07:05

um what goes on facebook says what

07:08

happens with all that data

07:10

um the risks the individual gdpr doesn't

07:12

care about your enterprise it cares

07:14

about that individual so

07:15

often we start incapable with the

07:18

activities so

07:19

um you know hr recruiting finance

07:22

payroll and that might hit different

07:23

assets or different locations and what

07:25

have you and as you said david you walk

07:27

it through

07:28

i think that's a really that's a really

07:29

key thing could you actually on so david

07:31

on that bit were you talking about

07:32

building that map and having all those

07:34

different strands

07:36

when you have those conversations you're

07:37

walking it through from from a pricey

07:39

privacy point of view what are the some

07:40

of the sort of top tips on

07:42

and the typical errors on that part of

07:44

it of saying of focusing in

07:45

you might say go to marketing say i know

07:47

you do this or do you just send

07:48

marketing a questionnaire

07:51

um i've got to say i've never found

07:53

questionnaires really work that well

07:54

um they sound really good idea but

07:57

people kind of tend to reply

07:59

with what they think you want to hear or

08:01

help

08:02

i've never really found that work so

08:04

generally

08:05

it it kind of works better by at least

08:08

starting point is by interview

08:10

and then you need to verify what's going

08:12

on after face-to-face because otherwise

08:14

all you're doing is having a discussion

08:16

there's no real evidence there

08:17

and quite often most businesses are way

08:20

more complex than you know

08:22

a kind of normal record of processing

08:24

can manage in a data map you know if

08:25

you've kind of got the

08:26

the ofcom advertising awareness for you

08:28

know age-appropriate

08:30

design and so on so suddenly your your

08:32

data might be okay your security might

08:34

be alright but your messaging

08:35

might be wrong as well so you suddenly

08:37

got to build that layer into it as well

08:39

because now you're dealing with under

08:40

18s under 16s etc etc

08:42

and putting all that together and then

08:44

making it make sense and then getting

08:46

the client to understand it

08:47

uh i saw some of the kind of challenges

08:49

really that you know there's

08:51

an awful lot involved that you know i

08:53

guess no one really worried about to

08:55

you know till recently that's a

08:56

fantastic point i was talking to um

08:59

a consultant yesterday and it was around

09:02

you know when you go into a business

09:04

there's not necessarily the business

09:05

doesn't necessarily have a view of that

09:07

complexity

09:08

um you know they've been dealing with it

09:10

sometimes to a

09:12

more or less superficial level um but

09:15

often the gdpr when you guys go in and

09:17

you're talking to your customers is

09:18

often the first time they've really

09:19

brought it together it's one of those

09:21

aspects

09:22

a benefit of doing a gdpr uh i would say

09:24

gdpr is the privacy

09:27

program do you see that as a big benefit

09:29

when you talk to the clients and what

09:31

other sort of benefits do you see there

09:33

i see definitely so when i go in i

09:36

always start by just

09:37

having conversations i show them the

09:39

excel sheet that i'm

09:40

potentially filling in and after about

09:42

five minutes i just throw it away

09:44

it's like that you know roughly what i'm

09:45

going to be asking you know but let's

09:47

just

09:47

talk and i'd warn them i'm going to ask

09:50

you some really irritating questions

09:52

you're not going to like them because

09:53

i'm going to be

09:54

why what exactly are you doing so

09:57

you're not using it the way you just

09:58

said you where are you you're actually

09:59

doing this with it aren't you

10:01

i said it can be really annoying because

10:03

i've got to get down to exactly what

10:05

you're doing because only then

10:07

can i work out how this fits into record

10:09

processing

10:10

my next step after that is to write it

10:12

up in a word document i don't go near

10:14

the spreadsheet yet

10:15

i say this is what you told me about

10:18

what you do

10:18

written in plain english is this right

10:21

and from that

10:23

i will then retrofit it into irregular

10:26

processing and that's where i notice

10:27

i've got gaps

10:28

and then i go back to them with almost a

10:30

completed one and say i've got a gap

10:31

here what do you do

10:33

can you check this and fill it in and

10:35

that way i avoid questionnaires because

10:37

i'll never get the answer i want from a

10:38

questionnaire

10:39

but also they're sort of bought into it

10:41

because they've read it as a story it's

10:42

like yeah that is what we do or no

10:43

you've missed this

10:44

actually we do that you know so it's a

10:47

a multiple step process and i'm quite

10:49

glad as well there's been clarity around

10:51

the fact that the dpo

10:53

is really supposed to do the record of

10:56

processing

10:56

because that wasn't defined originally

10:59

um but in all the guidance since they've

11:01

suggested that that is a role that the

11:02

dpo should do because that's the only

11:04

way you fully understand the business

11:06

you know when someone starts telling us

11:07

like i'm using this to do that you're

11:09

like well well that's not in your record

11:10

of processing

11:11

back we go yeah yeah yeah

11:15

and whether there's an assessment needed

11:16

and all these sort of gaps as well so

11:18

it's and one of the things i think with

11:19

the you've both said about the

11:21

the the questionnaires and the surveys

11:23

sending them out i had there was a great

11:25

one uh someone said if you ask somebody

11:27

and you send a pro you send a question

11:28

there to say someone in marketing say do

11:30

you process personal data

11:31

no so like you know they won't go any

11:33

further but also we were talking just

11:35

earlier about

11:36

even you know and this is no there's no

11:38

judgement here at all it's like you know

11:39

i don't know

11:40

that much about about sort of the

11:42

technical aspects of of a system i'm

11:44

sort of on the

11:45

sort of legal and compliance side but so

11:47

i'm not expecting people to know that

11:49

much about my area either so

11:50

some you know very skilled security

11:52

people i.t people marketing people hr

11:55

people

11:55

you know they're very skilled in their

11:56

areas there's no reason they're going to

11:58

know

11:59

what a processor is or a controller is

12:00

under gdpr which is

12:02

you know you can't sort of reduce these

12:04

questions down

12:05

to plain english too much you've still

12:07

got to use some jargon do you find that

12:09

as one of the aspects and it also

12:11

depends on the context because they can

12:12

be both in certain circumstances

12:14

so depending on what angle you're

12:16

looking at they could be the processor

12:18

and the controller

12:19

or kind of change role for another part

12:21

of the journey

12:22

and that's you know to some extent some

12:25

of those concepts do kind of fall apart

12:26

especially on big companies you know

12:28

where they've got

12:29

huge amount of entities they own and

12:30

control and one company owns all the

12:32

employees the other company

12:34

kind of owns all the it assets and you

12:36

know which ones control which one's

12:38

processor

12:39

depends on the time of day and what's

12:41

going on

12:43

absolutely and that's an interesting

12:44

it's like scontage

12:46

so you do find yourself asking the

12:48

questions you know are you doing this

12:50

for yourself

12:50

or are you doing it because they told

12:52

you to you know that's the sort of

12:54

the leading question to try and get to

12:56

are you actually the processor in this

12:58

or are you the controller do you get any

12:59

benefit from doing this

13:00

other than you know you get paid to do

13:03

it

13:04

you know it's quite an interesting one

13:06

you start really delving in

13:08

and um and then discovering that yeah

13:10

the processor but they're also doing

13:11

stuff with the data they shouldn't be

13:12

doing and then you're like oh god

13:15

yeah we start off doing it for someone

13:16

else and then we go no stop stop

13:18

absolutely

13:21

and so what's in what's also come out

13:23

here is that we said we've talked about

13:25

for example 27

13:26

0001 and and we did some research at

13:29

keeper which is not capable

13:30

it's on our website that um the actual

13:33

adoption rate of 27

13:34

0001 is tiny it's amazingly tiny so i

13:36

was actually i've got a non-alcoholic

13:38

beer during lockdown and i was looking

13:40

at one that said

13:41

0.5 percent alcohol and it was like

13:44

non-alcoholic i thought okay

13:46

and he left so i got another one it said

13:47

point zero five percent alcohol and

13:49

point zero five percent

13:51

is actually um the adoption rate of

13:54

twenty seven thousand and one in the ea

13:56

30 and the uk combined wow

13:59

we're going up in the uk because the

14:03

i do a lot of work with health tech

14:04

startups and the data protection toolkit

14:08

has now got something in it that says

14:10

that suppliers should have

14:11

iso 27001 or equivalent or something to

14:14

that wording

14:15

which means suddenly a lot of these

14:16

startups which are really still very

14:18

very small

14:19

in order to get their tool kit are

14:22

having to do 27001 as well

14:24

so i'm seeing more demand for that

14:26

amongst smaller businesses than i was

14:28

before

14:29

yeah certainly in those i went in the

14:31

startups i was in as we were growing and

14:33

we were going

14:33

for larger and larger customers i got

14:35

the budget to do 27001 when sales got

14:38

fed up filling in a massive rfp

14:40

um another one was going into the nhs

14:43

and that was a real driver as well

14:45

but it's still the actual although it's

14:46

gone from 2400 certificates in the uk to

14:49

2800 last year

14:51

you know there's 2.78 million

14:55

active enterprises 5 million if you

14:57

include all the sort of smaller

14:59

businesses

15:00

in there so it's still at the uk we're

15:01

still at the point one percent

15:03

um one of only three european countries

15:06

with

15:06

reaching point one germany's at 0.5

15:09

percent too so

15:10

but it does it does sort of flow through

15:12

in in best practices for sure

15:14

um in term just before we move on to the

15:16

next bit so

15:17

this is a really interesting bit about

15:18

the size of companies so how do you see

15:20

the differences with a large company and

15:22

a small company with that process we

15:23

were talking about

15:25

so i tend to stick with the smaller

15:28

companies for exactly that reason

15:30

i can't even begin to imagine trying to

15:32

do

15:33

a full data map on a large organization

15:36

i mean i'm talking largely like a plc or

15:38

something like that

15:39

even when i look at some of the

15:41

solutions that are out there for large

15:43

companies i'm not going to name any

15:45

i'm currently undergoing a process to

15:48

set someone up on one of these

15:49

systems privacy systems they are a very

15:52

small company less than 250 employees

15:55

and i have the expert qualification in

15:59

doing this

16:00

so as my project manager between us

16:02

we're up to about 30 hours of work

16:04

just to get their data map into the

16:06

system

16:07

you know and it how on earth is a large

16:10

plc doing this

16:11

i i just can't imagine it i really can't

16:13

i'd like to think maybe they already had

16:15

a lot of it because

16:16

as everyone says it's a evolution not a

16:19

revolution

16:20

personally i haven't discovered that

16:21

really but you know i'd like

16:23

that some of these big companies were

16:24

already halfway there and maybe it's not

16:26

so bad but

16:27

i i just don't envy them at all

16:30

yeah david what's your thoughts on that

16:32

yeah i agree with tash

16:34

it's really really difficult um you know

16:36

i've done stuff for some really really

16:37

big companies

16:38

don't think you know after nine months

16:40

we even kind of scratched the surface in

16:42

reality of kind of what was going on

16:44

you know you can ask the questions how

16:46

many servers have you got

16:48

well we think we've got three and a half

16:49

thousand servers great

16:51

um they all get patched and everything

16:53

all the usual security questions

16:55

um well at least 750 are patched okay

16:58

which 750 are patched we don't know but

17:01

we know we've done 750.

17:03

so yeah that's kind of where you get

17:05

stuck

17:06

because the volume of stuff and what

17:09

goes on

17:09

is just too complicated and of course

17:11

the next problem you have is even when

17:13

you have done

17:15

i think we got to um well over a million

17:18

data points

17:19

to to kind of put the maps together how

17:22

do you manage that how do you keep it

17:23

going yeah you know you need an army of

17:25

people to actually keep you updated keep

17:27

the changes going

17:29

etc etc is a phenomenal

17:32

task very very difficult i think this is

17:34

also

17:35

really a subject for another privacy

17:37

kitchen but it's

17:38

about the the actual compliance of

17:40

people because when what you're saying

17:42

i totally agree when i'm looking to do

17:44

sort of sales into large large

17:45

enterprises

17:47

very few have have their data map done

17:49

their article 30s or the rope or

17:51

whatever

17:51

whatever we call it they're like you

17:53

know and these are the guys who will

17:54

have 5 000 rows because

17:56

all they've done is they've got each

17:57

company to do something and then put it

18:00

all into one big sheet

18:01

how do you manage a 5 000 row sheet um

18:05

uh and we won't go into the nhs debacle

18:07

of the the

18:08

track and trace excel spreadsheet but so

18:10

it's um

18:11

yeah it's a tough one but let's um on

18:14

while we're sort of we've touched on the

18:15

next bit which i think is really

18:17

people are really interested in which is

18:19

the processing what is a processing

18:21

activity how do you define what a row is

18:23

um so so tash could you sort of you know

18:26

in

18:26

in whatever we call it this this list of

18:28

the

18:29

um the inventory the personal data

18:32

processing

18:33

um what how do you determine what a row

18:35

is what a processing activity is

18:37

i tend to split it down by it's a

18:41

processing activity

18:42

for a unique group of data subjects

18:46

for a unique purpose with one lawful

18:48

basis

18:49

that tends to be my guiding thing so if

18:52

they start talking about direct

18:53

marketing

18:54

i'm like okay well potentially there's

18:55

direct marketing b2b there's also direct

18:58

marketing b2c i would split those out

19:00

for example

19:01

so i do go i mean i'm constantly

19:03

criticized on slack and linkedin because

19:05

i do go very very granular

19:07

because i think it's the only way that

19:08

you can really identify the risks

19:10

there are some solutions out there which

19:12

will actually then bucket stuff up which

19:14

can be useful

19:15

you know depending on how you're then

19:16

trying to display it but i think you do

19:18

have to go to that

19:19

degree to know the business inside out

19:21

um which

19:22

like we said it's not scalable it's not

19:24

scalable and it's not sustainable

19:26

but it works for the size of the

19:27

companies that i work with

19:29

absolutely david what do you what what

19:31

do you think yeah

19:32

i i think one of the things is you know

19:34

what what actually is the kind of

19:36

purpose of gonna

19:37

part of it has got to be is can you

19:39

deliver the day of subject rights and

19:41

can you manage data breach

19:42

with that kind of information and if

19:44

there's too much in one line

19:46

it might be very very difficult to come

19:48

to any real conclusion

19:50

you know said you know if you've got

19:51

multiple legal basis which is

19:53

quite possible on one journey um how do

19:56

you separate it how do you make sure you

19:57

can deliver data subject rights

19:59

um let alone kind of you know any any

20:02

breach issues

20:03

so it's kind of breaking it down so it

20:05

does help you

20:06

but then you come across you know i've

20:08

come across small companies and they've

20:09

done amazingly well you know they've had

20:12

thousands and thousands of record you

20:14

know ropers

20:15

actually it's unmanageable you know

20:17

you're never gonna

20:18

find the right the right area yes you've

20:20

done it you've done a good job but

20:22

actually

20:23

you can't do anything with it it's it's

20:25

very good point it's got to be something

20:26

that's usable and i think that's where

20:28

a lot of people are they've done

20:31

something in the past and they're

20:33

looking they're look they're coming back

20:34

to renew it and they're going

20:36

you know gdpr is about two and a half

20:37

years old now and people are coming back

20:38

and they're renewing their article 30s

20:40

or their ropers or what have you their

20:41

data and they're going actually this

20:42

isn't there's got to be a better way and

20:43

i think

20:43

i totally agree on that there's a

20:45

there's a belgian it's quite hard to

20:47

find

20:48

specific on this but there's a belgian

20:50

example of an article 30 record

20:52

and it separates out the you have a

20:54

different purpose

20:55

or a different legal basis that's their

20:57

trigger to say right so i totally agree

21:00

that marketing b2b marketing b2c and

21:03

whether that's emails or whether it's

21:04

phone calls

21:05

because it also comes back to helping

21:07

you and we'll talk later about pekka

21:09

and eprivacy about about complying with

21:11

it so i think that's a really good one

21:13

and i do think that you can still be

21:16

strategic at that so when you have

21:18

marketing b2c well let's put it this way

21:20

trade shows is the example i always give

21:22

if you always treat trade shows in the

21:23

same way and it's b2b you can go

21:25

marketing b2b trade shows

21:27

handling leads and as long as you deal

21:29

with them in the same way and store it

21:30

all in the same place you can have one

21:32

line

21:33

and i know some people have put every

21:34

single trade show they put a new line in

21:36

their opera and that can just

21:37

you know i think um what david said is

21:40

key

21:41

i'm seeing people starting to finally

21:43

depend on the ropers because before it

21:44

did feel like a bit of a tick box

21:46

exercise because no one ever referred

21:47

back to the roper

21:49

but i'm seeing i don't know whether

21:50

you're getting this as well we are

21:52

getting a ridiculous number of

21:54

sars coming in from a company called

21:55

privacy b which are basic

21:57

fishing exercises but you know at least

22:00

when it comes in we can say okay so

22:02

this would have been this type of data

22:04

subject therefore if we look at the rope

22:06

up

22:06

this is where we've had the data these

22:08

are the rights that apply

22:10

you know this is what what we can do

22:11

with them and it's a lot quicker

22:13

so as much as i hate these fishing

22:15

experts

22:17

i get the words out much as i hate them

22:20

no i am seeing that it's finally showing

22:22

its worth on the roper because they know

22:23

where to go and look

22:25

you know so and i think that's you're

22:27

the benefit of the approach of going to

22:29

that sort of you know different

22:30

and it's the right way the different

22:31

legal basis different purpose and the

22:33

data subjects et cetera is

22:34

it enables you like you both said to

22:36

react to a breach to react to a data

22:38

subject request but also it leads to

22:40

that different um

22:41

uh benefits of you know reducing the

22:44

amount of you know

22:45

data deduplication those 3 000 servers

22:47

maybe they only needed 750 servers so

22:50

it flushes out a lot of that that too um

22:53

so just before we move on

22:55

um to the next book this is a really

22:56

great great part what's what do you

22:58

think then

22:58

i'll just throw it over to both of you

23:00

um we've talked about some numbers what

23:03

do you think is

23:04

like too low someone's not had a proper

23:06

go a decent number of

23:08

entries an average number a totally

23:11

ridiculous

23:11

high number and how that reflects in

23:13

different sizes of the companies

23:16

well i think something sorry yeah i

23:18

think something is better than nothing

23:20

for sure so i'm not sure there's kind of

23:22

uh

23:24

a minimum but uh you know i think there

23:26

should be at least a kind of high level

23:28

robo because you can always kind of put

23:29

that together reasonably quickly it

23:32

may not be that useful but you've got

23:33

something you've got an idea of what's

23:35

going on otherwise you have absolutely

23:37

no idea

23:38

i mean i think kind of as tash said you

23:40

know i've been into companies and you go

23:41

and talk to their accounts department

23:43

and say

23:43

you know the usual question do you have

23:45

any personal data and they go no no no

23:46

we just deal with figures and whatever

23:48

and

23:48

when you do payroll yeah yeah we do

23:50

payroll uh then you do kind of

23:51

reconciliation with each other yeah we

23:53

do that yeah

23:54

don't you kind of do the tests yeah yeah

23:56

so after you've been through all that

23:57

actually you do deal with a lot of

23:59

personal data it's it's really you know

24:02

dragging that out and that can just take

24:04

time because

24:05

we've not had to do that and i think the

24:07

other downside is rit systems have not

24:09

been designed for data protection

24:11

we're still kind of using it systems

24:13

that would although they're very slick

24:15

and smooth they're

24:17

kind of still designed on concepts in

24:18

the 1970s

24:20

and really they haven't really jumped

24:22

ahead and you know what do we need to do

24:23

to manage

24:24

kind of data going forward in the 21st

24:26

century it's it's it's way too difficult

24:29

way to do very true and so

24:33

tash what do you think on the sort of on

24:35

i think i'll throw out some numbers um

24:37

that i've sort of come across in

24:38

different different see what you think

24:40

so

24:40

um i think if someone's got say five

24:44

rows in their inventory they've not done

24:47

enough to sort of really think about

24:49

the activities if they've got say 50

24:51

they're

24:52

in the right to the ballpark if they've

24:55

got say

24:56

200 that's potentially getting a bit

24:58

hard to pick on size of business and how

24:59

they're treating it

25:00

but it's perfectly doable um as you say

25:02

that gets

25:03

manageability is a different thing come

25:05

across people with 2 000

25:06

5000 rows which to me is just ridiculous

25:09

it's just too many

25:10

and they've all gone actually this is

25:11

because we've amalgamated all this and

25:13

it's duplication

25:14

and it's so so what do you think to

25:16

those sort of numbers

25:18

so mine tend to be between i'd say

25:21

50 and 250 lines

25:24

i my take on it is you have to have

25:27

enough in there to be able to write

25:29

an accurate privacy notice because you

25:31

can't write a pro

25:32

just unless you know what you do for

25:34

each type of data subject because all my

25:35

privacy notes

25:36

are written as the data subject so if

25:39

this is your relationship with us

25:40

this is what we hold this is why we hold

25:42

it and i can't do that unless

25:43

it's in the um the rope already so there

25:47

has to be enough in there

25:48

to be able to write the privacy notice

25:50

and that's always a good sanity check

25:51

for me because if i'm halfway through

25:52

writing it

25:53

and realize i don't know the answer is

25:55

because it's not in my roper

25:57

and i need to go back and and so as long

26:00

as those two

26:01

tally up it's generally going to be okay

26:04

it's good i like that it's good it's a

26:06

good rule of thumb as well fantastic no

26:08

those numbers so

26:09

those numbers all seem absolutely um

26:11

spot-on in what i'm hearing as well so

26:13

just on the on the timing um if we just

26:16

move forward onto

26:17

top tips and typical errors we've sort

26:19

of covered a fair few

26:21

but other things in in in sort of war

26:24

stories maybe a couple of war stories be

26:25

good fun about

26:26

some errors on the data map when someone

26:28

thinks they've got it right and they

26:29

haven't or or something

26:31

uh a top tip uh to head off those sort

26:34

of errors before we move on to the

26:35

wonderful topic of brexit

26:39

my biggest error i see on them when i

26:40

first come in and look at what they've

26:42

got is where it says data controller and

26:43

it's got the name of the department lead

26:45

in there

26:46

right no that's not what data controller

26:49

means at all

26:50

so that's the biggest error that i see

26:53

and the other one is is i tend to

26:57

think of it as being a little bit

26:58

evolutionary you know i've got one

27:00

client where i've been working

27:01

for a year and we still haven't finished

27:02

their their record of processing

27:04

but we're working through it and we're

27:06

getting there you know so i i think we

27:08

have to

27:09

understand that this does have to run

27:10

alongside business as usual

27:13

you know you haven't all got loads and

27:15

loads of money to throw at this

27:16

it's got to just be done alongside the

27:18

business and within your own risk as

27:20

well

27:21

your own risk criteria so they're my two

27:25

yeah david yeah i think the the one that

27:28

i come across is you know

27:29

a data process map is not a business

27:32

process map quite often

27:34

they get mixed up and people go oh you

27:36

know when we've done it we'll have a

27:37

whole map of all our business processes

27:39

no you won't they don't really align

27:41

they might be similar they might be

27:42

overlap but it's certainly not the same

27:44

thing

27:44

and the other kind of favorite that i

27:47

kind of see is that i see the record

27:49

processing but it doesn't actually put

27:52

where the data lives

27:53

so actually you don't know where your

27:54

data lives you don't know whether it's

27:56

cloud-based you don't know whether it's

27:57

in a system

27:58

that you've done a record of processing

28:00

you know to some extent that's of

28:02

not very much use other than the

28:03

starting point for a lot more work

28:05

but yeah the the the other side of the

28:08

coin is

28:08

to do the level of detail um you know

28:11

you where do you draw the line

28:12

because it can take weeks and weeks if

28:15

not months and months

28:16

to kind of get this right and by the

28:17

time you've done it it's probably

28:18

changed anyway

28:19

um how do you get that balance right

28:23

there's a there's a question about

28:25

putting the cattle

28:26

um the processing activities article 30

28:28

doesn't mention

28:29

processing activities it says but so if

28:31

i if i just go

28:33

um to article 39 i think one of the one

28:36

of the bits that

28:37

let's always have it on the screen

28:39

pretty well uh so it's each controller

28:41

and where applicable they're

28:42

representative shall maintain a record

28:44

of processing activities

28:45

uh so it's in article 31 and article 32.

28:49

so the record of processing activities

28:51

under its control but i think one of the

28:52

one of the bits that's

28:54

really interesting for me what you said

28:56

there is and it goes back to the earlier

28:57

conversation is

28:59

this is all part of business as usual

29:01

it's also part of all those other risk

29:03

management programs even though the risk

29:05

is about the individual's risk

29:07

for gdpr there's a risk for the entity

29:09

in terms of fines there's a risk of lost

29:12

business

29:12

and and pr this sort of thing so it has

29:15

to sit along so obviously security is a

29:17

big one next to it

29:19

um but you've mentioned other things

29:21

like fca or the nhs or

29:24

they've got a whole range of things to

29:25

think well what how do we do this

29:28

um what can be separate what needs to be

29:31

joined up and how do we join it up and

29:32

it is

29:32

it is it is a big ask it is a big ask on

29:35

businesses so

29:36

um let's let's just go in sorry so in

29:39

the ico accountability framework that's

29:41

just come out there's a section in there

29:42

under the record of processing where it

29:44

actually says they expect the record

29:47

processing activities document to have

29:49

links to

29:50

the breach log links to the legitimate

29:54

interest assessment

29:55

all these different things they expect

29:56

but none of it is in here

29:59

none i mean they're all separate but it

30:00

doesn't say that has to be part of your

30:02

record of processing

30:03

so i think there are so there is so many

30:06

mixed messages of how things should be

30:08

set out

30:09

yeah i just don't envy anyone trying to

30:12

do it as part of business as usual it's

30:14

like

30:14

what do i do you know which is why i was

30:16

saying at the beginning always just

30:17

start with the basics

30:19

yes and then we can fill it up

30:30

you know i totally agree go to the

30:31

source you know it's um

30:33

one of my one of my things on it is

30:35

regulators have been

30:37

massively overstepping the mark i mean

30:38

the regulators have had

30:40

their moments in the sun and some of

30:41

them have got a little bit of sun stroke

30:42

in certain areas

30:44

and you so for example um the edpb when

30:48

they put out the territorial guidelines

30:49

saying the article 27 rap

30:52

was the europea rep was as liable as the

30:55

processor a controller

30:56

well it's ridiculous i mean it that was

30:58

in the early days it was taken out

31:00

it's not in the law there's a sentence

31:03

in the recycles which

31:04

is not law it's interpretive but you can

31:06

only find a controller a processor for

31:08

certain things and it was

31:10

it was removed after the consultation

31:12

period thankfully after the outcry but

31:14

i think there's a lot of regulators

31:15

going i want it to be like this

31:17

but actually as you know from my sort of

31:20

gc bit i would always say with

31:22

regulators

31:23

you get the minimum of what it is that i

31:25

have to give you that you're asking for

31:27

and then anything on top of that i'm

31:29

going to determine from our own purpose

31:31

is that a justifiable request um are you

31:34

entitled to that

31:35

um you know it's and so i can see why

31:38

the ico would like it all linked but

31:40

it's

31:40

it's there's enough already for people

31:42

to do it's like let's focus on

31:44

on that print absolutely matters to the

31:47

data subject let's focus on that first

31:49

because that's

31:50

ultimately that the data subjects at the

31:51

heart of this not

31:53

an excel sheet not a solution you know

31:56

it's

31:56

can we exactly say can we do the rights

31:59

of the data subject

32:00

and that's what the record processing is

32:02

all about it's knowing where stuff is

32:04

and knowing which rights apply for each

32:06

process

32:08

yeah absolutely which talking of data

32:11

subject rights they're about

32:12

to double and we were talking about this

32:14

a bit earlier in in in our pre-session

32:16

it's um

32:17

with brexit now we can open up brexit so

32:20

um

32:24

from the date will take us the first of

32:25

january 2021

32:27

um the uk gdpr will come in the

32:29

transition period will finish

32:31

unless we get an extension of the

32:32

transition period but the

32:35

first of jan 2021 uk gdpr comes in

32:38

eu gdpr is is obviously for the eea

32:42

30 not not for the uk apart from legacy

32:45

european data and you can just unwrap it

32:47

as far as you want to go but

32:49

on the terms of this data map records of

32:51

processing this inventory

32:52

what are your thoughts on the on

32:55

brexit's impact

32:56

in terms of do you have to how far do

32:58

you have to go back and redo everything

33:00

how far is it a massive impact is it a

33:02

small impact

33:03

where do you see the key impact

33:06

um i think it shows the difference

33:09

between having taken the time to do

33:11

extra detail in the rope at the not

33:13

because you know obviously when shrems

33:15

came in it was really easy to say okay

33:17

so where are all our processors outside

33:18

the eea which ones do we need to worry

33:20

about

33:21

now we're starting to get okay where are

33:23

our processors

33:24

who are based in the eu who we're going

33:26

to have to get data back from

33:28

and you know what that's not in my roper

33:30

you know or something like that because

33:32

we didn't need to put it in the rope

33:33

because i've got it on some and i can

33:35

you know i've done my process of due

33:37

diligence i can get it from somewhere

33:39

but not necessarily in the roper

33:41

so i think that forward planning of the

33:43

ones where we did put it in because we

33:44

knew this was going to come

33:46

it's going to save so much time next

33:47

year now and we have to go back and

33:49

start looking at re-papering

33:51

um so that for me is the big one in the

33:54

roper

33:55

yeah david um

33:59

i think if your companies are

34:01

effectively then kind of selling outside

34:03

the uk

34:04

there's a whole tranche of legislation

34:07

you know distance selling

34:09

um you know how is that going to affect

34:12

uh potential kind of that issues if

34:14

you're

34:14

you're selling in europe do you need to

34:16

be registered in

34:18

28 different countries um

34:21

representatives might need to kind of

34:22

kick in um

34:24

i don't know you know each case has to

34:27

kind of be looked at in

34:28

its own an area really

34:32

to me for example pick on a sony year

34:34

again

34:35

um and i'm being kind of a little bit

34:37

loose with the figures here i think they

34:38

have a criteria that you need a dpo if

34:40

you have over 10 000 records or 15 000

34:43

records it's

34:44

quite a low amount in the uk it's if

34:46

you're a big

34:47

as big as a social media company you

34:49

definitely need a dpo

34:51

so you could be in the uk selling to

34:54

estonia and actually find you need a dpo

34:56

whereas you didn't before

34:58

to comply with local regulation um

35:01

so i think there there's there's i don't

35:03

know you know we don't know what's going

35:04

to happen yet but it could be

35:05

could be quite complex and i don't think

35:08

i kind of want to

35:09

have to do that was it 27 european

35:11

countries and what would the other six

35:13

norway liechtenstein

35:19

the privacy kitchen yesterday on uh the

35:22

eu representative that video is coming

35:23

out since

35:24

just in terms of date this is the 16th

35:26

of december so when uh if anyone's

35:28

watching the recording later this is

35:29

why we're talking about brexit in this

35:31

manner at this point um

35:33

so the 16th of december 2020 and the

35:34

transition period finishes at the end of

35:36

december

35:37

you know the eu representative uk

35:38

companies we didn't care about the eu

35:41

representative because we were in the eu

35:42

and we were doing all of this so that

35:44

you know it won't even be a consider

35:46

wouldn't have been considered and the 25

35:47

million

35:48

active enterprises in europe won't have

35:50

thought about a uk one either so that's

35:51

something extra on to the

35:53

the transfers bit i think transfers to

35:56

the

35:56

sorry sorry europa comes in again

35:58

because you only need

36:00

the eu rep if you don't already have a

36:03

little

36:04

location or establishment and

36:07

you're i'm gonna get this right you're

36:09

not doing occasional transfers yeah

36:12

so you it's only really i mean yes

36:14

someone in their gut knows roughly how

36:15

much they're doing but it's through the

36:16

rope you look at us okay so where

36:18

where do we have non-uk data subjects

36:21

what is the processing we're doing is

36:23

that occasional is that high risk

36:25

therefore we do know so if you've

36:27

documented it properly

36:28

it should be an easy decision to make if

36:30

you haven't documented it yet then it's

36:32

going to have to be right get back to

36:33

the business

36:34

let's try and work this out and again

36:35

it's a little bit more work now

36:37

things we hadn't considered before

36:42

representatives and try to tell

36:43

everybody in the world they need one

36:45

which is totally untrue you know and

36:48

it it's scaring companies to think that

36:50

they have to have them when they don't

36:53

yeah well i think there's a there's been

36:54

you know gdpr has always been a bit of

36:56

project fear in some ways

36:57

some people's marketing and and um

37:01

you know people like your good selves

37:03

have always sort of

37:04

not not done project fair which is

37:06

fantastic but there's been a lot of

37:07

people on project fear and selling it's

37:09

been a wild west on gdpr

37:10

and it's very hard to get people who

37:12

really really get it and you can even

37:14

see you know

37:15

i mean it's difficult even privacy

37:17

professionals on linkedin we have all

37:18

these sort of discussions about whether

37:19

someone's a controller or a processor or

37:21

not it's one of the most fundamental

37:22

things

37:23

to the whole lot so how are people meant

37:25

to do it so i do have a bit of sympathy

37:27

a lot of sympathy for businesses on this

37:30

i think that interest

37:31

that's a really interesting comment from

37:32

youtash about the data subjects as well

37:33

and

37:34

the rep because on transfers it's also

37:37

sort of thinking more around the

37:38

transfers but the trends too

37:40

do we know where those are now transfers

37:42

is outside the uk and if you're covered

37:44

by the eu gdpr it's transfers that so

37:46

you've got two different

37:47

geographic locations for transfers

37:49

you've then also got

37:50

where the data subjects are themselves

37:52

so it's you know separate to transfers

37:54

that geographical

37:55

footprint um which may not well have

37:57

been uh captured in that initial data

38:00

mapping

38:01

so that's that's that's a fantastic uh

38:03

fantastic comment

38:05

so um we're into the sort of the q a

38:07

part here and i'll just i'll just um

38:10

i'll just check on the the questions in

38:12

here

38:14

that's why you're looking for trying to

38:16

just mention marketing

38:17

and pekka and brexit because i think

38:20

it's been

38:20

very overlooked unless that's been asked

38:24

as well so so let's do that so

38:26

we were trying to lead us off yeah sure

38:28

because it's something we were talking

38:29

about right before this because it is

38:31

definitely something that's been

38:32

overlooked so

38:32

right now if we are marketing to people

38:36

in europe

38:37

we have been able to pretty much

38:39

slightly dodgy rely

38:41

on the rules of pekka in the uk to say

38:43

that we can use soft

38:45

opt-in here we can market b2b and

38:48

companies like germany

38:49

and austria i think it is who are

38:50

particularly strict uh where they

38:52

like double opt-in consent we've been

38:54

able to say you know what we're part of

38:55

the eu

38:56

we've implemented pekka therefore we're

38:58

okay well when we brexit

39:00

we're not going to do that anymore we're

39:02

going to have to go with the local laws

39:04

and i am starting to think how on earth

39:08

do i know who is in my marketing

39:11

database because that's not part of my

39:12

roper

39:13

you know i just know that i do marketing

39:14

for newsletters i do marketing for this

39:16

i've done b2b

39:17

marketing you know but do does that

39:19

cross border

39:20

where are those data subjects based i

39:21

probably don't even know right now

39:23

you know if they've got a a business

39:25

domain that's dot com

39:27

they could be anywhere so this is

39:28

something we're all going to have to

39:30

look at and i don't know that

39:31

it's ever been part of anyone's rope to

39:33

go down to that level of detail but as

39:35

we've added all this new complexity to

39:37

our lives through brexit we're going to

39:39

have to start adding complexity

39:40

to make sure that we can adhere to the

39:42

local rules because my gut feel

39:44

is that those various countries are

39:46

going to come down hard on us in the uk

39:48

because it serves us right you know so

39:51

why wouldn't they

39:52

um and i think we we could potentially

39:55

be in for a bit of a pasting

39:57

there maybe i think you're right david

40:00

what what do you think on that

40:02

um yeah i i think i think that sounds

40:04

about right really i mean i was amazed

40:07

that we kind of got away with it so far

40:08

even kind of pre-pre-brexit

40:12

and of course you know the cookie

40:13

battles are kind of warming up it was

40:15

only

40:16

october wasn't it where the canal and uh

40:19

island have kind of said you know the

40:20

grace period's over we're going to start

40:22

enforcing

40:23

you know good cookie behavior we see a

40:25

lot of it in europe very little in the

40:27

uk

40:27

so does that mean that you know

40:30

companies trading abroad may get hit

40:32

more on the

40:33

the cookies component a lot more i think

40:36

yeah

40:37

over 200 cases in the pipeline when it

40:40

was

40:41

pecker and the old directive it we could

40:43

sort of get away with

40:44

the pekka jurisdiction aspect but now

40:47

that the director has been replaced by

40:49

gdpr that's got a bit washer and now

40:51

that we're going to be out of

40:52

out of europe at the end of the

40:53

transition period you know national

40:56

regulators are want to want to protect

40:57

their own

40:58

their own citizens i mean france's 7th

41:01

of december came out with two

41:02

big enforcements on google and amazon i

41:05

think definitely you'll

41:06

i agree with you that national

41:08

regulators are going to take this on and

41:10

and we've made our own bed on that on

41:12

that side so that would be a very

41:13

interesting bit

41:15

um and in terms of in terms of the the

41:18

privacy director singer on that there's

41:20

a nice one about

41:22

how your data map a lot of people you

41:23

know we all talk about gdpr and i always

41:25

give the example of an elephant that

41:27

gdpr is most of the elephant of data

41:29

protection law

41:30

and like one big back leg is the privacy

41:33

directive and the trunk is the national

41:35

law

41:36

uh but you know so but a lot of people

41:37

just focus on the gdpr

41:39

and and these data maps um do need to be

41:42

broader

41:42

uh even within the privacy area so

41:44

that's a really good a really good point

41:46

so we're coming up to to the 12 to 12 15

41:49

so i'd just like to

41:50

say thank you very much indeed um both

41:52

tash

41:53

and david this has been a really um

41:56

really fun

41:57

uh rapid run through data protection we

41:59

covered so much ground

42:00

uh and this this will be up on the

42:02

privacy kitchen channel

42:03

um everybody please share it and they

42:05

can come back and look at it later on as

42:07

well we'll see what happens after

42:08

31st december we'll find out soon and

42:11

thank you very much guys

42:14

thanks guys bye

42:21

cheers

Browse More Related Video

Data inventarization according to GDPR

How to Implement GDPR Part 2 :Roadmap for Implementation

How to create a ROPA (Record of processing activity), GDPR Article 30

How to Build a GDPR Implementation Plan

Data Inventories and Data Maps: The Cornerstone to GDPR Compliance

Keynote: Are You Ready for GDPR? - Michele Appello

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Related Tags

Data PrivacyGovernanceData MapsBrexitGDPRComplianceExpertsWebinarRegulationSecurity