We catch up with digital law specialist Heather Burns, author of our recently published GDPR Strategy Guide, to get to the bottom of GDPR and how you need to prepare.
Tell us a little about yourself and what you do
I help digital agencies and professionals understand the laws and regulations that impact their work on a practical code level, whether that’s accessibility, e-commerce, data protection, or anything in-between. While that role used to be fairly straightforward, it’s become tied in with shifting political developments such as Brexit and the Trump presidency, which have caused not a few existential threats to our craft itself. Right now it feels as if we’re trying to play Tetris with a board that’s moving, but it’s a privilege to help digital workers make sense of it all.
From a website design point of view, what are the key considerations for designers & developers agency side, and marketing heads client side?
If I had to pick out just one point of GDPR to emphasise, it would be the requirement for privacy by design (PbD). This means that all your processes, services, and applications must be designed with optimal privacy and data protection built in from the start, not bolted on as an afterthought or made contingent on the user activating a series of options (assuming they had any at all). A lot of the questionable and lazy privacy practices we’ve just shrugged and learned to live with need to go under GDPR – and not before time.
Your PbD obligations are both internal and external. Internal obligations include conducting data protection impact assessments (DPIAs), ensuring technical safeguards, and making staff aware of their legal obligations; external obligations include publishing privacy notices, engaging in data minimisation and deletion, and providing users with granular privacy options.
Are there any WordPress plugins out there that will help people deal with the implications of the GDPR?
Absolutely not, and anyone who tells you so probably has a bridge in Brooklyn to sell you too. There are no plugins, software, or “solutions” that will do the work for you. Data protection and privacy are about business processes, planning, and documentation. There are no tickboxes or shortcuts out of it.
Are the service providers (WordPress, Hubspot, Salesforce, MailChimp, Gravity Forms…) doing anything to help their customers become GDPR compliant?
If the product, service, or third party provider you use collects or processes data, it is important to check with them to see how their GDPR compliance is coming along, whether that’s a small plugin or a critical SaaS. While most European-based services are in compliance with existing data protection law and are well on their way to GDPR, many non-European services – particularly in America – are not taking data protection and privacy seriously at all. If a service you use either cannot or will not get into compliance with good data protection practice in a way that will allow you, in turn, to be compliant, you need to find another service provider.
Within a company, who should be responsible for devising & implementing the firm’s GDPR strategy?
GDPR makes data protection everyone’s job. Everyone in the organisation, from the reception to the Board, needs to understand what data protection is, how it works, and how you need to structure your operations to have a healthy regard for privacy. Leadership should come from the highest levels of management with all senior team members involved in some way.
Additionally, if your company engages in certain kinds of data processing, you will be required to appoint a person known as a Data Protection Officer (DPO) who will bear legal and professional responsibility for your data protection compliance. This can be an add-on to an existing role. Most of the agencies I work with tend to have someone doing the job informally already.
How will GDPR affect strategies across different marketing channels?
It is important for digital marketing professionals to pay close attention to the revamp of the ePrivacy Directive, a separate piece of European legislation dealing with cookies, metadata, consent for marketing, and the like. That law was meant to become enforceable on 25 May 2018 – the same date as GDPR – but it is still in the draft phase this late in the game.
Regardless of how or when it is finalised, ePrivacy forms a sort of double helix with GDPR. The rules on privacy by design, consent, documentation, and so on will reference GDPR, and you must build on them as you refresh your marketing processes to the new Directive.
The GDPR is a European regulation, but it won’t just affect European companies will it? Could you expand on its global impact?
European data protection and privacy laws apply to the people within Europe about whom data is collected, regardless of where the service is provided from. In other words, if you collect and process personal data about European customers, you must comply with EU data protection and privacy standards for those individuals, even if you yourself are not located within Europe. This tends to come as a shock to many, particularly to Americans, who have almost no domestic data protection or privacy laws at all, much less an understanding of their international privacy obligations. Whereas to us, the choice is simple: if you’re not going to protect your European customers, don’t do business in Europe. Ask Equifax!
Will Brexit have an impact on the implementation of the GDPR?
The UK government has already confirmed that we will go into GDPR regardless of Brexit. The question is what comes after that. Parliament has introduced a draft Data Protection Bill which will form the bridge between the European data protection system and any post-EU regime we may devise. It’s what the Bill will ultimately look like which worries me. We don’t want to see a post-Brexit UK stripping away our privacy safeguards in favour of an American-style “anything goes” system, perhaps to coddle up to American investment. It will be important for digital professionals to make their voices heard throughout the process.
For more information, download our GDPR Strategy Guide.
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional website designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.