Jamie Walker, Director of Finance at Zuora, interviews Ray Orife, Head of Data Protection at Evalian, to discuss all things data privacy and keeping up with compliance.
Could you please tell us about your background, your career path, and how you got to your position today?
I started my legal career in 2014, training at a regional law firm in Newcastle called Ward Haddoway. Training tends to last two years; you do a number of seats in various departments and then, after the two years, you progress to a chosen area in which you want to practise. I left Ward Haddoway in 2016 and went to Newcastle Building Society, where I started as a commercial contracts lawyer as part of their in-house legal team.
It was in 2016, just before the GDPR was coming into force, that I saw the opportunity to develop and progress my skills. One thing about data protection is that it’s a very complex area of law in terms of the legislation, how you interpret the legislation and approaches to risk. There was an opportunity to join Evalian in 2020 to work with like-minded individuals who were also privacy professionals, so I could bounce ideas off them. I suppose it’s a cliché, but you could say the rest is history, and I’ve been with Evalian now for just over two years.
Can you give an overview of data privacy, data protection and ethical use?
Data protection is very much about ensuring customers can trust how you’re going to use their personal data and making sure that you use it fairly and responsibly. In the UK, the key legislation is the GDPR, and it’s very much focused on principles: making sure that you’re going to be transparent about how you’re going to use an individual’s data, making sure that you’re providing privacy notices at the right time, and allowing individuals to access their information as well.
In terms of data ethics, it again goes back to that point around what is right and what is fair, and making sure that you communicate the purposes for which you are going to use an individual’s information.
If you think about the way that technology has advanced over the years, that’s what the law is trying to govern; it’s trying to ensure that the law keeps pace with technological advancements. I think back to when I was a child playing computer games and there was no such thing as the internet. Now you have kids playing with children all over the world through all sorts of devices, all of which use vast amounts of personal information, so it’s important that the laws and guidance govern how all this information is used so that the data is treated fairly.
Why is data privacy more important than ever?
Things have changed so much. Look at artificial intelligence and ad tech, and how businesses are trying to communicate with their customer base, through subscriptions for media companies for example. But with those advancements comes more data and therefore more responsibility; we need to be making sure that the way we use and analyse personal data is fair.
We have an Alexa in the house that will be collecting personal data, so we need to be thinking about children and how their personal data is being used as well. I feel like the GDPR lit a fuse from a regulatory and legislative standpoint. Now we’ve got similar legislation in Brazil and China, and the CCPA in California, and so the GDPR is almost viewed as the gold standard in legislation.
People have also become more aware of what their rights are in terms of their personal data. I see this all the time in my day-to-day role, whether it’s claims that have been made by individuals because their data has been shared incorrectly or by mistake, or there’s been some sort of dispute between an employer and an employee and they’re making a claim because of that. I think that one of the key things is that the GDPR really enhanced individuals’ rights; it brought new rights such as the right to data portability and empowered individuals to understand and have more access to their information.
It’s important that businesses understand how they approach their data protection; it’s important that they get it right and make sure that they’ve got robust measures in place to protect an individual’s personal data.
What is the key difference in data protection between the UK and the States?
It’s difficult to compare how data protection is viewed in Europe with data privacy laws in the States. The EU GDPR covers all the member states in Europe, and then you have the UK GDPR which governs how data is processed in the UK, whereas in the US there’s no federal law which applies across the whole country; you have individual state laws, but not all states in America have privacy laws, and it’s very much sector driven as well.
The actual framework is very different; also, class actions are much more prevalent in the US. There’s also a difference in how the supervising authorities act in the US. We’ve seen some huge fines: Facebook was fined around 5 billion US dollars by the Federal Trade Commission (FTC) a couple of years ago, whereas in the UK we’ve seen fines be reduced. For instance, in the UK there were the British Airways and Marriott fines a few years ago by the ICO – around £180 million for BA and around £100 million for Marriott – but in the end those fines were drastically reduced, to £20 million for BA and around £18 million for Marriott. It’s clear that the supervising authority in the US is more willing to issue really significant fines.
Culturally in the US, there’s perhaps less understanding of privacy issues. The UK and EU GDPR cover significant aspects of data protection, like legal requirements and how data is going to be processed, but consent seems to be the main factor in the US as to how data will be processed. In contrast, there are six different lawful bases which allow you to process personal data under the EU and UK GDPR.
I would say the framework is very different in the sense that US privacy law has different legislation that applies to different sectors, as opposed to having an overarching piece of legislation.
We recently published an update following on from the Data Protection and Digital Information Bill, which was initially proposed last July. The UK government has now updated its previous proposal and on 8 March 2023 published its second version of the bill, the Data Protection and Digital Information (No.2) Bill (the “new bill”). The first version of the Bill was very much focused on reducing burdens on businesses and establishing the UK “as the most attractive global data marketplace”. This underlying theme remains, with forecasts that the reforms will save the UK economy more than £4 billion over the next 10 years.
Are there any cases that you know about where data consent and handling perhaps weren’t managed in the best way?
A significant case this year was Clearview AI – the ICO fined Clearview 90 million pounds. What Clearview do is hold a database of facial images, collected from publicly accessible sources such as social media platforms, which allowed individuals to be identified based on biometric data extracted from these facial images. They were deemed to be processing data unlawfully, without a valid legal basis. This just stresses the importance of data protection, especially when you’re processing sensitive information such as biometric data.
For any processing or collecting of data under the UK GDPR, you have to have a valid lawful basis. It’s really important as an organisation to think about the context of what you’re doing and what your legal basis is going to be before you embark on any personal data processing activities.
Another significant fine last year was the Irish DPA fining WhatsApp 225 million euros, and that was due to not having appropriate consent, and also for not providing sufficient information to its data subjects when collecting their personal information.
One of the issues around the WhatsApp case was that they were actually capturing consent to search users’ contacts, but in doing so they were also searching contacts who didn’t actually use WhatsApp – which is obviously a huge contravention of someone’s privacy, so it’s no surprise that they received such a large fine.
This shows how important it is to make sure your privacy notices set out exactly how you’re going to be processing the data that you’re collecting about an individual.
So it’s not just a case of “we got you to tick the box so it’s OK to collect your data”; you actually have to justify what you’re using the data for and make sure it’s for a legitimate purpose.
You’re absolutely right. When you’re capturing consent, it’s not just a case of having a tick box there; you actually have to make it clear to the individual what they’re going to be consenting to. There needs to be sufficient consent wording next to any tick box which will allow individuals to go “alright, this is how my personal data is going to be used by you” – it’s really important.
I’d say a lot of the time, organisations get things wrong because they’re not transparent about what they do. Arguably, even if it’s not the fairest practice, at the very least if you’re transparent, you provide that information to individuals, and you give them an opportunity to see that information at the right time before you start processing their personal data, it’s going to be much harder for a supervising authority to say “you haven’t been transparent about how you’re going to process an individual’s information.”
What would you describe as a robust data security strategy?
It’s really important to think about how you are going to approach your personal data capture from the outset and adopt a holistic approach, so think about your people, your systems, your physical environment and the third parties that you engage to support you with your personal data processing.
Think about the organisational measures that you’re going to implement – your policies and procedures – but also what technical measures you’re going to implement. If you’re a media company, for instance, and you’re providing subscriptions, you need to make sure that at the outset of that data capture you obtain clear consent and there’s a tick box which allows the individual to opt in to receive marketing.
Of course, in the UK it’s not just about capturing consent. After that, you’ve got to look at whether you’ve got a system in place which will record that consent and make it auditable, so you can see when the individual consented and what they consented to – making sure you’ve got that auditable compliance trail.
You also need to think about your technical controls as well. What security measures do you have in place? Do you back up your personal data? You also need to consider your physical environment: if you’re not working remotely, think about how your office is set up. I know open plan is seen as the “in thing”, but if you’re processing highly sensitive information then an open plan office is not the most suitable for your organisation.
Consider the governance structures within your business too. How is personal data governed within your business? Do you have different forums to discuss your approach to your data strategy? How do you ensure that your board has visibility of what’s going on from a data protection perspective in your organisation? It’s about making sure that if there are going to be any issues, the right individuals within the business have a good understanding of what’s going on.
What is key in any data protection strategy for me is making sure that you have monitoring in place, so whatever measures you adopt, make sure that you keep those measures under constant review. If you don’t review those measures, you’re not going to be able to assess whether what you have in place is sufficient or whether you need to take further steps to adequately protect the personal data that you’re processing.
This work-from-anywhere culture that’s come about, partly due to the pandemic, happened just at a time when keeping data secure is even more important. Have there been any issues this last year or so to resolve as a result?
I think that there was a lot of stigma around remote working – are people actually working when they’re at home? But what businesses will have learnt is that people can work from home. The interesting thing is that we went from going into the office pretty much every day of the week to working via Teams and over Zoom. Obviously, all of these platforms collect personal data, and they record calls as well, so they’re collecting vast amounts of information.
The main issue was that everything happened at pace, so what we’re seeing now in the aftermath is that businesses didn’t adequately train their teams on how to use these platforms, or how to set them up properly if they’re inviting people from outside of their organisation. It’s of course understandable, as COVID-19 came out of nowhere and businesses then needed to make sure that they could still communicate with each other efficiently. So for many organisations it became about recovery, and we have been making sure the teams actually understand how they use all these different communication platforms.
What are some key requirements when capturing first-party data?
As I mentioned earlier, you have to have a valid lawful basis for capturing any sort of personal data. There’s a tool that data protection professionals use called a Data Protection Impact Assessment (DPIA), and in certain instances they’re actually mandatory under the law. If you’re going to be processing any personal data which is sensitive on a large scale, you need to conduct a DPIA, and likewise if there are going to be any restrictions around an individual’s access to personal data – say, for instance, if you’re applying for credit.
I would always recommend conducting a DPIA, a set of screening questions just to try to understand what the implications of the data processing are going to be. I also mentioned earlier that transparency is one of the key factors to consider if you’re going to be collecting first-party data. You need to be transparent about how you’re going to use that information – so that goes back to privacy notices, and making sure that you provide them at the right time. If you don’t, it’s unlikely that you will be complying with the law.
Another key principle under data protection legislation is keeping data secure and implementing appropriate security measures. Make sure that you are storing data securely and have controls around that – think about who has access to that information. Look at your physical environment, those that commute, how you send data if you have to send it, and what your encryption policies and your BYOD policies are.
Of course, it all flows back to the data subject, and if they make a Data Subject Access Request (DSAR) you need to make sure that you have the proper organisational measures in place to respond to it so that they can access their information.
You mentioned transparency a lot, but we’ve all seen those policies that come up where you often just click “accept” without even reading them. Are organisations under any obligation to make sure that people read these things?
There’s no real obligation for organisations to show that individuals have read a privacy notice. But what a lot of businesses do when individuals are going through a signup process is not allow them to move through to the next stage of the signup without ticking a box to say that they have read that privacy information. We can offer advice on what to include and how to write a privacy notice.
What I would stress to individuals is that you’d be surprised sometimes by what those policies contain. I know that people just click through to speed up the process, but I would highly recommend that you read what’s in them! At the end of the day, your personal data is yours; it’s not only up to organisations to be responsible with data, but also up to the individual to ensure they keep it safe.
Finally, can you give us some predictions about the future of data protection?
I think the UK will probably be different to the rest of the EU – there were data reforms and a DCMS consultation within the UK just recently, and the Data Protection and Digital Information Bill was introduced in the House of Commons this summer as well. This legislation, you could almost say it’s a watered-down version of the UK. It’ll be interesting to see where that legislation ends up when it’s actually enacted.
I think that within the UK we will try to adopt a less stringent approach than the EU, but I think what that will actually do is present challenges for UK businesses, because they predominantly operate in the EU as well.
It certainly seems in the EU that they’re getting more stringent and cautious around the data protection process. You might have seen that the French regulator recently deemed Google Analytics to be illegal. A lot of businesses use Google Analytics, so going forward, when working within the EU, organisations might have to start looking at using different analytics tools on their websites. It will have a knock-on effect.
I think in America there will be more data privacy laws created, some of which are being debated at the moment in the US. But this is exciting; it gives us data protection professionals more areas to work in. There are definitely interesting times ahead for the data protection landscape.
Our data protection team at Evalian strives to keep on top of changes in order to ensure we are able to effectively inform our clients and support them through those changes, whether that’s updating policies and procedures within an organisation, training their teams on the GDPR, helping with responding to DSARs or just general advice. If any organisation needs help on any of the topics discussed, we’re happy to have a chat about their requirements.