GDPR Webinar Series: 30 Days After The GDPR Deadline

August 9, 2018
by Sharon Solomon


Our “GDPR Webinar Series” took flight in late June. If you missed out on our first installment, the “30 Days After The GDPR Webinar: What Have We Learned and What’s Next?”, we have you covered with the video recording and transcription.

The GDPR Deadline: The Aftermath

First, the good news. The GDPR is now being taken seriously by online publishers and Ad Tech companies due to the serious consequences it carries with it, including financial penalties for infringement. Unreported and unresolved GDPR violations can lead to fines of up to 2-4% of the annual global turnover or up to €20 million, whichever is higher.

Many big Ad Tech players like Kargo, Verve, and Drawbridge have simply terminated their operations in the Old Continent due to the changes that are required to become fully compliant, especially when it comes to the relationship between data controllers and processors. This is still a grey area that many companies are failing to break down and understand.

30 Days After The GDPR Deadline: The Main Takeaways

Gillian Fishman, legal expert and advisor at Linkilaw, and Rob Beeler, AdMonster Chairman and Founder of Beeler Tech, got together to share their thoughts in the aforementioned webinar. This exclusive session was hosted and moderated by Eyal Katz, Senior Marketing Manager at Namogoo. Before diving into the recording and the transcript of the webinar, here are some key takeaways:

Gillian Fishman: “The most common misconception that I have seen is people still thinking that consent is the silver bullet.”

Explicit consent is something that most people have been focusing on, but in reality there can be a lot of different reasons for processing someone’s personal information. For example, in the business context, the most common example that Gillian saw while working with Linkilaw clients is people relying on the contractual basis.

What the law stipulates is that if you have a contract with somebody (i.e., client, business supplier, employee), you can process personal data without getting their explicit consent because that is already implied by the contract. This means that if digital publishers are selling a product or a subscription service, they are not required to request additional consent to collect personal data.

Rob Beeler: “Advertisers and Online Publishers often think that GDPR is a one time thing. The May 25th deadline has passed and you do not have to worry about this anymore. Not true!”

Rob feels that GDPR is going to be woven into more and more things as we go ahead. Americans might think that GDPR has nothing to do with them, but the upcoming Canadian PIPEDA regulations are going to affect them directly on 1 November, 2018. Data privacy has to take top priority – worldwide!

Gillian Fishman: “The ‘processor’ word gets thrown around a lot and there is a misconception that it is a specifically defined thing.”

Many Ad Tech companies and online publishers think that you have to be doing some specific sort of activity with the information to qualify as a data processor under the GDPR. But if you look up a definition of processing data, it essentially applies to EVERYTHING you do with people’s information.

Any type of activity with personal data – tracking customers, writing down someone’s name or email address, storing their details in an Excel spreadsheet or even putting them on a lead list – automatically makes you a data processor. The scope of activities is a lot broader than people typically think.

Gillian Fishman: “Some companies are limiting their services to only those outside of the EU. This is not going to work in the long run.”

Gillian thinks that making an effort towards compliance, despite the ambiguities in a lot of the implementation parts of the GDPR, is going to serve companies a lot better than trying to eliminate interaction with EU citizens altogether. She also adds that ignoring the EU is not necessarily going to work in the long run.

GDPR applies to anybody who handles EU citizens’ or residents’ data. This can also be a US citizen temporarily residing or travelling within the EU and trying to access PII data. There are also EU citizens accessing sensitive data from around the world. With more and more regulations coming up, companies have to start taking more responsibility.

Rob Beeler: “The GDPR has already taken effect and many companies are still not ready, but it’s going to take some time before violators are actually hit with fines.”

Rob thinks that while the EU is waiting for things to happen on the legal front, the first few penalties will create waves and accelerate the compliance process. He predicts that a massive data breach next year (2019) will probably make the regulators flip the switch and take GDPR implementation to the next level.

He mentioned that cases similar to Facebook and Kinder Generica, which happened before the GDPR took effect, would probably have been punished to the maximum extent if they happened today. Rob believes that the current “understanding nature” of the authorities is not going to last for long.

Rob also brought to everyone’s attention that the PGA tour has already appointed a member in its Ad Ops team to report directly to the legal team due to the complexity of their ecosystem. This cross-departmental approach is something that online publishers will also have to adopt sooner rather than later.

30 Days After The GDPR Deadline: The Full Transcription

In case you missed out on the first installment of our “The GDPR Webinar” series, you can relive the webinar and find the entire transcription below.

Eyal Katz

Hey everybody, thank you very much for joining us for our first GDPR Webinar, titled 30 days after the GDPR deadline. I am Eyal Katz, Senior Marketing Manager at Namogoo. I will also introduce our guests in just a minute. So, as I mentioned the webinar is titled 30 days after GDPR and what have we learned and what is next? This is the first webinar in GDPR webinars series. Each webinar will conclude in a certain period of time and will knock out the key development of GDPR over time and hopefully better prepare us for what is still to come with GDPR, PIPEDA which is Canada’s version of GDPR and California’s Privacy Law all set to dramatically progress in 2018. Let us turn on our webcams. Rob, Gillian can you hear me? Beeler can you turn on your webcams?

Rob Beeler and Gillian Fishman

We can hear you fine.

Eyal Katz

Would you like to turn on your webcams?

Rob Beeler

It is not allowing me to.

Gillian Fishman

Yeah me neither.

Eyal Katz

Yeah me as well. Hold on just a second while we solve this very quickly. Just one second thank you everybody for holding on. Just hold on for a minute while we solve this technical difficulty.

Rob Beeler

Should I do some GDPR jokes to warm up the crowd?

Eyal Katz

You got one up your sleeve then yes please do.

Rob Beeler

First of all thanks to everyone one at a time to give consent to hearing this thing. (Laughs)

Eyal Katz

It is all about consents, you may just turn this webinar very quickly into a podcast. I will share my screen where we basically have our welcome slide. Unfortunately, they will not be able to see Rob’s handsome and Gillian’s beautiful faces unless we are able to solve this webcam difficulty we are currently facing but otherwise we will just have to go on without access to webcams.

While I do the introductions, I would like to load up the first poll. See if we could put up the first poll question while we do this.

As we all now are focused on 30 days after GDPR deadline. We originally were supposed to have Alexandra Isenegger, CEO and co-founder of Linkilaw join us but in her stead we have Gillian, Gillian Fishman. Gillian Fishman is a legal consultant at Linkilaw, the legal platform for start-ups and small businesses. From 2015 to 2017 Linkilaw (4.25____) legal market place to also becoming a legal platform for start-ups and SMEs. In 2017, Linkilaw acquired UK leading legal market place LawyerFair and this last year Linkilaw experienced 500% perk. Gillian specializes in commercial contracts and data protection and has helped hundreds of businesses with GDPR compliance.

Rob is our other guest speaker joining this webinar/podcast. Rob here is currently Chairman at AdMonster and founder of Beeler Tech. Rob founded Beeler Tech in September 2016 to share his 20 years of his Ad operations and Ad tech experience and he basically connects between live publishers, agencies, and brands; and consults them with screening on to the visual media web related platforms. Rob has been with Admonster since 2008 serving as and head and chief of Admonster.com and leads on Admonster’s global conferences focused on Ad technology and visual media. Prior he was executive director of ad operations and analytics at advanced internet and now advanced digital. Leading trader of local news and information across the United States from 1999 to 2008, and Rob has extensive knowledge in visual advertising, display, programmatic video related, mobile, training and event management, constant programming. He is a member of the IAB digital operation certification program and (6. 05___).

I am as I mentioned I am Eyal Katz. I am the Senior Marketing Manager at Namogoo GDPR insights. Namogoo GDPR insights is basically a software solution that helps visual publishers avoid data breaches through continuous and automated monitoring of their data processes which is in case of digital publishers is mostly Mart Tech and Ad Tech text. Now we have got the introductions out of the way so 30 day; we are a little bit over the 30-day mark and quite a bit has happened to GDPR. I am going to start with a little bit of a recap of what has happened so far. We started off with Facebook and Google getting sued while off the bat, just pretty much on day one. They were both hit by lawsuits by NASQ and IMC activists and a large number of US publishers chose to shut off their properties for EU traffic rather than go through what it takes to comply with GDPR. We saw Ad revenues sharply decrease only to quickly return and turn around to close to pre-GDPR numbers and we saw Ad tech companies close their doors rather than try to comply.

Though we did not see a Doomsday scenario for Ad Tech. We saw companies Amazon or Facebook make pretty bad data breaches but their consequences are still pretty much unclear. But what is probably the most common talking point coming out 30-day past the GDPR deadline is the misconceptions around GDPR. The EU commission has left a lot of grey areas around the GDPR and I am sure you have all encountered these. Basically, my first question and I would like to direct it to Gillian if you could answer this first, what is the most common misconception that you have encountered with GDPR.

Gillian Fishman

I think the most common misconception that I have seen so far is that people thinking consent is the silver bullet but everything you do requires explicit consent and you have seen a ton of companies go on these campaigns both before and after the GDPR was implemented trying to get renewed consent from people when in a lot of cases that was not necessary in the first place and actually the regulatory guidance recommends that you try to use a different basis, so there is other reason that you use generally when you process information and they say you should use reasons other than consent wherever possible. I think it has a been a ton of talk around consent when that did not need to be necessary.

Eyal Katz

So if it was not consent what other way would you have of, if I understand this correctly there are other way of basically complying other than actually requesting direct consent. You want to expand on that a little bit?

Gillian Fishman

Sure, there are six, what they call lawful bases for processing information under a GDPR. The first one is explicit consent which like I said is the one that most people have been focusing one, but in a lot of cases we can rely on a different reason that you have to process someone’s information. For example in the business context the most common example that I see when working with our clients at Linkilaw is that people relying on the contractual basis. What the law says is if you have a contract with somebody, if somebody is your client, your business supplier, or your employee, a lot of the big categories of people you are collecting information about, then you can process that information, whatever you need to do to prepare that contract without getting their explicit consent.

Eyal Katz

Okay. Very interesting. Bob, what has been your most common misconception that you have encountered?

Rob Beeler

Yes. I am dealing with the Ad operations people mostly ad publishers and you know one of the big misconceptions is that you are done. May 25th passed and you do not have to worry about this anymore. I think there is a part as GDPR is weaved into more things that it is going to be something of a daily issue. You can probably say GDPR on a daily basis at some point; not yet because it is all kind of waiting to see. I also think that there is obviously in the US this kind of feeling that this does not affect you. You already hinted at what is going on in Canada. There is obviously some discussion about what might happen in the US at a state level. I think regardless that geographic piece of it is really that it pipes in the way that we transact within AdTech are going to be impacted by GDPR due to the signals being passed through it and the way we buy, the way we think about things and so it is going to have a much bigger impact than I think people have thought of in ways that I am thinking of yet.

Eyal Katz

Those are both really good points and I would also add that, at least from my perspective, what I have seen quite a bit is that a lot of companies outside the EU really feel that GDPR is not really concerned and they are not too concerned about GDPR and GDPR does not have anything to do with them. There is a lot of grey area around the whole concept of how or to whom GDPR is really effective for and I think that there is a lot of misconception around that. I was recently at a local conference here in Israel and we had a member of the EU Commission coming in and mention something about tracking and also about how even if you bring in basically anybody that you bring in to a website even if you are not an EU based company and you track them in any kind of way basically, you already have to be GDPR compliant to do any kind of basic tracking of any kind EU resident.

Even if you are not actively pursuing them, you are not trying to sell to them, you are not trying to market to them, if you have any kind of tracking software which is creating a user ID for that person then in that case you would be required to be compliant with the GDPR regardless of your geographical location, regardless of your business processes.

Gillian Fishman

I will jump in very quickly as well. I think another big misconception that came to mind when you were giving that example is not just people think it does not apply to them because of their location but the word processing gets thrown around a lot and there is kind of this misconception that it is a very specific definition that you have to be doing some sort of technical, special sort of activity with the information to qualify, if you look up a definition of processing in the GDPR, it essentially applies to anything that you do with someone’s information. As you mentioned if you are tracking them the second you write down someone’s name or email address or store in an Excel spreadsheet, put it on a lead list something like that you are considered to be processing that information, so the scope of activities is a lot broader than people think it is though.

Eyal Katz

Right, and that really relates to a question we just got asked by Nate Palmer on what does GDPR require around Google Analytics and user tracking. He says that he had gotten very conflicting opinions on this and since you are going to like place a cookie on the user’s machine with a unique ID it allows people to individually track them. From my understanding and you guys can feel free to correct me if I am wrong, any kind of unique ID, session IP, cookie ID, something that helps recognize an online user as a specific person, a specific user which can then be used for targeting purpose, which can then be used to kind of create an online persona it is considered a person identifiable information.

Gillian Fishman

Yes that is correct, it is considered person identifiable information when you have something that directly ties to a person and can be used to identify them specifically. I think some of the ambiguity with tools like Google Analytics comes with how businesses are specifically using the information they are getting. I have seen some businesses where they do look up those unique users and look at their unique activities, but I think that is kind of a smaller population of businesses because if you are looking at what one individual is doing then you are using personal identifiable information.

What I have also seen and I think the majority of businesses who are using the more basic function of Google analytics to just get an idea of what is happening in the Ad world, like 20% of my users clicked on our link through a google search and 30% came from the Facebook ad. If you are using information in the ad but then you are not looking at any particular individual so that is not person identifiable information even though pieces of information that make up that statistic would be person identifiable when you are looking at the one on one.

Eyal Katz

Right great! I guess we have already kind of touched on this but Rob we would like to get your perspective on this. I know a lot of large publishers especially outside the EU really feel like GDPR does not concern them. What would you say to them?

Rob Beeler

I think it does. They are wrong if they are kind of taking that stance. I do think that there is a part where it did not. Some of this has to do with corporate culture has to do with how you work with your legal team. I think that for a lot of publishers and companies outside the EU there has been very much a wait and see type of an attitude. In the cases of like Trunk where they have actually turned off their websites to the EU I actually happened to be in Milan and happened to click on a sat link without even thinking about it and then realized that I could not actually access it. It was pretty jarring actually to just not get content when I wanted to. I think at time and on lines with what the attorneys speak on this, Gillian can correct me if I am wrong on this, but that is not the spirit of what GDPR is trying to accomplish.

Ultimately that is not going to be the strategy that works but there is a part about waiting for a little bit more direction on certain aspects of this where I could see companies are saying let us wait and see what happens. The fortunate part for those of us that are dealing the technology piece of it, it is not like Oh, here is something that has actually been announced through the ruling and this is the way to do it, then you can go okay cool let me flip that switch. It might take months to years to comply with something that comes out, some of the things that come out of the court cases and whatever and so I think there is a wait and see attitude. I would sit there and think that having good data processes and a good relationship with your user, it just serves you best to just start doing it; and it also shows an effort to comply which will keep you from getting seized or brought in the court. That is my thought, Gillian please correct me if I am wrong.

Gillian Fishman

I think you are right. I think making an effort towards compliance even though we do not know specifics and there are ambiguities in a lot of the practical implementation parts of it, is going to serve you a lot better than trying to eliminate your interaction with EU citizens. That is why some companies are limiting their services to only those outside of the EU. I would also add that that is not necessarily going to work, because the law is meant to apply to anybody who handles an EU citizen’s data just because you are not letting anyone with a connection inside the EU access that information like your example just showed, you are not an EU citizen, you are an US citizen in the EU trying to access something. The opposite of that can be true, could be EU citizens accessing information from around the world and then you are following a _____ of that you are trying to make the solution simpler than it really is.

Eyal Katz

Just trying to clarify that if you are an EU citizen outside of the EU trying to access a non-EU website, the website that supposedly is not necessarily needs to be …..

Rob Beeler

Oh even one that is

Eyal Katz

Since you are right here outside the EU but you are an EU citizen does that mean that website that you have just landed on their domain do they need to comply with GDPR if you are an EU citizen outside of the EU.

Gillian Fishman

Yes.

Rob Beeler

I think, you know that more than I do, I think the part that I think most people are going to think about with that is again someone from the EU in the US have a choice to access, they are asked for consent then what is their ability to cope after that company especially if that property does not even have an EU existence. The way I think there is one part is again “alright this is not about how to gain this” I am actually in favor of the concept that GDPR is, but if I am working at it going right a regulator is going to go after my blog in the US first right? Most likely not.

I am probably okay with EU citizens outside of the EU. At the same time, there is probably going to be a cottage industry of attorneys that are going after people to show that they are not compliant with GDPR. It is going to be a nice sort of business to be in. I have got a feeling that the targets of that are still going to be companies that are in the EU or US companies that have an EU presence, while you can knock on their door and you can say “hey, you are not compliant”.

Gillian Fishman

Well, I think that is true from the outside, I think the question of enforcement is one of those areas that is still very grey, because the way that it is written, they have tried to make it as sweeping as possible so it is going to apply to businesses outside of the EU in a lot of circumstances, but how that goes about getting enforced against these businesses is a question that we have not necessarily placed an answer to yet.

Eyal Katz

I see that as something that would be very difficult to, especially with the scenario of an EU citizen outside of the EU accessing any kind of a website. It would be very hard to, like how would that website be required to know that that would be an EU citizen. That would be something that would be very difficult to enforce I would think.

Gillian Fishman

Yes

Eyal Katz

Right. Okay so we kind of touched on a point of a lot of publishers who block out EU traffic. What do you guys think a trend moving forward. Do you think that at some point, they will have to comply or can they just keep on doing this pretty much forever as more of a strategy? Rob would you mind taking that one first.

Rob Beeler

Yes, in time there will be things related to GDPR are going to happen that I think we are going to force their hand and again you alluded to the fact that right now GDPR is about EU or similar regulations and laws will probably go and affect elsewhere. If you think about it, I am stepping outside of my zone of expertise, but I am thinking politically about worrying for something or a great part from a run-on which is I want to protect your privacy and mine. You are not going to have someone say well I am against that. Right so it is an argument to win votes and it is something that I think there will be more stuff that happens. I am more focused on I think that how companies are actually trying to comply. There are definitely some companies that are doing wait and see, I do not think they are saying they are just never going to do it. I think people get that. I think it is more of the amount of effort and we are seeing effort.

Some of the publishers that I am talking to, while front facing I might not look like they are doing anything they are trying to figure out the backend. That other part of this is that this is not an AdTech issue. GDPR applies to any data. So, if you have subscriptions, if you have any other kind of thing where you collected information as Gillian mentioned that you are collecting email addresses or whatever you are going to have to comply. There is a lot of backend stuff that I do hear people working on just to show up and get the technology in place and then a lot of examples that I have heard I just cannot talk highly enough about I think is just amazing. PGA tour actually has someone at Ad operations that also reports into their legal team. The reason that they are doing that is because this is so complex we cannot work as a silo anymore. All this stuff is multi-departmental and that means having someone understand that what you are doing when you are targeting or using this technology and do stuff we need that basis and we would then be able to talk to the legal team so we can actually figure out where we want to go with this and give good directions to the rest of the companies. I think that is just an amazing step and maybe we will see more of that going forward.

Eyal Katz

Right. I guess what you are saying is that Ad operations might be evolving to a place where for the one end they have to make sure that they are optimizing their revenue and increasing yields for the company and then on the other hand it also becomes part of the job description to maintain compliance and compliance with GDPR can also be compliance Ads TXT and stuff like that. So it might be like a job description like that and operations in the near future that would be something that you would agree with.

Rob Beeler

From the very start of my career the attorneys that I worked with would call me up and ask me to explain Kappa they would ask me to explain third party behavioral targeting and what it meant because they obviously wanted the privacy policies to follow that. This is the same line. There is the technology that tends to outstrip what anyone’s legal team to keep up with and by the way obviously with the legal ramifications that tech people need to understand and so having people that can speak both languages is going to be really essential. I think going forward, maybe not the next six months but next year expected to be in someone’s job description so as to be able to speak some legalese. Anyone that is going in the ad operations to get a legal degree but maybe it will happen.

Eyal Katz

This is very interesting because we also have Gillian on the line and Gillian is going to give us the other perspective on the legal side of things. Gillian would you agree with this there is increasingly room in online businesses for people who can combine technology with, as Rob puts it, legalese?

Gillian Fishman

Yes absolutely. I think that legalese is a misleading way to put it a little bit because one of the main goals of GDPR is to get away from that kind of language to speak to people very clearly and have them understand in plain language what is going on with their data. So, I think hopefully we will see a departure from legalese and I am even okay with that as somebody who understands the language. I think it is time to get away from it but I definitely think that somebody who is aware of the regulatory requirements and can then turn around and know how that applies on a practical day to day basis is going to be huge.

Eyal Katz

That is interesting to know how all my publishing particularly now when this is a general development in that sense. Actually, when it comes to digital publishing in particular, it would appear that what most have been concerned with is, as mentioned in the start, about getting user consent, using stuff like CMPs consent management platforms or consent web-ins being prescribed on their web properties but the GDPR is about a lot more than just requesting consent to collect personal data. It is about the data itself and what we do with it and how we do it. Gillian what do you feel will be the biggest GDPR compliance issue moving forward past consent?

Gillian Fishman

I think once you have consent and I think this is true across all kinds of businesses you have to make sure that you are putting in the right backend processes to make sure they are recording it correctly. You need to be getting time stamps of when people consented, the language they consented to and be able to demonstrate that going forward. The automation of those types of processes and figuring out exactly how that is going to work in your business specifically I think is the next step. Also, to periodically review what you are asking people to consent to and making sure it is changing along with any changes in your business. Wherever it is possible to give people more options you are supposed to give those options. As your business evolves as the technology evolves you should be able to separate options and you would have to implement way to actually maintain that on the backend.

Eyal Katz

So, basically, gain consent and maintain over time in a way that is not automated but in a way that is kind of like running in the background and at the same time is also reliable. You can entrust it on the background and on scale would do work on where businesses should be going.

Gillian Fishman

Right I would say so and you know when it comes to the different types of tracking and cookies and all the different ways that we are collecting information, I am not at best in the technology area by any means, but I think we will see additional development for how we can separate out people being able to consent to one type of processing over another and when they submit that request or that piece of information, you are having a system that can then ensure that the types of tracking or the types data collection that they do not want is automatically sorted out.

Eyal Katz

Alright and Rob what would be your take on this. What do you think is the biggest GDPR compliance issue more than past consent?

Rob Beeler

So first of all I agree with everything that Gillian just said and I am of course regretting my legalese comment or my labeling that way.

Gillian Fishman

I did not take it personally.

Rob Beeler

Okay, good. The two areas I am watching with it so maybe not the biggest but it is obviously but surely within AdTech there are going to be tools that monitor what is going on because as it has always gotten this industry in trouble. It is not necessarily your partner. It is your partner’s partner and that partner’s partner, partner. At some point someone needs to make money and so they start doing deals with that aim and it goes all the way up stream. You would work on consent and you would work on that and then you are going to have partners who just do not follow through what they are supposed to do. It is going to be very important to not only have those tools Gillian mentioned in terms of how to handle what you are doing but monitoring what everyone else is doing to make sure that you are doing it right. That is not a plug for Namogoo, but obviously you are in that area and it is important.

More philosophically, as people understand and communicate the conclusion that GDPR is a real thing and the underlying part is not to just have some kind of legislation to hurt us and that the fact is that people, not user, people have a right to privacy and understand how their data is being used the conversation that publishers have with consumers and users and people is going to evolve. That could be the most beautiful thing that comes out of this. Right, which is an understanding that I am publishing content I need to get paid, here is how I would like to do it so you do not have to pay out of your pocket, (34.15___) right. When to have that kind of levelled conversation it could mean a whole new level of relationship between varying brands, publishers and people that can be really awesome if we go about it the right way.

Eyal Katz

Absolutely. The whole deal with publishers is towards relationships this towards relationships and this could be a big part of that and you kind of touched on that of course I know you did not mean to plug that, I will though. So at the moment what we are seeing is that there are a lot of publishers that once they have gained consent they do need to have a system in place to maintain compliance and that is why we feel that GDPR insights is a great tool for digital publishers who want to keep, to track and make sure all their data processes are maintaining compliance. That is it for the plug if anybody would like to hear more information about GDPR insights, then they should just fill in a survey that will appear shortly on your screen, but let us move on.

So 30 days as I mentioned we just roll back to talking about 30 days after GDPR and I would like to talk about something that is a concept that is relatively new to GDPR consent that is browser-based consent. I do not know if you heard about this, I just heard about this relatively recently and basically it is instead of asking for consent on a website by website basis, the user would provide their consent in their browser. They would just need to do this once and it will allow them to provide consent once. The browser then basically behaves like a CMP and all the services can sign up for that so called CMP which is basically the browser and then you can collect personal data and that way it is a little bit can be considered a more comfortable way of managing a consent. So, Gillian I do not know if you have heard of browser-based consent before but what are your thoughts on this.

Gillian Fishman

Yes, I have heard of this and it is a concept that has just started to emerge recently as you mentioned. I think it is a great idea in theory but coming from the legal perspective I will be interested to see to how it is actually implemented because when I think about a blanket consent that is in browser that applies to a whole myriad of websites in my mind it does not sound like something that would be GDPR compliant because of what I mentioned earlier allowing people to have as many options as possible. So, one of the guidance compliance has said that consent for a blanket category of businesses is not compliant. So, I do not know how they would get around that issue, whether it is segmenting by business types, segmenting it by type of information that is collected, uses of that information but I think it has got to be a little bit more complicated than just one overall chain consenting mechanism.

I also think that the success of that kind of a deal going forward is going to depend on the user reactions as well. Because you know personally I would be happy to get rid of cookies menace and not see them anymore, I would be able to give one consent that takes care of all of that deal where you have to click in to every website that you go to but I think for other people the GDPR and some of the scandals with Google, Cambridge Analytica, Facebook has been more of a wakeup call than anything and it may be certain that people want more control over their data. So, I think there is going to be 2 camps of people if that comes to that type of action; some people who think it is a great idea and some people who really would prefer to be consenting on a case by case basis.

Eyal Katz

Yes, obviously at the end of the day the GDPR is about the users and it is about creating a better user experience out there. So, Rob what is your take on that kind of consent.

Rob Beeler

Do not get me started on this one. This one is the one that fires me up right. Because you are absolutely right. As a user, oh can you hear me?, can you hear me?

Eyal Katz

Rob I do not think I can hear you.

Rob Beeler

Can you hear me now? Can you hear me?

Eyal Katz

Oh shit.

Rob Beeler

Can you hear me? Can you hear me? Can you...

Gillian Fishman

Okay I can still hear you Rob but I am not sure what is going on the other end.

Eyal Katz

I can hear you.

Rob Beeler

Gillian can you say something to him and see if he hears you?

Gillian Fishman

Yes he can hear me alright isn’t that it? Hello? Hello?

Rob Beeler

Yes I can hear you.

Gillian Fishman

Yes I wonder it may just be that we are talking to trouble at this point.

Rob Beeler

This is why I am all fired up about. I think people can hear us but I think Eyal cannot.

Eyal Katz

Sorry I could not hear you there for a minute, but I can hear you now.

Rob Beeler

Here I was like all fired up right and then there like wait no one can hear me? Come on I was like getting animated here, we should have had webcams.

Eyal Katz

Looks like it was just me.

Rob Beeler

Yes so, from the user’s perspective, I think the browser-based thing could win out because it is going to be annoying to get consent on every site as you both mentioned. Agree with that, it is a trap. So, one of the reasons that we are doing this is because of Google who has got the biggest browsers out there Google. If Facebook does plan to take in this space they can do it as well. It is the big guys that are the ones that control the browsers and if we relinquish this to them, it is essentially their data. To me I cannot dismiss it. I think it is going to happen, there will be conversations about it but the very people I think should not be having control of this are the ones that are going to get control of it if we moved to browser-based solutions.

Eyal Katz

Yes right seems like it could be kind of a catch 22 in that sense and so yes I completely understand that point of view. I also see that after about 30 days into GDPR that most of the EU businesses especially but also businesses outside EU are doing a lot better than we may have thought that they would be 30 days in. That GDPR was not as armageddony as we first thought. Rob you can go first I would like to ask do you think this is because that a lot of businesses have actually been doing a great job being compliant or is it that GDPR is more hyped than anything else.

Rob Beeler

Wow!! Those are 2 yes. First of all, I am writing down the word armageddony because that is a common word I am going to use. I love that. So, no we have not been great on compliance I think actually a lot of people are getting it wrong and it has not just come to light yet that they need to do it properly. I do not know whether it is hyped, I think that it is obviously real. But of course, this kind of wait and see attitude and so business is going to continue. You mentioned at the beginning that there was a quick drop of transactions happening when GDPR first went into effect and then digitally recently reported that it is back up to the same level.

Look, people have budgets to spend and you just not spend money because then you do not get the money back. That is how unfortunately budgeting works and so the money is going to flow until it really demonstrates that it does not work any more then money is going to get shifted elsewhere. I have the feeling that right now why not continue to do business which is keeping the way some of these companies that should probably die off have not that just is because there is actually still money and transactions happening and they are going like awesome, we will live for another day.

Eyal Katz

Yes, I get that too. I see that a lot of businesses are kind of like taking a wait and see mentality. How about you Gillian what is your take on this? Have things actually been doing a better job is it all a hype or people will wait and see what is going to happen.

Gillian Fishman

I do not think it is all a hype and I think the question of whether businesses have been doing a good job, is still unanswered and I think that is the reason why we have not seen a lot of commotion recently because we have not gotten to the point where the people who are in charge of enforcement or who are going to be drawing up the fines or bringing these issues to light. They are not ready yet. I think that is really the main reason why we have not seen a lot going on. Our headquarters at Linkilaw is in London so we have done a lot of work with registering UK businesses as data controllers which is something that is required from the office that supervises GDPR stuff in UK and the website was so overwhelmed with volume that you could not even register people for like two weeks because they just were not prepared.

I do not know if that is comforting or disconcerting but I think the law makers and the enforcers were almost as caught off guard as also some of the people that are trying to get ready so they are trying to get their own side of it together and once all of the dust has settled and they have got a hold of these new registrations of all these new businesses whose information they need to be looking after then we will start to see a little bit more action.

Eyal Katz

Okay, and by action do you mean lawsuits, litigations?

Gillian Fishman

I do not think that we are going to see a ton of lawsuits right off the bat. I think their stance still is that I heard and read some of the authoritative bodies that are controlling this in different areas of the EU, a lot of them are taking a much more understanding approach than I expected them to but realize that this is a lot of information, it is a lot of process, lot of steps that have to be taken for compliance and something that might be even said that enforcement is going to be coming as a last case scenario. Would not they try to work with people to help them with practical information sharing. So, I think that before we see lawsuits and fines what we are going to see more of is kind of case studies and guidance hopefully where they are taking a lot of what people are doing making an evaluation of whether those are the right practical step in providing some feedback and some guidance on what people can do better or what examples of the businesses that are doing it right before they start taking swings at people.

Eyal Katz

If I am kind of reading between the lines what you are saying is that GDPR will continue to kind of like evolve organically based on the next few months and how things could go in the next few months?

Gillian Fishman

Yes I think so. (47:50 audio break____) taking their take on implementation on how they can comply with this and the court is actually taking a look at what businesses are doing and saying this is what we had in mind or that we are thinking that you should do it like this instead. So, it is going to be kind of a collaborative effort.

Eyal Katz

Alright, how about you Rob where do you see things settling in with GDPR. Where will we go from here basically?

Rob Beeler

I agree that it is going to set in at the same time maybe because I have just all been skeptical I think some people are going to wait for some laws and some critical things to actually happen, I think the one thing that will accelerate everything, this is a prediction that is that in the next year someone is going to have a data breach or something at a level that will bring the regulators together to go right. Let us use this as an example. Facebook and Cambridge Analytica that happened before GDPR happened before May 23rd, maybe I am talking outside my realm here but I just think that someone is just going to become the scapegoat or the example to be made of what is being done wrong.

But yes, I do not think mostly companies are going to get fined. I think that the idea of some case studies is going to be really helpful. I just think it is going to take a little bit of a stick and the carrot to get the people to comply with all of this because it is not easy and as I said when we talked before, there are companies that make their living off taking users’ data and do whatever they can with it so they are going to continue to do that until they get ousted out. So that is my prediction.

Gillian Fishman

I think that is true in a certain sense. Your point of someone becoming a scapegoat I think that that will happen. That is an accurate prediction but I think the focus is going to be on big companies. It seems to me like there is a sliding scale of what the expectations are if you are a Facebook or a Google then the bar has been set much higher for you. So, I think if it is a big company that is in the public eye like that then they should be watching what they are doing a lot closer than smaller companies who are trying to implement their own processes right now.

Eyal Katz

Right that makes sense. I guess it is kind of like leads back to what Rob was saying earlier about the political aspects of GDPR and like my predictions would be we are going to see a lot more GDPRs just with different names like what we are seeing in California, and in Canada. It has a lot of political appeal especially if you go after big targets like Facebook and Google but also if you go after the smaller ones as well just to show that you are taking this seriously and that you are going to follow through. Such courses can carry a lot of political clout with politicians in election years which the US is experiencing right now but US, Europe, all democracies at one point or another there are elections going on somewhere so I would think that this will expand a lot further beyond the borders of the EU in the near future.

Rob Beeler

I hate the term GDPR as “s” I hate that in the plural sense. I will take apocalypses but I will not take GDPR.

Eyal Katz

We will take that as (52:15____).

Rob Beeler

I think I have heard some things that the California stuff just seems to be in peril that the lobby has been pushing to get that off the ballot, but there is going to be more regulation. It is just going to bubble up elsewhere, I agree with that 100%.

Eyal Katz

Alright. There are a few questions that we have from our attendees and if there are any more please add them in the comments while we field these so we have a couple from (52:49____) the first one is about user data request. I am assuming (52:53____) means SARs and the portability of data. I am not sure what the question is but I am guessing that what he is alluding to is about the possibility of somebody requesting the personal data from a publisher that they collected on him and then using that personal data to share it and then share their own personal data or somebody else’s with a competitor or something along those lines. Would you see that as a concern or something that can be used?

Rob Beeler

Well let us ask this in a different way. Can GDPR be used maliciously by companies who want to take that data and use it for their own purposes.

Gillian Fishman

I think what the questions are leading to in the first place is the right to data portability which is a new right that people have under the GDPR and it means that individuals have the right to ask a business to provide them with all of the information that has been collected about them and that business then has to turn around and give it up to them in a simple readable electronic format. I think and two of you correct me if I am misunderstanding the question, but as far as someone else requesting information or providing it in a malicious way you can only make a request to obtain information about yourself.

So, this is not a situation where I can go to a company and ask them for all of the information that they have collected about my neighbor. That would go against the whole point of the legislation. The point of data portability is so that people can obtain all the information they have given to one company and turn around and give it somebody else who they would rather be working with. So, I do not think that is malicious I think that is just how competition works. There is a chance of that happening.

Eyal Katz

Great. So, thanks everybody, thanks to Rob and thanks to Gillian for joining me, thanks to all our attendees who have joined in and watched/listened to this webinar. I will provide everybody with a recording and you will receive that via email. I am also going to provide you guys, everybody is going to receive a link to the GDPR tag audit that Namogoo provided a free tag audit for your website to see which data processes are collecting data on your users and we will send all of that over. You stay tuned and stay close to your email inboxes as this is the first of the GDPR webinar series and we will be announcing the topic of the next one shortly and I hope you enjoyed this webinar.

Gillian Fishman

Thank you for having us.

Eyal Katz

Thanks guys bye bye.
