Keynote at the Consumer Identity World 2017 EU in Paris, France
We're almost there. It's almost happy hour, but nothing worth having comes easy. So they put a lawyer in front, second to last, before happy hour, but the good news is I only have 20 minutes, so it's not going to be a big problem. Last time I gave this kind of talk, I did it without slides, which forced people to look at me all the time. I thought this time I was in a really giving mood, because it's almost Christmas, so I've prepared two slides. If you have any questions about the stuff I'm talking about, please feel free to chip in with questions directly. That makes a lot of sense.
I guess if we're talking about legal stuff, I'm happy to have this as an interactive session. As I said, I'm a lawyer, a digital media and technology lawyer at a law firm called Osborne Clarke. I'm based in Germany, so I'm a German data protection lawyer in the eye of the storm. I advise both online and offline, technology and non-technology companies on data protection issues and other IT issues, and as you can imagine, GDPR is one of the main issues to talk about.
We are advising a lot of clients in achieving GDPR compliance, or at least in their attempt to do so until May 2018. Clicker? Yeah. I didn't even write the two slides I prepared myself. So I'm working with quotes. The first one is actually really basic, but it's so fundamental that it kind of sets out the impact of the General Data Protection Regulation.
I just assume that you are familiar with what GDPR is. It's a piece of regulation that, unlike a European directive, applies directly; it will be enforceable and will not require any kind of implementation law. So come the 25th of May 2018, it will apply. The level of detail, the scope and the impact it has lead some people to say it's a revolution of data protection. Coming from Germany, I would say it's an evolution, not a revolution, because it has mainly been modeled after German data protection law.
Many of the aspects that are really new to many countries or jurisdictions have been part of German law for many, many years. The data protection officer, for example, which is a fairly new institution in many countries, was introduced into German law in 1998, and German businesses survived this as well. So what the UK Information Commissioner Elizabeth Denham said is that we are all going to have to change how we think about data protection.
It's fairly basic, but it's fundamental, and it's absolutely true, because the impact that GDPR has on businesses is so deep. The requirements that will be implemented based on GDPR will influence internal processes and internal structures of businesses, and will have an impact on responsibilities as they are allocated in companies. The data protection officer is just one example: it will be a role that's entirely new for many companies in countries where the data protection officer has not been implemented yet.
It can be an external person acting as data protection officer, but for many companies it will make sense to have an internal data protection officer. It will be really interesting to see how the data protection officer will be treated and considered in the context of employment law, because the data protection officer is free in executing this role and is not supposed to, and not allowed to, take any directions from management.
He will report directly to management, and the most important implication in the context of employment law is that he can't be fired for doing his job, which is quite a contradiction to what usually happens to employees if they are not acting according to directions, or if they are advising the management that something should be done differently, or if they are pointing their finger at stuff that's going wrong. It will be very interesting for companies to handle these processes and these responsibilities.
Another aspect of GDPR that comes to mind when thinking about how deep the impact of GDPR will be on internal structures is privacy by design, which basically says that, unlike in the past, products and services, once they are designed and set up, need to have basic data protection principles implemented into their structure and into their design. In the past, when products or services were built, there were many people at the table. The questions were: is the product scalable? Is it user friendly? Is it profitable? Is it data protection compliant? That last one was not necessarily a question that was relevant in building the product. Data protection and legal came in fairly late in the process, when approving the final steps or something like that, and when legal then caused problems, they were overruled by someone. This is something that's not going to work under GDPR anymore.
So the principle of data minimization, for example, which I'm going to speak about in a minute as well, will have to be implemented into the structure of products when they are being designed. In a world of big data, where the interest is to learn as much as possible about a customer and to have as much data as possible, having to abide by the principle of data minimization can be quite a contradiction, because it means that the product may only collect the data that is absolutely necessary to perform the service or to provide the product.
That's going to be a real challenge for many companies: implementing these processes and these structures already at the level of building products and designing services. That's going to be really interesting. The next quote I would like to work with is from Julian Box, CEO of Calligo, who said there's little point putting a ring of steel around data that you shouldn't have, which beautifully points out two aspects.
The first one is that GDPR might require you to put a ring of steel around data, but GDPR also requires you to reflect and think before you actually start collecting data, and before you figure out whether you need to protect such data and in which way. I already talked about the principle of data minimization. If the principle basically states that you're not supposed to collect this data because you don't actually need it, there's no need to worry about how to protect the data. Another aspect in the context of whether you should have data, which we're going to talk about tomorrow in more detail, is the interest in collecting data, or consent. Is the company actually entitled to collect the data and to handle it? If the company's not entitled, there's no need to worry about protecting the data. And consent will be structured and detailed in an absolutely new way in many regards.
So, again, I have to repeat it: it's been like that in Germany for many years. Requirements for obtaining consent have been very strict in Germany, and this will be harmonized by way of GDPR.
What you actually have to abide by in terms of consent is that consent needs to be given freely, it needs to be given informed, and it needs to be given expressly, which basically makes a lot of the ways that consent has been obtained in the past illegal, because you can no longer work with some kind of consent wording in the privacy policy or in the terms of use and, by having the customer accept your terms of use when he registers, get consent for any kind of data collection. That it needs to be given expressly also has a deep impact on processes, for example on how registration processes or subscription processes are designed, because the consent that is obtained for any collection and handling of data needs to be separated from that. Expressly always requires a separate action to be performed by the user, which is usually executed by a separate check box that needs to be ticked by the user.
Whenever I speak to clients and say, well, you're going to need a separate check box, they're going to say, well, that's going to kill my conversion rate, I'm not going to do that. I'm not sure all these statistics that clients present to me are true, but some of them say that every check box in a subscription or registration or purchase process decreases conversion by about 30%. I'm not really sure that's accurate, but that's the fear companies are working with. And the more declarations need to be given expressly, the more check boxes need to be implemented. Collection and handling of data will be another one.
The fact that consent needs to be given informed means that the consumer needs to be provided with detailed information about which data are collected, how they are used and for which purposes, and if they are supposed to be transferred to any third party, such third party needs to be named expressly at the time the consent is obtained. So you can imagine that a checkbox with a very lengthy text next to it, in a registration process or purchase process that is supposed to be fairly easy and happen very quickly, can be quite a burden.
The fact that GDPR sets out these detailed requirements makes it very difficult to combine these two interests of complying with GDPR and of having an easy, good-looking process on the platform. And why you should actually comply is obvious. Everyone's heard about the fines that GDPR will bring. That's, even by German benchmarks, an absolute revolution: 20 million or 4% of worldwide turnover, whichever is higher, of course. So this will bring a whole new relevance to data protection regulation and also to enforcement activities.
Whereas in the past authorities may have existed and may have asked questions, they often did not have the proper resources to take actual enforcement action. But come these fines, they will have proper financial means to actually generate resources to take enforcement action. And the whole thing about GDPR and what it brings, brings a whole different awareness to the whole topic. So it's going to be very interesting to see how authorities are actually going to start their enforcement action. There are many theories, obviously, about how they're going to start.
There are many questions: are they going to go for the big ones to set a strong example? Are they going to take Google or Facebook or whoever, in case they find any non-compliance? Or are they going for the small ones because it's easier, and because it lets them warm up and get familiar with processes? It's really hard to say. I would imagine it's probably a mixture.
Those authorities that have been active in the past, like the Germans, will probably continue what they've been doing, which is a mixture of going after the big ones and also going after the small ones once they become aware of any non-compliance. In any case, moving away from all this negativity with the fines:
I think GDPR also brings a lot of potential to be used as kind of a marketing tool, so to speak, because non-compliance, although it will no longer be an option, will definitely be a huge burden when talking about winning consumers and consumer trust. On the other hand, compliance with GDPR is a very useful tool that can be communicated very proactively to generate user trust and to present yourself as a company that's on top of data protection, which is more and more becoming a very sensitive topic.
So this was my attempt at touching on GDPR from a legal perspective in under 20 minutes, in order to leave room for some questions. We're going to talk about that in greater detail tomorrow. So we now have a couple more minutes to take questions, if you like. No questions? You're really ready for happy hour.
The question is on implicit and explicit consent. So, I mean, for implicit, where you have to provide the service and data. Yeah. I mean, you don't need the sophisticated consent management to make clear what is your service and what is your data, but once it's done, it's not like the explicit consent, which can change over time. Exactly. So, I mean, part of it is to say clearly what your implicit is, then start to progressively go after the explicit. If you start to get the explicit all over, that would be the thousand checkboxes. Yeah.
So, yeah, that's a very good question, because it makes the difference clear between two questions that are often mixed up: do I actually need consent, or is collection and handling of the data required in order to perform the service or to provide the product?
From a legal perspective, that's not even a question of consent to collection and handling; it may be consent to my terms of use, which say I'm going to perform this, I'm going to provide that, and you're going to have to do this, and you're going to have to pay the fee. But consent is not required as long as collection and handling of data is necessary in order to provide the service or to provide the product. And that's why the terms of use, for example, these 150-page-long documents that no one ever reads, are the perfect place to lay out what the service actually is, what the performance is, what you actually do, because that's how you point out what you need to do with the data in order to provide the product. And as long as anything you do with the data is reflected in these descriptions of the product and the services, consent is not required for this collection and handling of data.
Could you give us some context on when Germany rolled these laws out in the late nineties, as a benchmark for us to compare to 2018? You know, the law goes into effect, and how many organizations were ready? When did the DPOs get established? Like, what was that, you know, sort of uptake in adoption and awareness?
As you can see from my face, I wasn't a lawyer in 1998, so I can't really tell, but the question of having a certain period of time until you actually need to comply will probably have been handled a bit more flexibly back then than it will be now, because everyone has been aware of the date of the 25th of May 2018 for a fair amount of time now, so everyone knew what was supposed to happen. What's usually the case when laws come into effect, regardless of whether they're being discussed publicly to the extent GDPR is or not, is that there's some kind of transition period, so the law comes into effect and you have one year or two in order to adapt. The process with GDPR was a bit different, because it's happening on a European level and it's been discussed very, very broadly in public. So I would assume that there's not going to be too much tolerance on the authorities' side.
As you can see from my face, I was here in 1998, and I can tell you that most of the principles of the GDPR were already actually described in a number of regulations from [inaudible], which has been one of the pioneers in the field. The question is the sanctions. So now we're getting to a point where sanctions are really going to hit, and that's going to make a tremendous change. Great. Thank you very much. Thank you. One other point: the DPAs, the data protection authorities, are coming with some really useful tools for this whole notion of privacy risk assessment and the whole risk thinking behind it. So we may want to check out their websites, because they're really coming in with some practical tools there.
Yeah. Checking out their websites is always helpful anyway, because they publish opinions on how they interpret stuff. So, yeah, definitely a good idea. Great. And our final.