Date: The 24th of November
Time: 12:00 PM - 1:00 PM
CEO, Legal Monster
Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.
So more about the details for this webinar, just ask questions. It's a bit difficult for me to see all of them while I'm doing the presentation, but I will definitely try to cover them at the end. We'll record the webinar, and if you guys have any questions that I don't answer, you're also free to maybe share it in an email and I'll respond to it. We're going to be sending you an email afterwards, just to get your feedback and see how we can make it even better, or if there's any kind of subject you want us to cover.
The thing is, it actually never does. You might use another system. You might use it for other purposes. You might actually collect different types of data, or you might not even do the same. Even though you're in the same line of industry, you might not be offering the same types of services. So the biggest mistake would be to copy other people's terms.
Okay. There you might have a sign-up form, they might be signing up to a newsletter, they might be joining you on a webinar, they might be accepting your cookies. Okay, so you take that customer and you find that, where do you actually collect the data about them? Then you take a step further back and say, "Okay, why am I actually collecting that data from these people? What do I want to use it for?" And you draw out this little map. What you should be doing is also documenting that drawing, because that's kind of like showing how the data is collected, what you use it for and the ecosystem.
Store it, save it, and make sure you update it, because that is also helping you along the way of becoming GDPR compliant, if that's one of the requirements you need to have. What do you need to have? Well, a data flow chart, and this could be a good way for you guys to start, if you haven't done it already.
So that's important, and that's why the first thing you should do is check in a few minutes and think a little bit about, "Okay, when I'm looking at my website, when I'm looking in the apps that I have, when I'm thinking a little bit about when I'm capturing data about people, who are those people?" And that needs to be described.
Then you also then need to think a bit about the type of data you collect from each of these groups. Let's take an example. So your website visitors, here you're capturing the IP address, the user's browser, their user agent, information about the pages that they visited, the date and time of their visit. And you might also capture their cookie consent. When they gave it, did they reject it?
Then, you need to also explain what you use the data for. You probably use it for many different things. And what people normally think about is, "Okay, I'm using it to actually provide my service, that's fine. I'm also using it to send out newsletters and people joining events and webinars." But you should also think about the fact that you would get data when people complain to your support team. You would also get data when they are browsing your site. You also of course, get data when people are applying for a job.
So take some time to describe these purposes. And the reason for it is if you hadn't outlined what you use the data for, you can't use it for... Let me rephrase. You can only use the data for the purposes that you've described. So if you haven't described a purpose, you can't use the data for it. This is super important, and this is actually where many companies are putting limits on themselves.
So do a bit of groundwork and figure out what you use it for. But also remember, you can't just put all types of purposes in the world, because the GDPR also has some principles that we need to make sure that you've covered as well. Because you can't get an excessive amount of data and use it for every purpose in the world. That wouldn't be lawful because that would go against the core principles, that you should only get data on a need-to-know basis and not a nice-to-know basis, okay?
Then what you'd also need to do, and this is specifically for example if you're selling online, is explain... And by the way, you need to explain always why you're getting the data and the legal grounds. But this example that I'm giving is for selling online. You need to explain to people what grounds you have for capturing and processing their data. It can be that they, for example, gave consent to receive email marketing. If that's the case, well then of course you're allowed to have the data because they said yes to it, and to send them those types of emails.
For the majority of all the users we're getting to subscribe to our service, well, we have a contractual obligation to capture the data so we can lock them as a customer and give them access to our product. We also need to defend ourselves against legal claims. So for our service work, helping companies to collect direct consents, right? It means we're able to prove that we actually did that. We helped the company and the user to collect those consents. And we needed to capture that information for a longer period of time, because it might be that our customers would get sued or might get a claim from a data protection authority. And here then, we would help them being able to defend themselves.
Then you also need to tell them for how long you're keeping their data. That can be really difficult to do if you don't have a private data retention policy. So the first thing you should be doing is saying, "All the data that I'm collecting..." Like you do in a spreadsheet, there are also tools out there that can help you. But simply say, "Okay, I'm capturing consents. For how long do I keep them?" And that's the column you would have. "And then when would I delete them?" The same for, let's say invoices that could contain personal information as well.
So in Denmark, you would be able to retain an invoice for five years due to the Bookkeeping Act. So you're required, according to Danish bookkeeping rules, to be able to document that people bought from you five years later. You need to have it for five years, but after that, you no longer have a legal basis for keeping that data, meaning it should be deleted.
One of the fines that we've seen from different data protection agencies, including in Denmark, has been around data retention, because there are so many companies out there that still do not have a data retention policy. And then there are many that have a data retention policy, but actually don't delete the data. So what the regulators have been doing is actually going out to companies and knocking on the door and saying, "Okay guys, we're from, let's say, the Danish Data Protection Agency. We would like to see your data retention policy."
And then you would go in, you would find it. And then they would say, "Okay, great. I can see in your CRM system, you're logging that you would keep account information for..." I'm just saying something random, "Five years." This would be too long in some cases and fine in other cases, by the way. And then you would go in and then the agency would say, "Okay, give me... Just open up four different accounts in your CRM system."
I would include it on my website so that people would have access to it and they could read it. You could also send it to them, but that's more tricky if people are signing up to services online. So therefore, this is just a recommendation, it's not a requirement.
You also need to include information about who you share the data with. This could be made in brackets or maybe in groups as well. And you can also, if you choose to, have it outlined specifically for each vendor, but that is actually not a specific requirement. Then you need to tell people about their rights. You need to tell them about how they can get access to the information you have about them. You need to tell them about their right to request that their data is deleted. And by the way, you don't always have to delete the data just because a user asked you to, because you might be legally obligated to store that data for a longer period of time.
The perfect example, again, back to the invoices. You are required, according to the Danish Bookkeeping Act, to be able to document the goods that you've sold. So if your user wants to be deleted, and that requires... Because the name is on the invoice, that will require that the invoice is also deleted. That isn't something that the user can require, because that would mean that you would be in violation of your other obligations. But it doesn't mean that you shouldn't be deleting other types of data, data where you don't have a legal obligation to keep it.
Then you should be telling people about the fact that they have a right to get their data restricted for processing, how their data can be edited, and also in some cases, the right to data portability. Data portability is for example, very much related to when you're signing up to different types of platforms. Facebook could be a good example. Here, you have a right to data portability, which means that you can request Facebook to, in an easy way check with some technical software for example, to take the data you have at Facebook, and then transfer it to another platform if that's something you would like. Or actually, just have it on your laptop.
When we're talking about these data protection rights, you need to remember you have only a month to respond to the user. So when a user is asking you to tell him or her about what data you have about them, you need to actually respond within a month; this is super important. What I recommend is actually, you do kind of like a little drill. What works really nicely is that if you, for example, have a support team, you could send a fake type of request and say, "I would like to get access to my data. Tell me what you have." And then the support team, we need to build a process around how to actually handle those types of requests. What system should they be looking into? Where could they actually find the information? And actually make it in a format where the user would be able to see the data that you're capturing.
So that was kind of like the next steps for you to consider, and for you to take into hopefully your little internal checkbox. I'm just going to stop sharing my screen. So I have a question. So Anders is asking, "So easy to understand and easy to read, or are there any specific requirements according to the authorities?" Actually, it's a good question. So the BBC actually made a survey a year ago, and found that the LIX readability scores of privacy policies were way beyond any other types of documents, and other types of articles that you would read online, meaning they were almost impossible to read.
And by the way, what I've seen is that if you do a really nice email, it can actually also be a gateway for you to get good dialogues with customers, and use it as a way to get them engaged in your product or with your service.
Are there any other questions? If not, we are actually perfectly on time. So I will send you out an email afterwards, and I want to thank you for taking the time and enjoying the lunch with me maybe, and see you guys soon. Take care, bye.