Discussing Stupid: GDPR and your website: The Europeans are coming


By High Monkey, Our random thoughts collected

Categories: Learn

In this episode of Discussing Stupid, High Monkey's Virgil Carroll and Kentico's David Komárek talk about GDPR, the European Union's General Data Protection Regulation. When it takes effect in May 2018, GDPR will redefine how people's privacy is protected in a global digital world. This podcast is not an academic discussion: Virgil and David talk about how GDPR compliance affects online consent, restrictions on the use of personal data, and the 'right to be forgotten'. Throughout the episode they dig through the ins and outs of GDPR compliance and what good data practices look like for organizations taking their first steps toward it. Asked where to start with GDPR, David's response is: "First, try to learn as much as you can about GDPR . . . use somebody who is informed in GDPR and who can educate your internal staff . . . then look at the data and what you're doing with it." This podcast helps you understand what GDPR is all about and what you should do as it rolls out in 2018.

For more Discussing Stupid, follow us on:

Twitter: https://twitter.com/DiscussStupid

Facebook: https://www.facebook.com/discussingstupid/

LinkedIn: https://www.linkedin.com/company/28164784/

And visit our website www.discussingstupid.com

For any questions email me@discussingstupid.com


Items Discussed:

https://www.kentico.com/ , https://www.kentico.com/blog , https://www.eugdpr.org/ , https://www.kentico.com/product/resources/whitepapers/gdpr-compliance-and-your-cms/gdpr-compliance-and-your-cms.pdf

Host: Virgil Carroll – Twitter - @vcmonkey

Guest: David Komárek – Twitter - @davidkomarek_cz

Transcript:

Narrator: [00:00:00] Note: this podcast does not discuss nor endorse the idea of discussing stupid ideas, because we all know there are no stupid ideas. Hello and welcome to Discussing Stupid, the podcast where we will tackle everything digitally stupid, from stupid users and the crazy things they do to stupid practices and the people who use them. We will explore the stupid things we all do and maybe even come up with a few ideas on how to do things better. And now that I've got your attention, let's start discussing stupid.

Virgil: [00:00:37] Hello everybody and welcome to this broadcast of the podcast. I'm Virgil Carroll, your host and principal human solutions architect at High Monkey. Today's episode is a very exciting topic, well, maybe not an exciting topic but a very necessary topic, and we're going to talk about the GDPR. If you're not familiar with the GDPR, the GDPR is the General Data Protection Regulation. It is getting ready to be implemented this coming May by the European Union and is going to really redefine how people's privacy is protected in a digital world. So it can be considered a necessary thing, but also something that is going to be very paramount even for U.S.-based companies and other countries outside the European Union. Whether you feel it hits the mark or kind of greatly overreaches, in the world of web it's a very important thing and it's important that you know what to do. So today joining me I have David Komárek. David is a product owner at Kentico Software, a CMS based out of Brno, Czech Republic. And David and I are going to be talking about how GDPR really affects public websites around the world.

Virgil: [00:01:44] Well, welcome David. Really appreciate you joining us. Can we first start by you telling us a little bit about yourself and kind of what you do at Kentico?

David: [00:01:52] First, thanks for having me here. So what I'm doing at Kentico: I'm a Product Owner responsible for content management and online marketing. So my main responsibilities are basically to understand the market and our customers, find out what they need, what their issues are, what they're facing, and then somehow transform it into product features.

Virgil: [00:02:13] Great. So let's just go ahead and get right into it, as you and I have talked about before. You know, one of the big things with the GDPR obviously is what we do in our public websites and all the different things in there. And to me it's just crazy, because when you actually read through the regulations, which unfortunately as part of my job I actually had to do, I almost needed to take Red Bull and everything else to try and keep myself awake during it. But overall, reading through those, one of the things that I kind of came upon is, wow. As a matter of fact, I just provided a report to a client about their website, and the first question I got back was, "Are you kidding?" And they thought maybe that I was exaggerating what it really takes to be compliant with GDPR. So when Kentico decided to start down this path of actually building GDPR compliance into their version 11, what were some of the things you saw there from your clients in the digital marketing space that you knew you were going to have to deal with upfront to really be successful in meeting all the different nuances of the GDPR?

David: [00:03:22] Yeah, well, let me start with maybe a little bit more general approach, because it's all about, you know, the actual approach: what principles you're looking at, how you are working with everything. So what we saw is that many marketers actually focused on gathering, you know, as much data as possible, so all the names, email addresses, and company details and all the tracking of user actions, you know, just in case, sometimes without even having a real or verified purpose for such data; they had no reports, for example, or maybe they just didn't use them. We therefore decided to map all the data flows in Kentico so that the marketing teams actually understand what data is being captured and they can somehow limit this to comply with GDPR, you know, in regards to the data minimization principle. So that was probably the first thing that we saw. Second, we also saw many marketing teams repurposing other data, such as email addresses from registrations, for example. They basically took them and also used them for various campaigns and newsletters without a legal basis. And this is not OK, right? And maybe a first thing that I remember: we noticed that some marketing teams had actually no idea that a single data subject may actually be represented several times within a system, such as being a customer in the online store and at the same time the recipient of a newsletter. So this led, together with the repurposing of other email addresses I mentioned, to the fact that certain customers simply couldn't have their data, let's say, properly forgotten, even when there were no more reasons actually to keep them.

Virgil: [00:05:11] Yeah, you know, one of the things that I see a lot in the world of digital marketing, and one of the interesting things to me, is how broad scoped the GDPR tries to be, especially from the avenue of consents and the right to be forgotten, the right to access, and that it doesn't just stop with your website. It's what you do with that data once it's on your website. So if somebody fills out a form, say they have a contact form and they fill it out, they're doing it for the said purpose of "contact me", you know, "I'd like to be contacted," but organizations take that data and they use it to market, they use it to track, they use it for all these other things. Well, it even goes beyond that, because you could maybe do all that inside of your website itself. But then on top of that, now what happens if that contact form emailed a person to their e-mail box, and that person's information is now in somebody else's e-mail box, and that person forwards it on to another individual, so now it's in their e-mail box. Well, maybe both of those e-mail boxes plus the website also have backups of data that are going through. And it's just amazing how much it compounds. But I was talking to you about the recent study I did, and one of the things I found was exactly what you said as well, which was, most organizations, I don't think, realize that they actually have multiple data points for a single contact, because maybe they've filled out multiple forms or, like you said, subscribed to a newsletter and also reached a contact, maybe, you know, did something to gain access if it was an e-commerce site to subscribe to be able to purchase something. So that's one of the big things. I really found Kentico's kind of solution for the consent piece interesting. Can you talk a little bit about why you guys decided to do kind of that level of integration, especially from the content side? Because for me, when you start talking about organizations outside the European Union, where they are probably most liable, the consent piece is probably one of the bigger spots where there could be issues.

David: [00:07:25] Right. Well, when we learned how much work GDPR posed on our partners and clients actually when trying to comply, we decided to address, you know, at least those areas that are somehow directly related to Kentico's core functionality as a CMS, including all the online marketing features. Of course Kentico as a company, including our Kentico website, faces GDPR as well, so it just made sense to share what we learn with our partners and clients through the feature set.

Virgil: [00:07:58] Oh yeah. Well, one of the interesting things I find from that, and I'd like to talk a little bit more about that because I think that's important from that side, is, when you started to go down this path of looking at GDPR compliance, did you guys just read the regulations and do it yourself, or how did you kind of get to that point where you understood what you needed to do inside Kentico to make it compliant?

David: [00:08:23] Right. Well, this was quite a challenging task to do actually, because we started this at the same point as everybody else, that means basically zero knowledge about the actual GDPR. So we decided to actually cooperate with several consulting and legal companies here as well as in some other countries in order to get as much information. And so we basically had to, you know, go through the system, you know, introduce the system and then look at what the main issues are that, you know, websites and e-commerce stores and, you know, intranets and so on actually have to deal with if they are built on our system, and then look for where we can help, what we can address.

Virgil: [00:09:07] And where were some of those areas that you found the most challenging to tackle from that side?

David: [00:09:13] Right, well, the most complex part was probably dealing with personal data and consents in regards to online marketing features such as contact tracking, forms, personalization, email marketing, etcetera. For many such activities consents from data subjects may be on public websites, and we focused on implementing software for, you know, the most common scenarios. So these may actually include something like gathering consents on homepages in order to track visitors' behavior, which can then be used for personalization. Also in obtaining consents when submitting forms or subscribing to newsletters, we also looked into how to make use of such consents when performing, let's say, segmentation or personalization. And the most important part here: we made sure that it's somehow possible to behave according to the visitor's wishes in case consent is revoked, because this is something that GDPR strictly says. Now, complying with GDPR will be definitely challenging, but when it comes to websites built on Kentico, I hope that, you know, once all the company processes that are related to GDPR are somehow established and also the staff is trained in GDPR, it shouldn't be that hard. I hope to actually build it later on.

Virgil: [00:10:37] Yeah, I mean, you bring up such a good point. I probably shouldn't pick on it considering it's a government entity, but, you know, when you talk about the amount of effort it takes to comply with something like all the provisions of the GDPR, I mean, you know, I would almost argue myself, will a single organization inside the EU government itself be compliant to track data? I always look at it like, you know, I've been doing this for a long time and we can't even get a client to have good governance around a single product that they own, and basically GDPR is, by the way, you need to have good governance around everything, you need to understand your entire data in its entirety. I don't disagree, this is a great practice. I also see it as very unrealistic. I think it's going to be very interesting when the GDPR actually goes into effect in May as to what happens from there. Because the question really to me is twofold. Number one is, what's going to happen to the 80 percent of companies that will not be fully compliant? I mean, I think if you send an email to another person with somebody's name, technically you could be out of compliance. And the second part is, what can the EU really do about it? And I don't say that flippantly, I say that as, are they gonna sue 587,000 different organizations in the first two months of this? What's going to happen from that? And I have a feeling they want to go after some big fishes upfront that they probably feel have violated these types of policies for a very long time, but it's going to be interesting how this is going to come down to smaller organizations. So when you were doing your research into the GDPR, I'm kind of curious, I'm assuming, you know, you guys probably spent some time talking with customers throughout the European Union but also some of your customers in other countries. What did you guys learn from them, or what did you see for somebody who's not a Google or an Apple or an Amazon or something like that, somebody on a smaller scale? Where did you really see, well, here's their potential liability in compliance compared to some of the big organizations?

David: [00:13:01] I believe that most companies will adopt some changes sooner or later, you know, even if they are outside the EU, because larger companies usually target at least some European countries with their services, and most websites, even of smaller companies, actually track EU visitors' behaviour. So GDPR effectively applies to them as well. Also, you know, another reason I see that most companies will want to adopt something is that GDPR is not the only regulation meant to oversee data protection. There are new or, let's say, updated data protection regulations emerging all around the world, you know, like Brazil, Switzerland, Belarus, you know, Bermuda or even the Cayman Islands have something now. So therefore waiting and hoping that it will not affect your business may not pay off in the long term. Of course you had a good question of what the EU is gonna do about it. We had such questions as well, because we do have partners and clients in mainly the United States, Canada, you know, the UK, Australia and so on. They are concerned that maybe they will not need to do anything. Usually there's always something that's in there, and, you know, maybe you just take care of the hosting but you have access to the personal data. Maybe you are just a data processor; you will still need to have some agreement updates at least.

Virgil: [00:14:29] So what do you really think the consequences are for companies, you know, in other countries violating GDPR, from an EU perspective? What do you really think? I mean, kind of look past the big guys, but some of the smaller companies, what do you think some of their consequences could be when GDPR comes into action?

David: [00:14:49] Firstly, there will definitely be some things that the European Union can do to even smaller companies, even outside the borders of the European Union. The thing is, they will probably use local authorities to enforce some of the laws, and based on how the cooperation works, there may be some penalties or something like that. We have also talked to lawyers, you know, who've told us some example stories, you know, for example if the CTO of a company who doesn't want to comply with GDPR even though it should cannot be punished for some reason, you know, for example the country is not cooperating with the European Union, then it may actually happen that, for example, the CEO of such a company can actually travel to the EU for a vacation and he can actually get arrested at the borders. I mean, I don't really think that this is going to happen on a daily basis. The thing is, I believe that most companies will adopt some changes sooner or later anyways. I mean, larger companies, they always, you know, target some European countries with their services and goods, and the smaller ones at least, you know, track EU visitors on their websites. Also the reason why I think everyone will actually want to comply to some extent is that GDPR is not the only regulation meant to address data protection. There are new or updated data protection regulations emerging all around the world, not only in the E.U. or U.S. but also countries like Brazil, Switzerland, Belarus, you know, Bermuda, even the Cayman Islands, so therefore just waiting and hoping, you know, that it will not affect your business may simply not pay off.

Virgil: [00:16:33] Yeah, and I think, you know, overall, and I actually just had a conversation yesterday about this with a customer and I said, you know, a lot of these are just good practices. I mean, even if you're not going to have a lot of ramifications from the European Union, they're probably just good things to do. And, you know, the U.S. is obviously, compared to a lot of those countries when it comes to data privacy, well behind the curve of a lot of other nations. But at the same time I think we're catching up, and I think, you know, there are going to be things that happen here over the next few years that probably go more in line. But one of the ones that I find very interesting, and we've kind of had some good conversations about this in the past, is this whole concept of privacy by design. Where, you know, it's almost like, duh! You know, that's great, everybody should have it. But, you know, when you read into the actual regulations themselves, it's basically, can the EU really come in and audit a foreign company and sit there and, you know, hire somebody to audit them and look at whether they meet their data privacy access? And I think there are going to be some interesting things, and, you know, most of my customers, I've kind of said, well, we know what we know, but we're not going to really know until they actually start to enforce it and we see what happens. Because, I mean, really the crux of it is, until they actually start to enforce it and they start going after organizations that are outside the EU's sphere of influence, or really even inside the EU's sphere of influence, we don't really know how that's all going to pan out.

David: [00:18:08] Right. You know, just to add to this, the thing is actually, you know, if you don't even try, you know, then maybe they will find a way how to punish you, how to get some money from you, you know, for breaching some of those privacy designs and so on. If you try your best, or at least try to some extent, you know, then the court most likely will, or, you know, not even the court, maybe it will be a local authority, will basically say, you know, we can see that you really tried to stick to those principles. That's OK, maybe, you know, next time just try to do it a little bit better, you know, or in a different way, and it's OK, you know. No fines, nothing like that.

Virgil: [00:18:49] Right, yeah. So when you guys kind of started going through and really putting together what you thought Kentico should do around this process, can you kind of point out two or three items where you saw that a lot of your customers, compared to the GDPR or just data practices in the first place, had bad practices, and that you needed to kind of tackle first before other pieces?

David: [00:19:16] I believe, as we talked about it previously, you know, mostly it's about, you know, just gathering so much data, that's the biggest issue. So before, you know, like, maybe let's tell our partners, you know, let's tell our customers, you know, what data Kentico is working with and so on, and what data they may actually expect to get from customers, what kind of tracking data there is on the websites and so on, to understand it better and just gather such data that are really necessary for their business to grow. Also the second thing was, you know, maybe most of the businesses, what we saw, were doing it unintentionally, but basically not having a legal basis for anything they did. So repurposing stuff and so on.

Virgil: [00:19:59] Yeah, and definitely one of the pieces that really kind of takes that to another level is not only the stuff that you collect but the stuff that, you know, other organizations collect on your behalf. I mean, if you have a website inside something like Kentico or something like that, you're probably considered the data controller, in that you control the data. But if you have Google Analytics running on top of it, and if you have some type of external marketing system or anything else like that kind of plugged in there, or if you're pushing information from the website into a CRM or something like that, you're really kind of opening yourself up to even more, and you have to make sure that you do that right. I think one of the most typical things that I probably see out there is those organizations that use those really large third-party email marketing systems, and, you know, maybe they have a website and, you know, you have the "subscribe to our newsletter" type of piece, and then they're doing it. Well, from that side, when you actually look at GDPR, not only do you have to make sure that if somebody asks to be forgotten that you can actually work with that company to forget it, but then on top of it, what if that company has a breach of their security and all the other components of it? So I'm kind of curious, you know, Kentico has a lot of functionality internally, but Kentico also recognizes that it has a large third-party ecosystem around it. Have you guys had discussions with some of your third-party vendors that have functionality that layers on top of Kentico, and kind of provided some guidance, or at least had some discussions with them about things they would need to do?

David: [00:21:34] Right, well, you know, as we do have some of those, as we call it, technology partnerships, then we look at such integrations and we try to make sure that our, you know, technology partners stick to the same standards and the same policies as Kentico does internally for its modules. So for example, you know, if we do have some e-commerce integration, we try to work with the company, with the representatives, to actually somehow, you know, say OK, so the road maps should be similar to ours, you know. So when it comes to, you know, consents, visitor tracking, you know, fulfilling the right to be forgotten and so on, we try to enforce the same level of standards as we do internally.

Virgil: [00:22:15] Yeah, and that to me is going to be a huge piece too, because a lot of organizations I work with, you know, they don't just use a tool. They have, you know, 10, 15 tools that they use to pass data back and forth. I mean, heck, even us, we have a lot of tools that we use to kind of manage different aspects, and, you know, when you start looking at those tools and you start looking at that entire thing, when you start talking about, you know, kind of applying GDPR to your entire web presence and everything involved in there, this could be relatively massive.

Virgil: [00:22:48] So David, before we go I kind of have one other question for you. Since you guys have really deep-dived into this, where I'm sure every company is well down the path of actually figuring out how to comply with GDPR, let's just pretend for a second that there are organizations out there that, even this close to it actually coming into effect, have not actually even started looking at things. Since you guys have gone down this journey, and I'm sure you've had discussions with others that have, where would you really recommend that they start this process of really looking at what they need to do to be compliant?

David: [00:23:22] Right. Well, from what I recall, you know, the actual start was quite tough, because the first thing is you have to basically somehow learn it, you know, understand the principles, so that you can then work on it internally. My recommendation would be to get a consultant or firm that can actually give you all the education related to GDPR, and educate your internal staff, so the managers of individual departments, so that they can actually teach the rest of the company. And the second step right after that would be basically to start working on the, we can call it, dataflow: how and what data you are collecting, where, for what purpose and so on, who's able to actually read it, you know, print it out and so on. So that would be my recommendation: first try to learn as much as you can and use somebody who is good at it, who can teach you well, just don't try to do it all on your own, and then look at the data and what you're doing with it.

Virgil: [00:24:23] And that's such a great point, because I was going to say that using somebody who is good at it and really knows their stuff, and I hate to say it, I think that's going to be one of the harder things to find right now, because, you know, today I get, you know, probably on average four to five e-mails a day about the GDPR from different organizations. And I think unfortunately there are a lot of organizations that are taking advantage of this and basically kind of using scare tactics, like, you know, the EU is going to shut down their website or, you know, bill them a million dollars, you know, the first day that it is open. But at the same time, the one thing I look at is they are all interpreting things very, very differently and kind of making their own conclusions and then trying to sell you a service, basically to have them do it. So I think one of the things that people really need to do there is they need to find that trusted partner or find that organization, and obviously at least part of it is going to have to have some legal background to it, but finding those that really understand this stuff and can kind of help them out.

David: [00:25:24] Right. I mean, basically, if I could conclude, you know, there are two slogans or mottos that I've heard, and I think both of them actually apply to GDPR and the compliance. The first one is, you know, don't be evil. And the second one is, try to be the good neighbor, you know. So if you try to stick with this and try to, you know, do your reps or design your website and all your business from the perspective of privacy and personal data, and stick to these two slogans, I think you should be okay.

Virgil: [00:25:58] That's a really good point in there. So, well, thank you David, really a lot, for joining me on this show. I think we had a great conversation and some really good insight there. So if people wanted to learn more about Kentico and your offerings around GDPR, is there a way that they could find out more?

David: [00:26:14] Definitely. There's a whole bunch of sources on GDPR in Kentico. We decided to have our own blog, so on Kentico.com/blog we also tried to put as much material related to GDPR, and especially GDPR related to websites and web content management and so on. So that's one of the sources, and the other source that I would recommend is definitely the electronic versions of the GDPR itself, where you can find a lot of interesting facts.

Virgil: [00:26:42] Great, and of course you can go to kentico.com to find out a lot of that information. So thank you David, we appreciate it, especially coming all the way from the Czech Republic to have a discussion with us. Have a great rest of your day.

David: [00:26:54] Thanks for having me here!

Virgil: [00:27:00] Welcome back to the segment that I like to call the Stupid Buzz. The Stupid Buzz is where I take a buzzword that technology has kind of taken and basically our industry has made meaningless. There's probably no bigger word that's been made meaningless than the word governance, and since we are talking about GDPR, I thought I'd talk a little bit about governance, which I thought would kind of fit into this. Governance means a lot of things to a lot of people, but overall the word governance came from the Latin verb gubernare, or more originally from the Greek word kybernan, I don't know if I pronounced that right, which means to steer. It basically means to take something somewhere. But the reality is that most people don't really understand what governance is and tend to think of it either from the I.T. side, where it's technical controls and people need to put limitations on how we use the software and how we manage our systems, or we kind of look at it from the business side and we look at it for, you know, the rules and regulations about how people develop content and that kind of stuff. But overall, when I look at governance and what I really think it means, years and years ago when I first actually started speaking, in 2008, I gave a talk called "Facilitating the Government out of Governance," and where I really focused it is that governance can be a necessary evil, but it should really be two things. One, it should actually help people in doing their job; otherwise, it shouldn't be all about limitations but should really be about actually doing something good for them. And number two, it should actually be something that is attainable. Otherwise, if you're going to have some type of management structure in place around your content editing, maybe your marketing process and that, it should actually be something you can measure and actually control, not something that you need to just put on paper. So the joke years ago used to be that governance plans, you know, you got paid by the pound, otherwise how thick the document is. Today we really kind of look at governance as one of those things that should be maintainable and manageable by people. And so when you kind of look at it overall and you ask yourself, do you need governance, well, the reality is that it really does depend on what you're trying to do and whether you can actually enforce it. And so a lot of times what happens is we build governance plans basically to shirk responsibility, instead of actually taking responsibility for something. So if you're going to have governance, don't just be a person that gives lip service and creates some documents that are not going to be used at all, but actually do something of meaning with it.

Virgil: [00:29:35] Thank you for joining me on the podcast today. If you enjoyed yourself and thought that we had some good information, feel free to subscribe to us through iTunes, Stitcher, SoundCloud and many other services, or you can visit us on the web at discussingstupid.com, where you can find our show notes and also learn more about the other sessions and episodes that we're doing right now. If you'd like to send a comment, you can send it to our email at me@discussingstupid.com, or you can follow us on Twitter at @DiscussStupid. And so I hope you continue to listen in to our future podcasts. So until next time, you can just start discussing stupid on your own.