The General Data Protection Regulation (GDPR) came into force in May 2018. Its aim is to protect the personal data and privacy of European citizens. This text has accelerated a process that was already in place, and is now a benchmark around the world.
We were fortunate enough to speak with Maître Alexandra Iteanu on May 3. We reviewed the GDPR and data security, especially for B2B Marketing teams.
- How to apply the GDPR in practice
- What precautions should we take on the B2B Marketing side?
- What are the consequences of the CNIL ruling on Google analytics?
00:00 – Introduction
00:46 – History of the GDPR
02:25 – The risks of non-compliance with the GDPR
03:46 – The main principles of the GDPR
08:49 – Focus on the notion of personal data
15:08 – Data security
16:56 – Right to erasure and right to information
20:30 – CNIL ruling on Google Analytics
25:33 – The future of data protection
Who is Alexandra Iteanu?
A member of the Paris Bar, she is Head of the data and GDPR practice at ITEANU Avocats. She specializes in digital and health data law.
She advises companies on their GDPR compliance (audit, personal data breach, rights management …); but also on defending their rights and drafting their IT contracts.
In 2016, she notably published a dissertation at King’s College University on health data and connected objects (“The Quantified Self within the European Data protection model”).
The GDPR – a real impact since 2018
The General Data Protection Regulation came into force on May 25, 2018. It has become a must-have for companies, on a par with Kaamelott in France, for example (ok, this is French-centred, I must admit it!)
What impact will the GDPR have on businesses?
Data Legal Drive updates the GDPR barometer in partnership with Lefebvre Dalloz and AFJE (the French Association of Company Lawyers) every year, and the 2021 edition taught us the following facts:
- 47% of companies surveyed believe they have a sufficient level vis-à-vis the GDPR. That is, a completeness rate of over 70%.
- The digitization of personal data management is progressing. 31% of DPOs (data protection officers) and lawyers surveyed had digitized their processing registers in 2021, an increase of 120% in 2 years (14% in 2019 and 13% in 2020).
- 65% of structures surveyed have accelerated and strengthened their security by introducing new measures
- 76% of employees are increasingly attentive to the protection of their data within their company; 60% of companies have trained their employees in the GDPR
- 53% have updated their legal notices and privacy policies and ensured satisfactory cookie management and information.
This is progressing, but there’s still work to be done!
The influence of the GDPR on other legislation
Europe is seen as a forerunner on these subjects. Some countries have studied this text either to bring their own laws into line and enable exchanges with the EU, or to draw inspiration from it for their own legislation.
Brazil, for example, adopted the LGPD in mid-2018, which comes close to the GDPR.
Japan fairly quickly brought its laws into line with the GDPR to continue being able to exchange data with Europe.
The CNIL gives us the status of countries around the world considered adequate or not with regard to the GDPR.
History of the GDPR – A quick look back
The 1978 Loi Informatique et Libertés, forerunner of the GDPR
Regulation has existed in France for roughly 40 years, with the 1978 Loi Informatique et Libertés, one of the oldest data protection laws in Europe; this law already contained the main principles later taken up in the GDPR.
But since the 2000s it has become far easier to capture, store and exchange data, which motivated new regulation that takes the possibilities of the Internet into account.
The advantage is a uniformization of rules within the EU, whereas before each state had its own text.
It applies to any company operating on the European market, whether based in Europe or not.
A positive view of the GDPR with Seth Godin
Already in 1999 Seth Godin explained to us in “Permission Marketing” that we had to do away with interruption marketing and move on to permission marketing. Don’t “assault” your interlocutor, but earn their attention and trust step by step, making sure at every stage that we have their consent.
The GDPR has put this philosophy into the texts.
Complying with the GDPR should not be seen as a constraint but as good practice, with a view to providing a better customer experience for your visitors.
What are the consequences of not complying with the GDPR?
Failure to comply with the GDPR can lead to penalties of up to 4% of a company’s worldwide turnover or 20 million euros. In 2021, sanctions amounted to 3.5 million euros, after 138 million euros in 2020.
These sanctions follow a procedure that can be lengthy, quite often initiated by one or more complaints from consumers, associations or companies.
Which companies have been sentenced in the last 3 years for non-compliance with the GDPR?
- Optical Centre: €250,000 for failing to sufficiently secure customer order data.
- RATP: €400,000. Several bus centres had incorporated the number of days agents had been on strike into the evaluation files used to prepare promotion decisions; the CNIL also found excessive data retention periods and data security breaches.
- Monsanto: 400,000 euros for illegally filing over 200 public figures and journalists for lobbying purposes on the renewal of glyphosate.
- Brico Privé: 500,000 euros for retaining data beyond what was indicated in its processing register (customers who had not placed an order for 5 years, or people who had not logged into their account for 5 years), for unprocessed deletion requests, for failing to require a strong password when creating an account for customers or employees, for depositing cookies before the Internet user’s consent, and for sending prospecting messages that had not been consented to.
- AG2R La Mondiale: 1.75 million euros, due to the retention of data (including banking and health data) beyond the limit and a failure to inform those canvassed.
- Facebook Ireland: 60 million euros, for the same reason.
The Interior Ministry has received two reminders of the law, one on surveillance drones and the other on the fingerprint file:
- prohibition on the use of camera-equipped drones to monitor compliance with containment measures
- mismanagement of the fingerprint file
As can be seen, however, the CNIL’s first targets were public services or B2C sites. B2B companies seem less targeted.
What are the CNIL’s priorities for 2022?
The CNIL’s priority for 2021 was third-party cookies, and it has since announced several formal notices:
- FranceTests was called to order after a database of 700,000 Covid test results was found freely accessible on the Internet
- Clearview AI computes a digital fingerprint of a photo in order to find similar photos
In 2022 the themes will be business prospecting, the cloud and telecommuting monitoring. In particular, its action will focus on:
- Limiting unsolicited commercial prospecting (the CPF? 😂), which is a recurring subject of complaints
- Monitoring tracking tools for telecommuting employees
- Deepening, throughout the year, the issues relating to data transfers and the contractual framework between data controllers and the subcontractors providing cloud solutions.
The main principles of the GDPR
The GDPR covers all processing of personal data. The few main principles of the GDPR are as follows:
- clear and fair consent on the processing of personal data;
- right to be forgotten: by deleting the data of people who request it;
- mandatory information in the event of hacking and data breaches;
- purpose limitation: by communicating on data usage and storage time;
- security: by providing special protection for sensitive data.
On the B2B marketing side, many of these obligations can be met thanks to:
- forms that offer consent by purpose,
- and to a communication preference center that will group together all consents, the personal information collected and a number of options
I’ve detailed how to build this in a Marketo Office Hours dedicated to our preference center.
Focus on the notion of personal data
Understanding the notion of personal data is key to applying the GDPR. Personal data is any information that directly or indirectly identifies a person: for example, a licence plate, or an IP address used for marketing.
This is where we realize that the definition of personal data is contextual. For example, an IP address collected from an online shoe retailer will quickly identify a person who has just entered the site from home.
On the other hand, on the B2B side, the IP address will often be the address of a company behind which we may have thousands of people.
Cross-referencing non-personal data can result in personal data. For example, an IP and a path on a website.
Principle of “Data Minimization”
The GDPR states that we can only collect data that we intend to use.
So we must be careful to collect only the data we will actually use. Among the data we often ask for:
- the postal address may be useful at the end of the process if we want sales to meet the customer, or in case of delivery, but certainly not before.
- country is often necessary to filter out interesting leads
- date of birth should only be collected if you want to send a gift to the person (or if it’s used in an authentication process)
- visitor hobbies should not be asked for, unless you want to offer golf courses to your customers 😉
The processing register
This mandatory document will define:
- the different purposes of processing
- the different categories of data
- the data retention period
The DPO must keep it up to date. The CNIL provides a sample register, which can initially be an Excel file: first the contact persons and the list of processing operations, then one sheet per processing operation.
Data security
This is defined in Article 32 of the GDPR. On a case-by-case basis, the data controller must implement security measures appropriate to the potential risks of the processing.
In the event of a hack or data breach, this must be notified to the CNIL within 72 hours, as well as to the individuals concerned.
There are several points to implement in Marketo on the security side:
1/ In Admin, set your security settings to “High Security”.
2/ Limit the number of people with the “Admin” role (normally no more than two)
3/ Train your teams to limit basic extracts and, above all, not to transfer files by e-mail.
4/ Separate API access to Marketo via distinct LaunchPoint services, one per integration.
Right to erasure and right to information
We focus on these two rights, which are not easy to implement. They are defined in Articles 15 and 16 of the GDPR.
Data retention period
The GDPR tells us that we should only keep data for as long as is necessary to achieve our purpose. But it does not give a defined duration.
The durations will be defined in the processing register above.
The CNIL gives recommendations in the event of inactivity: 3 years for prospect data, and the same for customer data after the end of the commercial relationship.
Data retention and Marketo Engage
How did we do it at Merlin/Leonard?
1/ We defined a “Last activity date” field and a “Last activity type” field for each person in the database.
2/ Each time a known visitor comes to us and has an engaging action*, we update the two fields above.
*such as clicking on an email, or filling in a form.
3/ We can then regularly check which people have a last activity date that is empty or older than two years, and submit them for deletion.
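The three steps above, written out as an added example (not Merlin/Leonard's Marketo configuration, nor Marketo's own API): a contact record carrying the two fields, an update that only fires for engaging actions, and a sweep that flags anyone whose last activity date is empty or strictly older than two years. The contact structure, the set of "engaging" action names and the sample contacts are all constructed assumptions.

```python
"""Data retention sweep on "Last activity date" / "Last activity type".

Added example; Contact, ENGAGING_ACTIVITIES and the sample data are
constructed stand-ins, not Marketo objects.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Step 2 footnote: only these actions count as "engaging" (assumption).
ENGAGING_ACTIVITIES = {"email_click", "form_fill"}


@dataclass
class Contact:
    email: str
    last_activity_date: Optional[date] = None   # step 1: the two fields
    last_activity_type: Optional[str] = None


def record_activity(contact: Contact, activity_type: str, when: date) -> bool:
    """Step 2: update both fields, but only for engaging actions and only
    if the event is newer than what we already hold (events may arrive
    out of order).  Returns True when the action counted as engagement."""
    if activity_type not in ENGAGING_ACTIVITIES:
        return False
    if contact.last_activity_date is None or when > contact.last_activity_date:
        contact.last_activity_date = when
        contact.last_activity_type = activity_type
    return True


def years_before(day: date, years: int) -> date:
    """Same calendar day N years earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def deletion_candidates(contacts: List[Contact], today: date,
                        inactivity_years: int = 2) -> List[Contact]:
    """Step 3: empty last activity date, or strictly older than the cutoff.
    A contact whose last activity is exactly on the cutoff day is kept."""
    cutoff = years_before(today, inactivity_years)
    return [c for c in contacts
            if c.last_activity_date is None or c.last_activity_date < cutoff]


def build_sample_contacts() -> List[Contact]:
    """Constructed sample database."""
    return [
        Contact("recent@example.org", date(2022, 4, 1), "email_click"),
        Contact("never@example.org"),                       # no engagement recorded
        Contact("old@example.org", date(2019, 12, 31), "form_fill"),
        Contact("boundary@example.org", date(2020, 5, 3), "form_fill"),
    ]


if __name__ == "__main__":
    today = date(2022, 5, 3)
    for c in deletion_candidates(build_sample_contacts(), today):
        print("submit for deletion:", c.email, c.last_activity_date)
```

The sweep is deliberately a pure function that returns candidates rather than deleting anything: the actual deletion is the step you want a human or a separate, audited campaign to own, and keeping the selection separate makes it easy to run as a dry run against the full database first.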
Right to erasure or the right to be forgotten
Anyone can request that their data be deleted from all your systems. This can quite quickly become a complicated cross-functional IT project!
You need to respond to this request within one month, or risk incurring penalties.
How did we do it at Merlin/Leonard?
1/ We have defined a field on the preference center which – if set to “No” – means that the visitor wishes to exercise their right to be forgotten.
2/ When the person submits the form, we receive a notification indicating the request.
3/ We can then check that the person is not an active customer. If so, we activate a Marketo campaign that will delete the person’s data from Marketo and Salesforce.
Right to information
Before any processing, we are supposed to bring to the attention of visitors a certain amount of information listed in Article 13 of the GDPR. We have listed this information on two pages at Merlin/Leonard.
They are available at the site entrance in our cookies banner and at any time in the site footer.
Right of access
Here again, anyone can request all the information we hold on them, and we have one month to comply. As with the right to be forgotten, the way to request is not defined and is up to the company.
1/ We have defined a field on the preference center which – if checked – means that the visitor wishes to exercise their right of access.
2/ When the person submits the form, we receive a notification indicating the request.
3/ We can then activate a Marketo campaign which will send all the person’s data contained in Marketo and Salesforce by email.
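The erasure flow and the access flow above share the same shape (a preference-center flag, a notification, then an action across Marketo and Salesforce), so here is one added example covering both. It is not Merlin/Leonard's campaign logic or either vendor's API: the two systems are constructed in-memory dicts keyed by e-mail, the request fields are assumptions, and the "active customer" check that blocks automatic erasure is modelled as a flag on the Salesforce record. The one-month statutory deadline is computed as a calendar month, clamped to month end.

```python
"""Right-to-erasure and right-of-access request handling.

Added example; `marketo` and `salesforce` are constructed dicts standing in
for the real systems, and SubjectRequest models the preference-center form.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class SubjectRequest:
    email: str
    received: date
    wants_erasure: bool = False   # preference-center field for the right to be forgotten
    wants_access: bool = False    # preference-center checkbox for the right of access


def build_sample_systems() -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Fresh constructed copies of the two stores, keyed by e-mail."""
    marketo = {
        "ana@example.org": {"first_name": "Ana", "last_activity_type": "form_fill"},
        "bob@example.org": {"first_name": "Bob", "last_activity_type": "email_click"},
    }
    salesforce = {
        "ana@example.org": {"account": "Example SAS", "active_customer": False},
        "bob@example.org": {"account": "Bob Ltd", "active_customer": True},
    }
    return marketo, salesforce


def one_month_after(day: date) -> date:
    """Response deadline: one calendar month later, clamped to month end
    (a request received on 31 January is due on 28/29 February)."""
    year, month = (day.year, day.month + 1) if day.month < 12 else (day.year + 1, 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def is_active_customer(email: str, salesforce: Dict[str, dict]) -> bool:
    return salesforce.get(email, {}).get("active_customer", False)


def erase(email: str, marketo: Dict[str, dict],
          salesforce: Dict[str, dict]) -> Tuple[str, List[str]]:
    """Erasure step 3: active customers are held for human review instead of
    being deleted automatically; everyone else is removed from both systems."""
    if is_active_customer(email, salesforce):
        return "held_for_review", []
    removed = [name for name, store in (("marketo", marketo), ("salesforce", salesforce))
               if store.pop(email, None) is not None]
    return ("deleted" if removed else "not_found"), removed


def export(email: str, marketo: Dict[str, dict],
           salesforce: Dict[str, dict]) -> Dict[str, dict]:
    """Access step 3: gather everything held on the person, per system."""
    return {name: dict(store[email])
            for name, store in (("marketo", marketo), ("salesforce", salesforce))
            if email in store}


def process(req: SubjectRequest, marketo: Dict[str, dict],
            salesforce: Dict[str, dict]) -> dict:
    """Step 2's notification payload, plus the outcome of each requested right.
    Access is served before erasure so a combined request still gets its copy."""
    outcome = {"email": req.email,
               "respond_by": one_month_after(req.received).isoformat()}
    if req.wants_access:
        outcome["access"] = export(req.email, marketo, salesforce)
    if req.wants_erasure:
        status, removed = erase(req.email, marketo, salesforce)
        outcome["erasure"] = status
        outcome["removed_from"] = removed
    return outcome


if __name__ == "__main__":
    m, s = build_sample_systems()
    req = SubjectRequest("ana@example.org", date(2022, 1, 31),
                         wants_erasure=True, wants_access=True)
    print(process(req, m, s))
```

Two design points worth keeping when you move this onto real systems: the deadline is recorded at intake (so the notification itself carries the due date), and the "active customer" guard returns a distinct status rather than silently doing nothing, so a held request is visible in reporting instead of being lost.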
What about cookies?
The GDPR distinguishes between cookies necessary for site operation, analytics cookies and marketing cookies (non-exhaustive list). It requires specific consent to be obtained for analytics or marketing cookies.
We can neither have general consent, nor assume that browsing the site constitutes consent to cookies.
The CNIL recommends deleting cookies after 13 months.
For example, if you have Marketo:
- Marketo forms are scripts placed on web pages and can be considered essential elements for site operation.
- The Marketo cookie used to identify visitors via their IP and trace their digital journey is considered a marketing cookie.
How did we do it at Merlin/Leonard?
1/ We use a WordPress plug-in called “Complianz” to help us comply with the GDPR; it lists all the cookies on your site and groups them into Functional / Statistics / Marketing.
2/ It allows you to create a banner that appears on the first visit. It allows visitors to easily choose to accept, refuse or select the categories of cookies they want. It also provides the visitor with documents informing him or her, among other things, about processing, data collected and retention periods.
3/ It enables us to trace visits and prove the choices made by each visitor.
The difficulty arises when visitors switch from one solution to another (their website and video hub, for example). This is because cookie management is not shared between the different platforms. Each one often manages cookies natively, with varying degrees of success.
This is one of the reasons why we decided to redesign the website and migrate all the tools used on the site.
What about deleting third-party cookies in Chrome?
In January 2020, Google announced the end of third-party cookies in its market-leading Chrome browser by 2023. The company is working on a replacement, the “Federated Learning of Cohorts” (FLoC) method, as part of its “Privacy Sandbox” program.
This involves offering advertisers audience segments established by Chrome, via algorithms, based on the browsing habits of Internet users.
The European Commission has opened an investigation into this new process.
CNIL ruling on Google Analytics
The invalidation of the Privacy Shield in 2021
Until July 16, 2020, data exchanges between Europe and the United States were covered by the “Privacy Shield”, the text that made these exchanges legal. The European Court of Justice invalidated this agreement, making data exchanges between the two blocs de facto illegal.
The Court considered that citizens were not sufficiently protected under current U.S. surveillance laws.
In practical terms, this means that using a solution from an American software publisher presents a risk. Especially as it is often impossible to negotiate contracts with these giants.
Of course, the United States and Europe are working to recreate a legal framework that will enable data exchanges once again. But for the time being, negotiations have been unsuccessful.
On March 25, 2022, the European Data Protection Board (EDPB) published a declaration by European and US officials welcoming an agreement in principle between Europe and the USA. There is no legal text for the moment, but hopes for a successful negotiation in the coming months.
Google Analytics now banned
Against this backdrop, the French CNIL and its Austrian counterpart have de facto banned Google Analytics. This followed 101 complaints lodged in 27 member states by the noyb association.
After investigation, the CNIL found that Internet users’ data was thus being transferred to the United States in violation of Articles 44 et seq. of the GDPR. It has given the company one month to comply.
Google has in fact responded by proposing to abandon Google Universal Analytics and migrate to Google Analytics 4, which offers IP address anonymization by default.
Who is Iteanu?
A law firm dedicated to new technologies and information law. Our law firm is the most cited in Legalis, the leading public database of case law in French law.
IT and digital, Internet and electronic communications. For over 25 years, we have been providing our clients with day-to-day advice (assistance in negotiating and drafting contracts, consultations, etc.), and defending their interests in litigation in the information and communication technology (ICT) sector. We work for professionals in their relations with other professionals and in their relations with consumers.
We thus have solid knowledge and a recognized, sharp practice, which ITEANU AVOCATS puts at your service in the digital transformation.