What is GDPR with Doc Sheldon (Podcast)

C: So, welcome to today’s podcast where I’m joined by the infamous, or the famous, Doc Sheldon. Doc, thank you very much for coming onto the podcast.

D: I think you’re probably closer with the infamous, Craig.

C: Yeah.

D: Yeah, thank you for having me, I’m looking forward to it.

About Doc Sheldon

C: It’s a privilege to have a man of your experience, and a man I’ve watched a lot over the years and learned from. Not just yourself obviously, your fellow colleagues; Bill and Ammon, and various other people out there. So for me it’s always good to have guys like you on, after learning and watching a lot of stuff over the years. I don’t think I’ll ever probably have someone that I’ve watched that much, from your crowd. Unless I can get Bill on whatever, I don’t think I’ll have the same feeling towards anyone else. It’s weird, having watched a lot of stuff on you guys, to then finally talk to you in a podcast.

D: You need to be more selective in who you watch, Craig.

C: Yeah. I know, I know. You taught me a lot of bad stuff, that’s how I’ve got a bad reputation, is listening to you too much. For anyone who doesn’t know who you are, Doc, can you tell the audience a bit about yourself and what you’ve done over the last 20 years?

D: Oh, well I worked for about 20 years as a business consultant in the offline world, and decided to retire early, and about the same time I decided to retire Wall Street went tits up and left me without any financial reserves. So I decided to go back to work, but I didn’t want to be on the road for six months of the year anymore, so I decided to start working online, and because I had some background in marketing and publishing I decided that SEO copywriting might be a good way to go. I started with that, and I got so interested in SEO that I started studying it and pretty soon that was the tail wagging the dog, and I started paying more attention to the SEO portion.

D: The last 17 years this is what I’ve been doing, and I still have the content agency, but my partner basically runs that, and I’ve been focusing on SEO, and I’ve tightened my focus over the last few years to the technical aspects, rather than working on organic optimization or paid, which I detest, I focus on the technical. Getting the site to be fast, to be efficient, to be crawlable, indexable, and over the last year and a half I’ve started focusing heavily on GDPR, because I find such a dearth of awareness. Many companies don’t even seem to know it exists, and those who have heard of it, most of them think it doesn’t apply to them, and the vast majority of them are wrong. So I focus now heavily on the technical aspects of GDPR, doing compliance audits, and helping companies get into compliance with the GDPR, the General Data Protection Regulation out of the EU. That’s what I’ve been working on almost exclusively for the last year now.

What is GDPR?

C: A year of GDPR. You obviously mention that the vast majority of people are ignorant or totally unaware of what GDPR is, and obviously feel that it’s not relevant to them, and we had a brief chat prior to coming on here. When GDPR was rolled out there was no government initiative or … I’m not blaming the government, I don’t know whose responsibility it would be to make a bigger awareness. It kind of almost dropped on our laps, you just heard people talking about GDPR, you have to be GDPR compliant and stuff like that.

C: So I think that obviously is a big factor in it, there was no real buildup to it. We all know that Brexit’s happening and stuff like that, and there’s been talks floating about for years, and it’s all over the press. But with GDPR, it was basically landed on your lap. That is obviously never going to be helpful, but I’m assuming then you’ve got problems in educating people as to why they should be taking it seriously.

D: Yeah, often. I don’t do a lot of outreach for this, I get most of my work via referrals, and a lot of the times the client company is already of an opinion that GDPR doesn’t apply to them. I’m doing a client right now whose business is almost entirely US based companies, so what they did is they simply blocked all European IP addresses, which is a shame because an awful lot of international, they’re a B2B and most international companies will have a presence in the EU and the US.

D: So they’ve lost that visibility, and it seems a shame. So trying to convince them that “Yes it can apply to you and here’s how, here are the possible repercussions if you don’t comply” is sometimes an uphill battle. People resist it, especially the US.

D: We Americans are a bit bullish about not being told what to do by anybody, much less somebody outside of our own borders, and being told that the European Union can arbitrarily tell us what we can do with our business in the US, that rankles, that really pisses some people off. My attitude on GDPR is it’s basically common decency and common sense.

D: The main premise of GDPR is that someone’s personal data belongs to them in perpetuity. The fact that you’ve gathered their name and social security number, for instance, does not suddenly make that your data. It is always theirs. That’s just common sense and common decency, and then protecting that data, giving them some avenue or recourse to change it, or have it deleted, or not have it processed in a way that they don’t want, that’s just common sense too. So, that’s what GDPR is supposed to do. So if you look at it from that standpoint, it shouldn’t bother you quite as much.

The Cost of Implementing GDPR

D: The other thing that I run into is when I show the GDPR to somebody who is unfamiliar with it, their reaction is much like my first reaction was, “Good lord look at this. This is going to cost me millions.” If they’re a large corporation, they’re talking about taking on at least one, perhaps several more full-time employees, which is a cost. They’re talking about a lot of disruption of their internal operations to implement new policies and procedures, and train staff and all this.

D: So for a large international corporation, it can be a major hit to their bottom line. But the vast majority of companies aren’t faced with that. For a blogger, for instance, even if you’re just blogging and providing free information to your readers, you’re still potentially liable to comply, because the regulation specifically says it doesn’t matter if any money changes hands. If you’re gathering data, you’re gathering data. If you’re processing it, if you’re passing it outside of the EU, these are all things that make you susceptible to certain aspects of the regulation.

D: So, it’s not that much of a stretch to just think, “Okay, I’ve gathered someone’s information, they have a right to expect me to treat it a certain way.” Because every single year, every month we have hundreds of thousands, if not millions of users who have their data exposed because of breaches, or hacks, or just poor security and that often falls into the hands of folks that like to sell lists, that like to use phony accounts, that like to make fraudulent charges against banks for credit cards.

D: So, the risk is tremendous. There are literally hundreds of billions of dollars lost every single year because of breaches. Hundreds of billions of dollars out of users’ pockets and much of it is unrecoverable.

The fines for not complying with GDPR

D: The other thing that happens, an awful lot of users have credit cards, for instance, that protect them against that sort of thing. So the bank loses the money instead, which means that for all of us the cost of using those banks will go up. The impact is widespread, so we need to protect their data, and GDPR is simply motivating.

D: They have massive potential fines under GDPR, up to 20 million euros, or 4% of your annual turnover, whichever is greater. But it’s not meant to be punitive, it’s meant to be motivation. They scale those fines depending on the seriousness of the infraction. So they’re not trying to put people out of business, it is intended to be able to be an incentive to comply, and it should be.

C: Obviously, you’ve got to hit people in the pocket sometimes to teach them a lesson, and that obviously would scare people, the thought of someone taking that 4% or 20 million from your company, that’s going to give people a wake-up call.

C: You mentioned earlier that there are guys out there that think that they don’t comply with GDPR and stuff like that, and probably won’t ever comply with it. I’m not sure how widespread this misconception may be, but the rumour in the UK, or the circles that I speak to, feel that GDPR will only apply to big companies like Amazon and bigger companies. Is it actually the case that smaller companies are also being put through the legal process and being fined?

So Small Companies Get Fines for GDPR

D: There are some considerably smaller companies that have been fined. Usually what happens, in the cases that I have seen at least, what happens is something comes to their attention, they decide to do an audit of the company to see what caused this breach, did the company comply with the requirements for notification and whatnot, and depending upon what they find they may assess a fine.

D: What I have seen in almost every single case is an assessment of the good faith effort to comply, and if they felt like the company was making a good faith effort but fell somewhat shy in particular regard, they’re usually much more lenient. If they find blatant disregard and basically, “To hell with it, I’m not going to do this” attitude, I think you can expect the maximum.

D: There have been some small companies, I saw a company not too long ago who probably had a … I didn’t see the exact number, but I would guesstimate looking at the business they were probably well under $1 million annual turnover. They got fined 1500 euros because they had gone through some major effort, they had really made an honest effort to comply, but they had a breach because of a security flaw that was found and exploited on their servers, and they did notify.

D: So, they made every honest effort to comply, but they fell slightly shy, and it was basically a slap on the wrist. So 1500 euros is not that big a deal, but it was a wake-up call to them. But again, they had really tried, and not over the last three weeks, they had been working on it since 2017.

D: So that to me was a very almost lenient, at the very least a very fair fine. I think they probably, the commission probably felt it was incumbent on them to do something to slap them on the wrist, and it was a token amount. So you’ve probably heard about Facebook and Google, who of course are huge targets, both of whom have taken a very antagonistic attitude towards European regulations, so I think they made an example of them. They had not made what was deemed to be a very honest effort to comply. They basically thumbed their nose at the commission, one of those “Screw You.” “No, screw you.”

C: So yeah, I think Facebooks and stuff, companies of that size think they are above the world, and it’s good to sometimes rein that in, because as you say, people’s data is theirs, and because somebody signed up for a newsletter doesn’t mean you’ve got the right to abuse and abuse people’s data and sell it on, and whatever else goes on in this world. I think it’s obviously too early to say because people are not doing GDPR, I think it’ll take 10 years or so, or five or ten years to be able to see the impact of GDPR in obviously slowing down the amount of spam we all get and stuff like that. It’s way too early to say whether that’s going to be the right … or whether they need to adapt their approach.

C: But in terms of companies looking to implement this stuff, where do you start? Where’s a good place to learn more about GDPR? Other than hiring a guy like you who’s taken the time to research it all, where do people look to, to find out what they should do?

Where to learn more about GDPR?

D: Well, my first suggestion would be to be very, very careful. There’s an awful lot of information available on the internet, people who are setting themselves up as experts or consultants or whatnot, and I see an awful lot, much like is the case in SEO, who are putting out incorrect information, and of course there are some, again like SEO, that are simply trying to take advantage of an opportunity to dip into someone else’s pocket.

D: So you need to be very, very careful. There are a couple of Facebook groups, for anybody who has a presence on Facebook, if you do a search on Facebook for GDPR, there’s a couple of very large groups there.

D: I came across some very knowledgeable people, quickly when you’re involved with conversations like this, you see the people who are very opinionated and very bullish on their attitudes, and then the other people who are much more open-minded and say, “Well, we’re not really sure, but we suspect this, and this could be that.”

D: I find that a more reasonable approach because there’s a lot of grey area, there’s a lot of the regulation that can be open to interpretation. So, if you find those groups, and you spend a little time in there, reading these threads, I think you’ll quickly spot a few people. I found an attorney over there, I’ll even name her.

GDPR Attorney

D: Her name is Ann P. Mitchell, very knowledgeable, very professional, and I have referred her many times to people that needed a legal opinion. Typically, a large corporation, an Amazon or Facebook, would need legal staff to help them interpret and implement. A blogger or a small business would not necessarily need to have a lawyer look at it, but there are questions.

D: If something is a little iffy, I have a disclaimer on my site and on my quotations that I am not an attorney, these are my good faith attitude interpretations, but if you need a specific legal finding you should go to an attorney, I can recommend one if you like. And it’s very touchy, again you’ve got to be careful because there is a lot of misinformation out there.

Other good GDPR Resources

D: So, that is one good resource. Another good resource that has not yet been made public: supposedly the ICO, which is the UK version, the commission, is going to be publishing a list of certified GDPR consultants. I have not been able to see yet the criteria for certification, but it is a certification of compliance by the commission, so I would hope that it would be fairly reliable. These are people who are working within the realm of the regulation and giving good guidance.

D: So I will be sharing that as soon as it does happen, I’ve heard a rumor that it’s going to be happening before the end of the year, I hope that’s true. That would be another resource when it happens. The other thing is just like with any sort of service, I think that referrals, recommendations from other clients.

D: Most companies that I have seen, they’re not trying to do it in house. To get out there and learn it, and then take all the steps to comply is a massive effort when you’re starting from ground zero. So most companies are not doing that. Their implementation might be in house, but they’re bringing in outside consultants.

D: So if you find a company that is, especially if it’s a business that is sized similarly to your own, who has obviously made the effort to comply, and it’s not just downloading some WordPress plugin that calls itself GDPR compliance or something, if they’ve done more than that, you might reach out to them and ask them, “Hey, did you work with somebody outside of your organization? We’re looking to do this, and you seem to have gotten your ducks in a row. Is there somebody you would recommend?” That can be helpful too.

C: I think you have to look at other people and see what they’re doing as well, and take inspiration from that, because they could have spent X amount of money getting those ducks in a row, so it’s a good suggestion, that one.

C: Is there any places where people can learn? Because it’s such a new subject, I think it’s like being new to SEO again, you just don’t know who the hell to believe, because there are guys out there portraying themselves to be experts, and then you look between the lines and you can spot them a mile away, just chatting absolute garbage, and as you say, looking to dip into people’s pockets. It’s insane, but we’re always going to be faced with that now because of the way the world is.

D: I don’t know of any good resource at this point, Craig. You know, that’s an interesting idea. I might try to get with some people and try to put together some sort of a list. I do GDPR compliance audits for my clients and help them get compliant, but I by no means consider myself an expert. I have maybe a year and a half of involvement with it.

D: I’ve done an awful lot of research, spent a lot of time working on it, but still, just like anything, there’s a lot left to learn, and I think a lot of that learning is going to be on the process side from the commission standpoint. It really was a very valiant effort to put together an extensive regulation in a relatively short period of time, they covered the bases pretty well.

D: But since the regulation covers basically every conceivable scenario, there are a lot of areas where it is difficult for some businesses to determine, “Does this apply to me or not?” There’s some gray in interpretation, and I think a lot of that interpretation is going to come out as cases arise and we see how the commission responds to them, and we’ll start seeing some clarification come.

D: The one thing that I have seen that I have been rather dismayed with, normally when something’s this complex you would hope that there would be a contact point where someone could send a specific question to someone in power, someone at the commission, and say, “Okay, if this is the way we’re doing this, are we good? Are we in compliance?” And you can request an audit, but I suppose you could go to the tax board and request an audit too, but does anybody really want to open that Pandora’s box if they’re not sure?

D: Plus the fact that you’ve got to understand, there’s an awful lot of noncompliant entities out there that the commission is trying to look at and handle. They have all these different supervisory authorities scattered around the different member states of the union, and that was brilliant the way that they did that. They managed to diffuse that effort somewhat, but how many of those member states are going to have a massive staff to handle this? There are budget constraints laid upon them as well.

D: So, trying to make people available to do even voluntary audits is going to be a bit of a stretch, depending on where you’re located. So, no, there is no place. I wish that there was something I could recommend. Like I say, I do these audits, and I do not consider myself an expert.

D: I don’t know of any other non-lawyer that is working in this area that I would consider being very proficient, reliable. I do know some people that are looking at it, and I think they’re trying to decide is this something that they want to really delve into? To the best of my knowledge, none of them have yet.

Education in GDPR

D: Why I decided to, I have no idea. Just a glutton for punishment I suppose. It’s fascinating to me, it’s an educational process, but like I say, I’m learning every day. So I’m not an expert and I can’t say, “Here are experts.” I do have that one attorney that I feel qualifies, but she’s a practising attorney and this is an area of her practice. She is not going to be able to come in and do what a company needs in terms of auditing and determining compliance needs, and plus the fact who wants to pay a lawyer’s hourly rate to see if something complies, or to see if they need to worry about it? It could be financially prohibitive.

D: So watch this space. I will try to find better resources. That wasn’t a question I even came prepared for. So, I don’t know of any off the top of my head, but I will start looking because that’s a very valid concern. Maybe I’ll get together with some people and try to put together a list of some resources.

C: It’d be perfect if you could. On to something else that obviously I would like to ask, because I’m not a GDPR expert, I wouldn’t even come close to even saying I know much about it. But I know there are guys in the UK, who obviously are not into politics in a big way either, but Brexit’s coming up and some people think, “Ah, to hell with it, Brexit’s coming up, we won’t have to bother with this. We’re leaving the EU.” And hedge their bets on that way of thinking. What would you suggest to someone who’s got that train of thought?

What happens to GDPR after Brexit?

D: Well, supposedly the ICO, which is the commission in the UK, they have said that their intent is to adopt a regulation that will basically be a carbon copy of GDPR upon Brexit. So if a company in the UK is working towards GDPR compliance, they should not face any necessity to rework things. The efforts of their undertaking now should be perfectly valid if the ICO decides to follow through on what they’ve stated.

D: The impact of Brexit is, I think a lot of us don’t really know yet how deep the impact’s going to be. Obviously the trade aspect’s going to be a heavy one, but in terms of processing, the big thing that I see coming about is, if you are in the UK after Brexit, you will now be outside the EU.

D: So if you’re gathering information of EU residents and transferring that to your own company in, say Birmingham, you are now moving personal data outside of the union, therefore you become not only a controller, but a processor.

D: That’s going to be a major impact, and it won’t be a major impact, I mean that’s going to be the big change, but it won’t really impact companies that much, because if they’re complying as a controller, and they’re doing their own processing at their own facilities in the UK, their compliance efforts will be just as valid as a processor, they simply have to dot a few more Is, cross a few more Ts to fill in all the blanks.

D: They will have a dual role; they’ll be both controller and processor. If they’re using a UK based processor external of their one organization, the same will be true. They’ll simply be required to ensure that that processor is complying with the aspects that are required because data is being moved outside of the EU.

D: Basically, you have to have an agreement with certain clauses present between yourself and your processors, and those same clauses would apply if it was an in house processing operation. But it’s more of a contractual thing, a formal agreement if it’s an outside processor, even if they’re right across the street from you in Birmingham. So, the impact will not be tremendous, but that will be a change in their status, they will now also be a processor. Beyond that, I wouldn’t expect much impact.

C: So, just to clarify for anyone who doesn’t understand the difference between the processor and the controller, what would you say in short is the difference? For someone who’s in the UK, who’s now going to also be a processor, is that going to mean that you’re going to have to do more GDPR compliance, am I correct in saying that?

D: By suddenly taking on the additional role of processor, no. There will not be more compliance. Basically, a controller is someone who gathers and receives personal data, and the processor, whether it be the controller or an outside entity, is someone who uses that data, processes it to, whether it be for marketing purposes, communication purposes, to comply with a sales contract, whatever. In any way whatsoever that they process that information, in a means that is potentially identifiable to the data subject, which is the user who’s the owner of that information, they’re the processor.

D: So, there’s not a difference in the responsibility, it’s just basically a matter of definitions. Like I say, the biggest thing is that there needs to be a formal agreement, a contractual arrangement between a controller and a processor, if they’re outside the organization.

D: You can’t simply have a word of mouth agreement, you can’t continue with business as usual with your brother-in-law down the street. You have to have something formal in writing, and there are requirements when you have to report such exportation from your company to a processor from the EU to an entity outside the EU to supervisory authorities.

D: The big thing that I think is also going to fall upon UK based businesses after Brexit, that I just thought of, is that there is a requirement for any business that is not physically located in the EU or the EEA, the European Economic Area. You must have a representative somewhere in the member state where you’re doing business.

D: Now, if you’re in the EU, pick a member state. You can have one in Belgium, or Germany, or France, or Spain, wherever. As long as it’s a member state of the EU, you can have a representative, and this is basically someone who can be a local, if you will, contact point. Within the EU local, that could be someone who can receive service of legal documents, that can be held responsible. It’s a legal representative.

D: Much like in the United States many people have, they may live in Texas, but they have a Delaware corporation, they have to have a legal representative in Delaware to do that. That person can receive notifications and services from the Delaware government on their behalf. It’s the same concept.

D: So, if you’re in the UK and after Brexit, now you will be required to find a representative. Now, this presents a problem for everybody, because at present there is a real dearth of representatives available. This is something that just was not foreseen, and there aren’t nearly enough people out there that are prepared to become legal representatives within different member states, as compared to the number of companies who are looking for them.

D: You and I both know, when that sort of a situation arises, Craig, you’re going to have all sorts of jack legs jumping up and saying, “Send me a million euros, I’ll be your representative.” And the person is not going to fulfill the requirements, all they’re going to do is cash your check.

D: So that is where I think that having a list of certified representatives is going to be imperative, and that list needs to grow rapidly because there just aren’t enough people available. I mean, one person can be representative for a number of companies, obviously, but it’s a real uphill battle. I am looking for one right now for a client and having a hard time finding somebody who is available, and affordable, and capable. Capable is important, because if that person fails to comply, they could make my company liable for massive fines. I’m responsible for ensuring that they comply. So, they’re basically representing my brand, and they can hurt us if they don’t do their job. So you have to be very careful of that. That will affect UK citizens after Brexit.

How long does GDPR take to Implement?

C: So, in terms of implementing, or someone coming to you to get you to do one of GDPR audits, if you like, and start the ball rolling with that process, I know it’s going to go one of those answers where you’re going to say it depends on the size of the company and all the processes and how much data they collect. But just in general, can a company get someone like you in and get this done in a month, or does it take far longer? Obviously it will take far longer on the bigger projects, but roughly how long does it take to become GDPR compliant for an average sized business?

D: Well, average size, let’s say a company that has … if they’re selling to English speaking countries in the EU, but they’re based in the US, and they’ve done nothing yet to comply, they just became aware of GDPR. An average sized company that’s, let’s say 50 employees at a max, they probably are not going to be faced with a lot of requirements.

D: Basically, they’re going to have to establish some written procedures and policies, they’re going to have to change the way that they handle data, in terms of their IT people are going to have to ensure that encryption is utilized in moving any of that data, even within the company.

GDPR Policies

D: They’re going to have to establish policies to limit the access to that data to the people that actually need it for processing purposes. They’re going to have to change their website somewhat to make sure that when people are asked to supply, let’s say they’re signing up for a newsletter. “Give me your username and an email and we’ll send you our weekly newsletter.”

D: Okay, well if you’re taking their email, you’re gathering personal data, and that personal data can conceivably be connected to that individual, even though they gave you a fictitious username. So you have to make them aware of why you want it, and what you’re going to do with it, and who you’re going to share it with, if anybody, and of their rights under GDPR, in terms of having it corrected if it’s mistaken, the uses of it limited, to get a copy of it, to have it removed and deleted entirely, and the right to be forgotten. So these are changes that’ll have to be made. It will depend tremendously on the client’s ability to generate these things.

D: Now, one of the services that we offer, we offer in three phases. We first come in and do an audit where we assess the business and its operations and say, “Okay, here are the things you need to do to become compliant.”

D: The second phase is actually providing them with a roadmap and templates for these documents of, “Here are the specific tasks you need to complete.” And it might take me one or two weeks to do the first phase. It’s going to depend very much on the business’s motivation and staffing resources as to how fast they can do that second phase.

D: Then the third phase, we come back and again do an audit, a compliance audit, make sure everything was properly implemented, it’s fully functional, and still does actually comply in all regards, and give them a written report of that. That serves as documentation should they ever fall under the scrutiny of the commission, it serves as documentation of their efforts, which always helps, shows good faith effort, and if it does need correction then obviously those corrections would need to be made as well.

D: I have seen it take as little as two weeks for a very small company, the company had seven people. And they dealt with people in the UK, so presently because the UK is still in the EU they had to comply in that regard. They decided that they might as well go whole hog and make sure that they’re still compliant after Brexit. I am working on one right now that I expect is going to take upward of three or four months because I know that the in house staff limitations are going to make it very difficult for them to push through all these changes, documentation. A company that has 500 employees, there’s training involved of all these people too. There’s going to be some training sessions required. So you could imagine, that could add many weeks to a process, as well as some cost.

D: So I haven’t had to deal with a client that really had that many employees and was going to have to go get 200 people trained without impacting their operations. They’re going to have to stagger those courses over a couple of months, that becomes prohibitive in terms of time and cost.

D: So it’s a difficult question to answer, but basically one or two weeks to find out if and how much you need to comply, and then whatever you can do in terms of complying, which is going to be contingent upon how many people you have available, and how many things need to be done, and then the final audit, again that’s generally a week or two to prepare, to actually perform it and prepare a written report. So, anywhere from a month to six months, it depends.

GDPR Process

C: I knew it was going to be an "it depends" answer, but I think it's obviously good for people to hear what goes on behind it, and as I say, "it depends, because you might have to train 200 staff" is still a good answer. It just gives people something to think about in terms of the task that lies ahead.

C: But going forward, and I think we spoke about it previously, prior to coming onto the podcast, people instantly look at what's involved in GDPR and instantly get fearful. And I think in general it does seem to be a lot worse than it possibly is. Would they be right with that kind of thought?

D: Yeah, I think that was my first impression when I first looked at the regulation. It basically is intended to cover every conceivable scenario. So when someone looks at it, it's 150 pages of semi-legalese, and their impression is, "Oh my god, this is going to cost me an arm and a leg, this is going to take me forever to do. Why do I need to have this?" Many of the requirements in the regulation are not going to apply to most businesses. They're going to apply to people like Facebook, Google or Amazon, certainly.

D: They’re going to apply to a lot of smaller corporations as well, but there are things that are not required. For instance, one example is the DPO, the data protection officer. Some companies will be required, depending upon their size, the number of employees they have, and the type of information that they handle.

D: If they handle, let's say, medical or biometric-type data, they're going to be required to have a DPO. That's going to be a dedicated full-time individual on the payroll; this is all they do, they ensure ongoing compliance. But most companies will not face that requirement. They can simply assign the DPO's duties to someone in-house as a collateral duty.

D: However, the only issue there is they've got to be sure that any other duties the individual has do not present a conflict of interest. In other words, if this person is faced with a necessity to enforce a certain style of processing the information internally, are they also in charge of the IT crew who is responsible for updating the website? Because now they're trying to divide the attention of their staff between task A and task B, and if there's a conflict of interest, the DPO's duties must always take precedence. So you have to avoid a conflict of interest.

D: But most companies won’t need a dedicated DPO, they could just have someone assigned the responsibility. Now, as long as that person’s responsibilities don’t conflict, and they’re given the resources with which to do their job, then you’re good. So it seems very prohibitive when you look at the regulation in its entirety, but it really doesn’t apply in its entirety to most companies.

C: Yeah. Pretty much sums up my impression too, “Oh, no.”

C: Yeah, I mean that’s obviously the first thing I saw when I seen GDPR was, “Crap.” And, “How am I going to deal with this?” But it’s good to know that obviously once you unravel all the stuff that goes on and what’s involved that parts of it definitely don’t apply to you, but I think to give people an end kind of thing, I think it’s common sense and common decency that’s just been put into practice, and it’s trying to eliminate people who spam the crap out of stuff and don’t build marketing lists organically.

C: People who are buying lists and stuff are all the ones that are going to suffer, and I don't think that's always a bad thing in most cases. So, I think there has to be some kind of law, because it is literally a free-for-all online just now. There is, or there was, no real regulation.

D: Yeah, you sum it up: common decency, common sense. The main premise of the regulation is that someone's personal data is theirs forever. The fact that you now have it in your possession does not make it yours. It is theirs, and they have the right to know, they have the right to control, they have the right to have it deleted, and they have the right to get a copy of it.

D: They have a number of rights that are outlined under the regulation, and it is incumbent upon us to make them aware of those rights when they hit our website, or if it’s a trade show, it can also be in a face to face meeting at a trade show for instance, or in a sales call. The regulation applies when there is interaction between their personal data and an entity.

D: So, there are limitations. The fact that you have my email address because we met in a bar does not mean that you have to read me my rights like a Miranda card when you ask me for my email address. But if you take that address and do anything with it, put it into your system, okay, put it into your electronic Rolodex. If you did that on an occasional basis, not a big thing, it doesn't necessarily apply. But if you're going to a trade show and you get 600 cards and put them all into

D: Now, you’re approaching a scale that does require some sort of compliance, and those are the gray areas, and I think they were left intentionally vague. They don’t say that if you have 149 of these or less then you’re okay, but if you have 150 or more you’re not. They simply say if you’re doing it on a large scale or a small scale, if you’re doing it occasionally or regularly.

D: What is occasionally? Well, occasionally is I occasionally meet someone in a bar and get their business card. I can defend that decision, and I'm sure that the commission would agree. But if I'm giving away a free Mercedes-Benz in a drawing if you'll push a business card in there, and I gather 5,000 business cards and pull them all into my system, that approaches a scale that is probably going to be very difficult to defend. I'm going to have to treat that as personal data.

D: It’s common sense, just remembering that the data is not ours simply because we came into possession of it, and remembering that the users, the people that are the owners of that data remain the owners and must have control of it.

C: Yes, common decency comes into play as well. You just wouldn't do that with a normal person's data, surely. I have probably done it in the past, but realistically none of us want to have that going on. But sadly, Doc, we are at the 50-minute mark, and I know we could probably talk all day about lots of different subjects, especially given a man of your experience, but I'd love to have you on in the future to cover other stuff, talk about different things.

C: But for anyone who is interested in getting a hold of you or potentially talking to you about GDPR or something else, where’s the best place to get a hold of you?

D: Well, I can always be found on Facebook, Doc Sheldon, and my email is Doc (at) intrinsicvalueSEO dot com. And if you can't find me, you can always find Craig. Somewhere back in our lineage we are related. We're both Campbells, so he generally knows where to find me too.

C: Yeah, if anyone’s listening and you struggle to find Doc, give me a shout and I can point you to the nearest place to find him, wherever he may be in the world at that point in time. But yeah, thank you Doc for taking time out of your life to talk to me and a bit about GDPR. I think a lot of people, hopefully have a bit of a better understanding as a result of it and what’s involved, and all of that kind of stuff. So thank you very much for taking time out.

D: I’ve enjoyed it. I would also like to say to anybody out there. I’m not going to give you my PayPal address if you have a question. I don’t always have all the answers, but I can either point you to someplace you can get the answer, or I can perhaps get one for you if I don’t know it off the top of my head. But feel free to reach out to me if you have a specific question.

C: Perfect Doc, thank you.

Craig Campbell

I am a Glasgow based SEO expert who has been doing SEO for 17 years.