As GDPR hit its first anniversary on Saturday, Microsoft once again called for a US privacy law which shifts the onus of data privacy from the individual to corporations. Today, Americans operate in an opt-out regime which requires them to find and manage their privacy settings.
places an unreasonable — and unworkable — burden on individuals,” wrote Microsoft’s Deputy General Counsel Julie Brill. “Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”
Microsoft prefers a single federal standard to piecemeal state-level laws such as California’s CCPA. Brill said the legislation should be interoperable with the GDPR to help reduce the “cost and complexity of compliance.” This framework should reflect “the changing understanding of the right to privacy in the United States and around the world.” The proposed legislation should “uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.”
American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting—requirements for privacy protection in the countries where they do business,” said Brill.
eMarketer analyst Ross Benes, the US ad industry has shifted from a call for self-regulation to supporting national privacy regulations, fearing “a patchwork of different rules” as “legislation looks increasingly inevitable.”
A TrustArc/Ipsos survey of UK adults (16 – 75) found a 36% improvement in trust concerning personal data since GDPR went into effect.
A Snow study found that 39% of global business professionals believe their data is better protected since GDPR passed, with the biggest increase in the APAC region (48%). 40% of Europeans also believed their personally identifiable information is more secure, but only 30% in the US held the same belief.
74% of surveyed professionals believe that the technology industry needs more regulation, with 83% of APAC and 72% of US respondents wanting additional tech regulation.
The EU has yet to strictly enforce the law, with only one large fine ($56M) levied against Google in France. However, Google and the social media and advertising companies are all subject to ongoing investigations:
The latest investigation — the first by the Irish watchdog into Google — brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.
Los Angeles Times, “Google could face hefty EU fine over possible privacy violations,” May 22, 2019
important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach,” said Ben Feldman, SVP of strategy and innovation at NYIAX. “I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation. It is quite likely that we will see more fines in the
The following is a Quora post answering the question, “Does LinkedIn Sell Your Info?”
This is likely to fall into a semantics question. If data is employed in the aggregate and your personally identifiable information is not disclosed, then I would argue that your information is not sold. Likewise, if you are presented an ad because your LinkedIn profile conforms with a target audience definition, your data is also not being sold.
I can’t answer for LinkedIn Recruiter, but can answer in the Sales and Marketing context.
LinkedIn offers a sales product called Sales Navigator. Users can view company and contact information on Navigator just as they can on the free service. It even supports viewing this data within third-party SNAP products. However, Navigator and SNAP are view only. Sales reps cannot download your profile or sync it with any of their partner platforms. They also restrict display of your email and phone information to your direct connections, as well as other content you flag as restricted.
LinkedIn Marketing sells advertising on LinkedIn and Bing based upon your profile attributes. Advertisers define their target audience across a broad set of firmographic, career, and location variables, but these segments are not provided directly to the marketer. Instead, they are used for advertising display. Thus, your data isn’t sold, just your eyeballs.
LinkedIn treats its members’ data with respect. Microsoft, its parent company, has called for a US version of GDPR, the European data privacy standard. CEO Satya Nadella stated that “privacy is a fundamental human right” on an April 2018 earnings call and said that the firm has implemented an “end-to-end privacy architecture” which is GDPR compliant.
Artesian Solutions CEO Andrew Yates published a year-in-review blog and a preview of their upcoming Artesian Risk and Compliance Hub (ARCH). The new ARCH capabilities will extend their social selling platform into Know Your Client (KYC) reviews at UK banks. ARCH is in early testing.
ARCH leverages Artesian capabilities around interpreting structured and unstructured data “to create useful flags and to drive appropriate actions.” Artesian is already on the desktop of relationship managers (RMs) at most of the major UK banks. “This puts us in a unique position to make insights regarding financial and KYC risks available to the front-line as a pre-screen, to ensure that corporate banking relationships begin with an appropriate understanding of risk.”
supports an automated audit trail and storage of evidence. Early tests found ARCH to be “100% accurate in reflecting policy in pre-screening.” ARCH also reduced the time spent in gathering risk assessment data by 90% and identified 14% more risk issues compared with manual processing.
a pre-screen at the front-end of client discussions, RMs can focus on new clients that will pass muster during the onboarding review process. This process makes both relationship managers and compliance professionals more effective. RMs will no longer be spending time with prospective clients that won’t pass compliance review while compliance professionals can focus their attention on more complex reviews which require their skill and
“ARCH gives companies control of a sophisticated decision engine to enable data being accessed to have rules applied and flags created. It means that Relationship Managers can see a summarised view of what their central risk teams’ assessment of a potential client would be, before spending time and money engaging with them. The automation aspect of this is fundamental as it brings efficiency, consistency and control to the areas it transforms.
But more than that, it places compliance at the heart of the business – front of mind for every member of staff, informing every decision, instructing every interaction and shaping every relationship from pre-screens for new customer prospecting through to long-standing client development.”
Artesian CEO Andrew Yates
McKinsey research which notes that the risk function at financial institutions is being transformed “with the detection, assessment, and mitigation of risk” being transferred to all employees by 2025.
Risk and Compliance tools are a greater focus amongst European sales intelligence firms due to the availability of private company registry data. While US private companies provide only minimalist filings with Secretaries of State offices (with a few exceptions in insurance, banking, and nonprofits), UK company registration data includes directors, shareholders, and financials. Other UK compliance data includes sanctions lists, Politically Exposed Persons (global government officials and relatives), disqualified directors, gazettes (shuttered businesses and those in receivership), and traditional credit reports. Vendors such as Artesian, DueDil, and Bureau van Dijk have recently emphasized compliance and risk tool development over sales intelligence offerings.
reached 30,000 users in 2018 with their user base tracking over 800,000 companies. According to Yates, Artesian customers “have received 12.5 million actionable insights, 2.5m unique computational matches each week, automated the equivalent of 2 trillion Google searches per week (13bn per hour), and have made 523,813 useful connections using Artesian data.”
staff provided over 350 training sessions, webinars, and workshops to more than 3,000 users in 2018. Artesian Academy delivered an additional 1,200 multi-media tutorials, certification modules, role-based tips, and social media best practices overviews.
While the change is pro-privacy and consistent with GDPR, TechCrunch took a negative view of the new setting.
A win for privacy on LinkedIn could be a big loss for businesses, recruiters and anyone else expecting to be able to export the email addresses of their connections.…[The new option] could prevent some spam, and protect users who didn’t realize anyone who they’re connected to could download their email address into a giant spreadsheet. But the launch of this new setting without warning or even a formal announcement could piss off users who’d invested tons of time into the professional networking site in hopes of contacting their connections outside of it…
On a social network like Facebook, barring email exports makes more sense. But on LinkedIn’s professional network, where people are purposefully connecting with those they don’t know, and where exporting has always been allowed, making the change silently seems surreptitious. Perhaps LinkedIn didn’t want to bring attention to the fact it was allowing your email address to be slurped up by anyone you’re connected with, given the current media climate of intense scrutiny regarding privacy in social tech. But trying to hide a change that’s massively impactful to businesses that rely on LinkedIn could erode the trust of its core users.
TechCrunch overstates the loss. First, members control their data, not LinkedIn or their LinkedIn connections. Second, there are multiple ways to reach users from within LinkedIn, including InMail, messaging, and PointDrive. Unless the email is blocked on the profile, connections still have access to emails from within LinkedIn. Finally, most emails in LinkedIn are personal emails, not business emails (an issue LinkedIn should address by allowing both and setting privacy and messaging rules around multiple emails), so reaching out to individuals on their emails only makes sense for friends, family, and recruiters on LinkedIn, not businesspeople networking with colleagues and clients.
While LinkedIn wasn’t transparent about the privacy change, it enhanced the privacy of its members. As such, looking for nefarious reasons for the enhancement is a reach.
Speaking at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), Apple CEO Tim Cook forcefully called for expanded global privacy protections akin to GDPR:
Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold. Taken to the extreme this process creates an enduring digital profile and lets companies know you better than you may know yourself. Your profile is a bunch of algorithms that serve up increasingly extreme content, pounding our harmless preferences into harm…
We shouldn’t sugarcoat the consequences. This is surveillance…
We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. We also celebrate the new steps taken, not only here in Europe but around the world — in Singapore, Japan, Brazil, New Zealand. In many more nations regulators are asking tough questions — and crafting effective reform.
It is time for the rest of the world, including my home country, to follow your lead.
We see vividly, painfully how technology can harm, rather than help. [Some platforms] magnify our worst human tendencies… deepen divisions, incite violence and even undermine our shared sense of what is true or false.
This crisis is real. Those of us who believe in technology’s potential for good must not shrink from this moment…
They may say to you our companies can never achieve technology’s true potential if there were strengthened privacy regulations. But this notion isn’t just wrong, it is destructive — technology’s potential is and always must be rooted in the faith people have in it. In the optimism and the creativity that stirs the hearts of individuals. In its promise and capacity to make the world a better place.
It’s time to face facts. We will never achieve technology’s true potential without the full faith and confidence of the people who use it.
He also warned about the dangers of AI which fails to protect privacy:
Artificial intelligence is one area I think a lot about. At its core this technology promises to learn from people individually to benefit us all. But advancing AI by collecting huge personal profiles is laziness, not efficiency.
For artificial intelligence to be truly smart it must respect human values — including privacy. If we get this wrong, the dangers are profound. We can achieve both great artificial intelligence and great privacy standards. It is not only a possibility — it is a responsibility…
Yesterday, Cook tweeted that privacy is a human right based upon four principles:
Data Minimization – Personal data collection should be minimized or de-identified.
Transparency – Individuals have the right to know what is being collected and for what purpose.
Right to Access – “data belongs to users” with personal data available to individuals for copying, correcting, and deleting.
Right to Security – “security is foundational to trust and all other privacy rights.”
One of the concerns raised by GDPR is fear of draconian fines, but that should not be a concern in the UK, at least for those who act in good faith. “I have no intention of changing our proportionate and pragmatic approach,” said ICO Information Commissioner Liz Denham. “Hefty fines will be reserved for those organisations that persistently, deliberately, or negligently flout the law.”
And while many have complained that GDPR is a major hindrance to traditional marketing, it redirects efforts towards better targeted accounts and prospects. “B2B direct marketing is alive and well, and is explicitly envisaged in the GDPR legislation,” said Kevin Savage, Rhetorik’s Chief Revenue Officer. “You can do B2B marketing, and you should because compliance requirements are really a blessing in disguise. Relying on Legitimate Interest requires you to be more mindful and selective about the personal data you keep and use. This selectivity enables you to be more targeted in your messaging, to cut through the noise and engage prospects more effectively.”
Please find the underlying statutes for major European countries, courtesy of Rhetorik:
Yesterday, I presented a discussion of Legitimate Interest as the basis of GDPR communications. For B2B companies in the UK, the 2003 PECR (The Privacy and Electronic Communications Regulations of 2003) law is often applicable when assessing GDPR and Data Privacy:
GDPR and Data Privacy under UK PECR and Non-PECR scenarios (Source: Rhetorik)
The PECR discusses soft opt-ins for individuals, sole traders and some partnerships, but not B2B. The ICO states that “the term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send. The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts.”
Legitimate Interest also applies to data licensing relationships and marketing partnerships. If personal data is held under Legitimate Interest for a specific purpose (e.g. Technology Sales), data licensing and sharing needs to be kept within that original scope.
Legitimate Interest and Consent also apply within a company. Data maintained for one product line may not be usable for others, particularly if the firm spans multiple sectors.
The UK Direct Marketing Association published guidance on the subject of Legitimate Interest helping make sense of Article 6.1.f:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
And Recital 47:
“The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”
Once the basis of holding personal data is met, companies have additional conditions to meet around transparency (notification and the right to object), data minimization (Is there a legitimate interest in collecting all of the fields? How long is data retained?), and reasonable expectation (limited impact to personal and private life; ensuring data accuracy).
For individuals who opt out, firms must retain suppression lists to prevent the re-collection of personal information. The suppression list should be the minimal information required to ensure the individual is not added back into the marketing database at a later date. With B2B, the list may simply be name and email.
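The two paragraphs above describe data minimisation and the suppression list as a procedure; the following is an added example of how such a list can be implemented, not code from the original post, from Rhetorik or from the DMA guidance. The post says a B2B suppression list may hold only name and email; this example goes one step further and stores only a keyed hash (HMAC-SHA256) of the normalised email, so the list can block re-collection on import without itself being a usable contact list. The key, the sample records and the field names are constructed for the example.

```python
"""Opt-out suppression list built for data minimisation (added example)."""
import hashlib
import hmac
from typing import Iterable

# Constructed secret for the example. In practice, load it from a secrets
# store and keep it separate from the marketing database, so a leaked list
# cannot be matched against addresses without the key.
SUPPRESSION_KEY = b"example-key-rotate-me"


def normalise_email(email: str) -> str:
    """Canonicalise an address so trivial variations still match the list.

    Only surrounding whitespace and case are normalised (local parts are
    case-sensitive per RFC but treated as insensitive by nearly all
    providers). Provider-specific rules, such as ignoring dots in Gmail
    local parts, are deliberately out of scope.
    """
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local.lower()}@{domain.lower()}"


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalised address; the list stores only this."""
    digest = hmac.new(key, normalise_email(email).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


class SuppressionList:
    """Holds tokens for individuals who objected, never their plaintext data."""

    def __init__(self, key: bytes = SUPPRESSION_KEY) -> None:
        self._key = key
        self._tokens: set = set()

    def record_opt_out(self, email: str) -> None:
        """Called when an individual objects; the plaintext is not retained."""
        self._tokens.add(suppression_token(email, self._key))

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email, self._key) in self._tokens

    def filter_import(self, records: Iterable[dict]) -> tuple:
        """Drop records for suppressed individuals before they re-enter the
        marketing database. Returns (kept_records, dropped_count)."""
        kept, dropped = [], 0
        for rec in records:
            if self.is_suppressed(rec["email"]):
                dropped += 1
            else:
                kept.append(rec)
        return kept, dropped


def demo() -> tuple:
    """Constructed scenario: one opt-out, then a re-import from a data partner
    that contains the same person with a differently-cased address."""
    suppression = SuppressionList()
    suppression.record_opt_out("  Jane.Doe@Example.COM ")
    partner_feed = [  # constructed sample records
        {"name": "Jane Doe", "email": "JANE.DOE@example.com"},
        {"name": "John Roe", "email": "john.roe@example.org"},
    ]
    return suppression.filter_import(partner_feed)


if __name__ == "__main__":
    kept, dropped = demo()
    print(f"kept {len(kept)} record(s), dropped {dropped} suppressed record(s)")
```

Because the list stores HMAC tokens rather than addresses, re-identifying anyone on it requires the key as well as the candidate address, which keeps the retained data to the minimum needed to honour the objection; the trade-off is that the list can only answer "is this exact normalised address suppressed?", so the normalisation applied at opt-out time and at import time must be identical.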
The GDPR also sets out expectations which are relationship specific:
I’ve been looking for a good description of what GDPR (General Data Protection Regulation) means to B2B marketers and finally came across a session given by UK technology profiler Rhetorik. There have been a number of issues that have muddied the waters, making it difficult to provide much more than general rules. Amongst the issues are a focus on the implications to consumer marketers, the lack of a general law that spans the EU, and an emphasis on rumors and fears about what will happen to firms that fail to comply with the regulation.
Rhetorik Data Protection Officer Samantha Magee noted that GDPR covers how and why companies hold and protect data. It is focused on internal processes rather than external communications, and is channel agnostic.
In around 18 months, the EU will pass uniform ePrivacy legislation which covers external communications in member countries. Until then, rules will remain fragmentary. For example, Opt-in or Opt-out protocols differ by country with the UK amongst the more liberal countries:
For the moment, GDPR has given teeth to local regulations. In the UK, the PECR (The Privacy and Electronic Communications Regulations of 2003), overseen by the Information Commissioner’s Office (ICO), remains the applicable regulation for consumer, sole trader, and small partnership communications. It was drafted after the European Directive 2002/58/EC, otherwise known as the ‘e-privacy Directive’, was implemented in 2002.
There are six bases for communicating with clients and prospects, all of which have equal weight: Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest. Of these, Consent (e.g. opt-in) and Legitimate Interest are the most common for B2B marketers. Support and service departments would most likely be covered under contractual relationships.
“Legitimate Interest aims to provide a solid and lawful basis upon which commercial communication can occur, allowing marketers to promote their products and services to a targeted and well defined audience,” said Magee. “At its heart is the desire to ensure that commercial practices and communications are relevant to the individual, offering the assurance that high standards of care are applied and that their essential privacy rights are considered of the utmost importance.”
Part II continues with a discussion of the UK PECR law and additional details on Legitimate Interest.
A few weeks ago, I wrote about enterprise software vendors calling for an American version of GDPR with Microsoft announcing that it was building GDPR into its global product line as its standard privacy protocol.
On the Salesforce earnings call last week, CEO Marc Benioff observed that the software industry has been going through a “crisis of trust for the past six months” related to privacy and data ownership:
“From the European perspective the way they look at data is data belongs to you, it’s your data. Now for us at Salesforce, we understand that. We’ve had that position from the beginning. Our customers’ data belongs to them, it’s their data. I think in some cases, the companies that are start-ups and next generation technologies here in San Francisco, they think that data is theirs. I think the Europeans with GDPR have really flipped the coin, especially in advertising but in other areas, saying hey, this data belongs to the consumer or to the customers, you guys have to pivot back to the consumer, you have to pivot back to the customer.”
Benioff once again called for a US privacy law similar to GDPR which provides “guardrails” around trust and safety. “This is going to help our industry,” said Benioff. “It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”
Benioff also warned that when AI technologies are indistinguishable from humans, trust will also be an issue.
It is less than 36 hours until GDPR becomes the law of the land in the EU Zone. As the regulation has extra-territorial privacy requirements, non-EU companies, even those without a physical presence in the EU, are subject to its requirements with respect to communications with EU citizens and management of their data.
The US has a much weaker set of laws and there is concern that US firms are laggards with respect to compliance. However, a number of US technology firms have called for adoption of a US GDPR.
On Monday, Microsoft once again reiterated its belief that “privacy is a fundamental human right” and announced that GDPR will be their privacy standard globally.
“As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important than ever.”
Julie Brill, Microsoft Corporate VP & Deputy General Counsel
Companies, therefore, have a “huge responsibility” to protect and safeguard personal data.
Since GDPR was enacted in 2016, Microsoft has dedicated 1,600 engineers towards compliance. “GDPR compliance is deeply ingrained in the culture at Microsoft and embedded in the processes and practices that are at the heart of how we build and deliver products and services,” said Brill.
She noted, however, that GDPR is a “complex regulatory framework” subject to “ongoing interpretation” by regulators and feedback from customers. As such, the firm will “determine the steps that we all will need to take to maintain compliance.”
As a provider of corporate infrastructure, Microsoft views GDPR as an opportunity to differentiate itself and assist its customers with compliance on the Microsoft Cloud. “One of our most important goals is to help businesses become trusted stewards of their customers’ data,” said Brill. “This is why we offer a robust set of tools and services for GDPR compliance that are backed up by contractual commitments. For most companies, it will simply be more efficient and less expensive to host their data in the Microsoft Cloud where we can help them protect their customers’ data and maintain GDPR compliance.”
Salesforce and SugarCRM have also taken a strong position on GDPR calling for similar legislation in the US. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” said Salesforce CEO Marc Benioff.
This is not a new position for Salesforce. Back in 2014, Benioff said, “I’m all in favor of consumers having more power and more control over their data. As a consumer, you should have all of the rights. It’s like a cloud Bill of Rights. As a consumer or as an enterprise, you should have the right to be forgotten or to add or take away your data.”
As part of its compliance, the firm named their Senior VP of Global Privacy and Product Legal Lindsey Finch as their new Data Protection Officer. Finch has been with Salesforce for a decade with previous stints at GE (Privacy Counsel), the Federal Trade Commission, and Homeland Security.
“The official DPO designation is a natural outgrowth of our existing programme. My team and I will continue to partner across the company to foster a culture of privacy – designing, implementing, and ensuring compliance with our global privacy programme, including ensuring that privacy is considered throughout the product development lifecycle,” said Finch. “The top theme I’m hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.”
Finch described Salesforce’s approach to GDPR compliance:
“We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place,
Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we’ve published on our GDPR website. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.”
Salesforce CMO Simon Mulcahy echoed Benioff and Finch at the Salesforce World Tour event in London last week. Mulcahy stated that many companies simply view GDPR as a compliance issue and nuisance, not an opportunity to align company interests with customer desires. “It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.”
“Benioff is right that we will need some regulation and I can’t see how we can set two standards–EU and US–so we’ll likely need to adopt what the EU has done or risk chaos. This also fits well into the narrative of the information utility. GDPR is another driver sending us toward utility formation for the information industry.”
Dennis Pombriant, Principal Beagle Research
Larry Augustin, CEO of SugarCRM, noted that firms have been lax in their privacy and cyber security processes, saying that self-regulation has proven to be insufficient with “too many incidents.”
“Data privacy issues are not going to go away. People are thinking a lot here now about GDPR, because Facebook, Twitter, and all of these issues keep coming. And Experian in the US, about managing personal information related to credit card data… there’s just a constant barrage of issues around data privacy and personal information,” continued Augustin. “Everyone has to address it, whether it’s in the context of GDPR or the next thing that’s going to come along. There is definitely a heightened awareness and interest.”
SugarCRM has built a data privacy manager into its CRM as a “command center” for the data privacy officer.
In my discussions with clients, they all admit to the regulations being a muddle that initially adds risk to their business models. The penalties are draconian, but the compliance requirements are ambiguous, particularly for B2B firms. As such, we are likely to be hearing about issues concerning GDPR compliance requirements over the next few years.