Three years after the introduction of tighter data regulations & GDPR in Europe, the world of data protection and privacy is only getting more complex. In fact, my guest today described the privacy challenges we face today as a “perfect storm”.
From changing cookie laws, to complex data transfers, to the latest class action lawsuits being brought on behalf of professional footballers, there is no doubt that the tectonic plates in our industry are shifting.
So how can we ensure we’re professional, prepared and protected as much as possible?
While we continue to cope with COVID, our industry is facing rapid changes, such as the increasing use of facial recognition technology & biometrics, so listen to learn all about the approach you can take to ensure “custom privacy protection by design, which will endure by default”.
Richard Dutton, Managing Director of the Elias Partnership, joins me on today’s show to explain the concept of a “Data Health Check”, what it does, how it helps and how your company can ensure a legally defensible position should a data breach ever occur.
PAULA: Welcome to Let’s Talk Loyalty, an industry podcast for Loyalty Marketing Professionals.
PAULA: I’m your host, Paula Thomas, and if you work in Loyalty Marketing, join me every week to learn the latest ideas from Loyalty Specialists around the world.
DUTTON: Thank you.
PAULA: Hello, and welcome to today’s episode of Let’s Talk Loyalty.
PAULA: One of the most fascinating and fundamental topics of conversation for loyalty marketing professionals is the whole area of privacy and data protection.
PAULA: It’s an essential pillar of our business, but in my experience, can sometimes be overlooked or neglected over the lifespan of a loyalty program.
PAULA: So to help you understand the context for privacy today, in our increasingly data centric world, I’m chatting to Richard Dutton, Managing Director of the Elias Partnership, and they have extraordinary expertise in this whole field.
PAULA: So I’m delighted to welcome Richard onto the show and let’s get on with the conversation.
PAULA: So Mr. Dutton, please do tell me, first of all, what is your favorite loyalty statistic?
DUTTON: Well, Paula, I’ve thought long and hard about this, and I’m gonna fall back on what I think is one of the fundamentals of loyalty, which was shared with me by an old friend who happened to be the co-founder of Airmiles, a fellow called Philip Beard.
DUTTON: And he said, Richard, whatever you do in loyalty, make sure you focus on these three things, lift, shift, and retention.
DUTTON: Everything else falls away from that.
DUTTON: So that was great advice, and I followed that since then.
PAULA: My goodness, wow, and what incredible credentials.
PAULA: I mean, the Airmiles brand alone, Richard, I mean, it’s just extraordinary what they created.
PAULA: And quite a long time ago, I think the company originally set up maybe 20-odd years ago.
DUTTON: And yes, beyond that, I mean, I think certainly in the 90s, it was there.
DUTTON: So, you know, Philip’s been there and done it all.
DUTTON: So certainly somebody to learn from.
PAULA: Wonderful.
DUTTON: Particularly given his partner at the time, Keith Mills then went on to launch Nectar, and he was involved in that as well.
DUTTON: So yeah, some really good credentials.
PAULA: Wonderful.
PAULA: Great stuff.
PAULA: So speaking of credentials, you’re coming to talk to us today from a legal perspective, which I think I confess to you, Richard, is the part that scares me the most about working in loyalty.
PAULA: And I’ve often actually remembered getting a phone call in Ireland from the Data Protection Commissioner, which back in, I’m going to say the early 2000s, certainly focused my mind on the amount of attention that was coming on data, data protection.
PAULA: So tell us a bit about your career from a legal perspective and looking at loyalty programs.
DUTTON: Right, well, I actually had a degree in law, and one of my fellow students at the time was a fellow called Dean Armstrong, who has since become a Queen’s Counsel and one of the leading barristers and lawyers in the world of data and cyber, blockchain and crypto assets and cryptocurrency.
DUTTON: So short term, about six years ago, we teamed up and formed Elias Partnership, which is the business we currently own.
DUTTON: He’s the chairman.
DUTTON: And we focused very much on data rights, all aspects of data protection and across multiple sectors.
DUTTON: And the reason I got there was, my world, while I got a law degree, I didn’t follow it except in the commercial world.
DUTTON: So I’ve been in a commercial and therefore 30 odd years of practice, as it were, in dealing with commercial law, contract law.
DUTTON: And part of that experience was very much in retail marketing for about 20 years.
DUTTON: And that was where I discovered a lot of affinity with technology, getting involved with radio frequency identification early on in the mid 90s, which soon became smart card technology.
DUTTON: And in the early 2000s, we were one of the first organizations to introduce multi-application smart card into Liverpool as part of a loyalty program, which had the transport application as well.
DUTTON: So similar to the Oyster card, it was a transport application which sat on a loyalty card.
DUTTON: So I’ve always enjoyed the technology element, the applications, rather than being a technologist per se.
DUTTON: Yeah.
DUTTON: And that has translated certainly into the area of data governance and the way in which certainly the data regulations are being applied today.
PAULA: Yeah.
PAULA: Brilliant.
PAULA: Brilliant.
PAULA: And we’ll get into that now, Richard.
PAULA: But just before that, I think it’s always great to mention you are a colleague and a friend in the Customer Strategy Network.
PAULA: So we share our global colleagues and we all work together obviously on various things.
PAULA: So that’s another feather in your cap.
PAULA: And you’re also a board member with the Loyalty Academy, if I’m correct.
DUTTON: That’s right.
DUTTON: Yes.
DUTTON: I’ve been a member of the Customer Strategy Network since 2008.
DUTTON: And on the board at the Loyalty Academy for about five years now, that’s right.
DUTTON: Along with Mr. Capizzi and others, yes.
PAULA: Wonderful.
PAULA: Well, I recorded an episode with Mr. Capizzi recently, so he’s on the show tomorrow as well.
PAULA: So yeah, we’re all good friends.
PAULA: So tell us about the context for the conversation, Richard, because as I said, it’s a long time since I’ve been responsible for data and had that phone call from the data protection commissioner.
PAULA: But so much changes, you know, and I think we all have to pay very close attention.
PAULA: But at the same time, the sheer complexity of what’s happening is really what makes it such a big concern, I think, at all levels of the business.
PAULA: So tell us what’s going on globally, as easily as you can, because I suppose I’m conscious that, you know, UK is where you do a lot of work, and the US, I believe, but then there’s stuff going on in China and all of that.
PAULA: So tell us a bit about what is happening.
DUTTON: Well, I think one of the first things I’d like to say, it’s a rather grandiose statement, but one of the challenges we’ve got is the internet is broken.
DUTTON: And you have a situation, frankly, where the current pandemic, apart from COVID, is data breaches and ransomware, where companies all over the world are being targeted.
DUTTON: And largely because the internet itself, the way it was designed, was not designed to cope with the volumes and the nature of the beast right now.
DUTTON: So the internet, given so much now, relies on it.
DUTTON: It is part of the problem.
DUTTON: And you also have a real divergence in terms of data regulations in some of the major continents.
DUTTON: So in Europe, we have the GDPR.
DUTTON: In the US, their data laws, effectively, what was Privacy Shield, was invalidated by the European Union last year, which created a significant amount of problems.
DUTTON: Yeah, so the data transfers between the EU and the US are a subject of a lot of current stress and tension.
DUTTON: The Chinese have decided that Chinese data stays in China, and they are making a play to be privacy-centric.
DUTTON: The Russians, similar, everything stays in Russia.
DUTTON: You have state surveillance in those.
DUTTON: So, you have competing entities, state entities competing with the big tech from America, which has been all embracing, really.
DUTTON: And some people listening to this may also recall that in the last month or two, China have taken a very aggressive stance against their big tech companies.
PAULA: Yeah.
DUTTON: Effectively telling them, you need to relocate back to China rather than listing yourselves on the American Stock Exchange, for example.
DUTTON: And it’s a very overview situation there, but nonetheless, there’s a crackdown coming from China.
PAULA: Is there more that I should worry about?
PAULA: Or, I mean, I don’t know how far to let you go.
DUTTON: One of the things I would say, Paula, is that when the GDPR first came out in 2018, there was an awful lot of scaremongering going on about the fines and everything.
DUTTON: And justifiably, there were also an awful lot of people in the data protection space who became self-appointed experts.
DUTTON: One of the flaws in the way in which the GDPR was deployed was that they didn’t have any way of certifying expertise.
DUTTON: So you had huge numbers of people who appointed themselves as experts, advised companies without understanding the law.
DUTTON: And one of the difficult challenges of the GDPR is, unlike a rule-based law, like speeding, if it’s 30 miles an hour speed limit, that’s rule-based, you can’t go above it, right?
DUTTON: You get fined.
DUTTON: Well, the GDPR is principle-based, so it’s about interpreting it.
DUTTON: And that is where there is a significant difference, and a lot of people have interpreted it incorrectly.
DUTTON: And that’s what we’re seeing now as case law over the last three years since the GDPR was introduced, is having significant impact, going back to what I said about the transfer of data between the EU and the US.
DUTTON: It’s causing a lot of problems.
DUTTON: The cookie laws have changed, as Europe is taking a stance against big tech.
DUTTON: So the most recent being the Luxembourg Data Protection Authority, even smaller than your Irish equivalent, has just fined Amazon over $800 million for a breach, which effectively was all about cookies.
DUTTON: So the regulators are emerging from their COVID-induced inactivity, and they are gonna put a marker down.
DUTTON: So that and the advent of the class action lawyers, I think has made it a very feisty environment now in terms of the data protection regulations.
PAULA: Yes, yeah.
PAULA: And just for anyone not familiar with that acronym, Richard, GDPR, am I right?
PAULA: It’s General Data Protection Regulation, is the acronym?
DUTTON: That’s the one.
PAULA: Wonderful.
PAULA: And that applies across the European continent.
DUTTON: Yes, and also, if you are a European data subject, wherever you are in the world, you have rights about your data.
DUTTON: So even if you were in the US, for example.
DUTTON: So there is a jurisdiction element there, which people sometimes are unaware of.
PAULA: Yeah.
PAULA: And I think what caught my attention again, back in 2018, Richard, was how high the stakes were.
PAULA: So without being familiar with how laws work or are imposed or assessed, the fact that there were fines, I believe, being mentioned as percentages of turnover, for example.
PAULA: So the principles of how the fines were going to be calculated were all of a sudden extremely frightening, I think, for companies, you know?
DUTTON: Yes, it’s a fair point.
DUTTON: And the problem the GDPR has faced is that the regulators haven’t really enforced it, certainly in the first few years.
DUTTON: And a large amount of that is due to the fact that they have been challenged resource-wise and COVID has had an impact as well.
DUTTON: But the unfortunate thing for many of the GDPR and privacy activists, certainly, is that even the companies that were fined, like British Airways, I think there was a fine there of about $283 million.
DUTTON: Dollars or pounds, I can’t quite remember, but nonetheless, it was reduced to about 20 million in the end.
DUTTON: So you have a situation where lots of companies, frankly, have just taken the view that, do you know what?
DUTTON: I’ll take the fine as a cost of doing business.
DUTTON: And there is an attitude there in many companies because the regulator isn’t really going to enforce this.
PAULA: Risky strategy, I’m hearing.
DUTTON: Well, certainly, if you take that view, I suppose you either live by it or you die by it.
DUTTON: Certainly, as far as I’m concerned, the threat vectors are coming from a number of areas.
DUTTON: So the regulators all over Europe are waking up.
DUTTON: The second thing is the class action lawyers are really being aggressive in Europe, particularly in the marketing services area where you’ve got a full blown assault on programmatic advertising and programmatic marketing.
DUTTON: So anybody that’s involved in those sectors, particularly with the IAB in Europe who are under real pressure, you’ve got hundreds and hundreds of companies who have followed their guidance about the GDPR.
DUTTON: And it is clear to anybody that really understands the law that they misinterpreted it.
DUTTON: And all of those companies, I think, are in a potentially very vulnerable situation.
DUTTON: I’ll leave it at that.
PAULA: And the other piece I know you’re doing a lot of work on, and it is in the class action space, you mentioned it to me, and this is professional athletes such as footballers and their rights to their own data.
PAULA: So I’d love you to explain this because this sounds like a very new area of concern for, again, companies that are capitalizing on what I might have interpreted again as a non-legal person as publicly available data, but all of a sudden that’s being classified as data that’s owned by somebody else that I couldn’t possibly access or use.
DUTTON: Yeah, well, we’ve been involved since the start of this particular case, which is known more generally as Project Red Card.
DUTTON: We provided the legal opinion through Dean Armstrong QC.
DUTTON: And this is about professional footballers who have had their performance and tracking data effectively processed and used by sports data companies, gaming companies, and betting companies without the players’ consent.
DUTTON: And there is a wholesale industry here, which has brought up over the last decade.
DUTTON: And the players are not benefiting from the amount of money that’s being made by these companies.
DUTTON: And we are actively involved in making sure that they are represented, and they can in fact be compensated for the use of their data by these companies.
DUTTON: So we’ve been involved in that.
DUTTON: I can’t say too much at the moment about it, because it’s ongoing, but it is nonetheless, as you say, reflects a fundamental shift, turning of the dial in the way in which data and personal data rights, and this is something that Dean has emphasized, is that personal data rights will become one of the most valuable asset classes in the world within the next three years.
DUTTON: We’ve actually seen a Supreme Court verdict in the US recently, which effectively releases all these college basketball and college football players allowed to use their name, image, and likeness and profit from it, whereas previously it’s all been done by the colleges in a sort of collective bargaining agreement.
DUTTON: So the tectonic plates are shifting, Paula, in sport, and we’re right at the heart of that.
PAULA: Well, yes, I can see the scale of the…
PAULA: I don’t know what the right word is to use here, the challenge and the level of awareness and education, I suppose that’s required.
PAULA: And one of the reasons I love the way you work is that you do come in from an external expert perspective to advise, whether it’s a loyalty program manager, director, anyone who’s working with data, I know you work in a particular way to do essentially a data health check, to help people and to help companies, I think more accurately, to assess where they are in terms of their compliance with the various rules and regulations, and I guess advise areas for improvement.
PAULA: So I’d love you just to talk through, first of all, is that an accurate description of your data health check?
DUTTON: Yes, it is, in essence, there’s probably four aspects to this health check.
DUTTON: Okay.
DUTTON: And there’s plenty of people out there who can conduct this.
DUTTON: There’s no doubts about that.
DUTTON: What’s unique about ours is this, is that once you’ve been through what we call the documentation review, and there’s probably about five documents which really give you a sense of the organization, from the privacy policy through to the data flows and the data protection impact assessments.
DUTTON: You get a feel, and once you’ve also had a look at their internet-facing security, which we do through some open-source intelligence tools, you get a feel for the business.
DUTTON: We write the report and we come in and we offer the C-suite of the organization a 90-minute session with Queen’s Counsel under legal privilege.
DUTTON: So it’s an independent assessment, and it’s the opportunity for the organization to ask those questions about do we have a legally defensible position?
DUTTON: And they can do it in the knowledge that whatever is said is said under legal privilege.
PAULA: Okay.
DUTTON: And that can therefore be addressed in private, because so many organizations get really, really stressed and irritated by people coming in and saying, well, you’re doing it unlawfully.
PAULA: Totally.
DUTTON: And so that’s one of the special areas that we address.
DUTTON: And particularly then, in a 90-minute session, there’s an awful lot of questions you can get at, get in front of one of the leading authorities in the world on data.
PAULA: Brilliant, brilliant.
PAULA: Yeah, no, as I said, I’ve definitely been in the category of people getting stressed, because so much of it feels subjective, and it’s hard to know who to trust.
PAULA: And it’s an ongoing problem, like any loyalty program I’ve ever worked on, it rears its head constantly.
PAULA: And I feel like I wish we could just have some people that would just take ownership of this so I can get on with doing the business, in the way that is compliant so that members are comfortable with, without wondering if I’m going to trip over myself constantly.
PAULA: So I think that that’s an extraordinary opportunity to have that C-suite visibility, as you said, address any particularly sensitive subjects, review it and get it fixed, you know, because it just can’t be ignored any longer, if I’m correct, you know?
DUTTON: No, you’re right.
DUTTON: I think ignorance is no defense, certainly.
DUTTON: And one of the things that Dean says on a regular basis to the C-suites that he addresses is if you are in the courtroom, the first question that you will be asked by leading counsel will be, did you take independent expert advice?
PAULA: Ah, yes.
DUTTON: And the answer to that is an interesting one, because if you say no, then you’re clearly not taking the ICO’s guidance.
DUTTON: If you talk about the UK’s data protection authority.
PAULA: Mm-hmm.
DUTTON: But if you haven’t taken it, you’re in trouble.
PAULA: Mm-hmm.
DUTTON: Immediately on the back foot.
DUTTON: And if you have taken it, then it’s a great way then of demonstrating how you have achieved a legally defensible position.
DUTTON: Because one of the challenging things about the GDPR, Paula, is there is no certification process to say we are GDPR compliant.
PAULA: Yes.
PAULA: Yeah.
PAULA: Trained and expert and knowledgeable.
PAULA: Exactly.
PAULA: Yeah.
DUTTON: And there is no company certification process either.
DUTTON: So it’s yet to be deployed.
PAULA: Yeah.
DUTTON: So we maintain that the best position you can have is to have a legally defensible one.
DUTTON: Yeah.
DUTTON: And that’s what we’ve offered and delivered to several of our clients, particularly in the more challenging areas around facial recognition technology where we work.
DUTTON: And you have these areas of really sensitive data.
DUTTON: Special categories of data, they’re called under regulation, where you’re dealing with biometrics and other special categories, which ironically also includes trade union membership.
PAULA: Interesting.
DUTTON: It’s extraordinary, really.
DUTTON: But anyway.
PAULA: Yes.
DUTTON: I digress.
PAULA: Indeed.
PAULA: And you’ve reminded me, I know what has been mentioned, for example, in a COVID pandemic context, for example, about contact data, tracing data.
PAULA: So despite everybody’s obviously alarm and concern about the virus, in some countries, and I believe Norway was one, they were unable to capture the data they wanted to for tracing purposes because that would have violated data protection.
PAULA: So again, comes back to the same point, I think, Richard, where you do need expert guidance.
PAULA: And the point that actually did surprise me that you said there about the opening question is the independent legal counsel, because my experience again, working for a lot of big companies is, there would be an in-house legal counsel.
PAULA: So is that not considered sufficient?
DUTTON: Well, there’s no doubt that lots of companies have general counsel and internal legal expertise.
DUTTON: They will also have solicitors and advising them.
DUTTON: So I’m not for one moment suggesting that that isn’t appropriate.
DUTTON: It is.
DUTTON: But our argument is that if you want to achieve the belt and braces approach, seek independence to challenge that.
DUTTON: Because one of the things that’s happening is, case law is happening all the time, and you’ve got a very, very developing situation.
DUTTON: And by that, I mean it changes.
DUTTON: And so therefore, having an independent assessment will work.
PAULA: Okay.
PAULA: Okay.
PAULA: Perfect.
PAULA: I got it.
PAULA: So talk me through this key documentation that you mentioned is normally what you look at.
PAULA: So I think you said there’s three or four or maybe even five pieces of data that you would look at if you were brought in to do an independent health check.
PAULA: So tell us just at a high level, what exactly do you look for?
DUTTON: So the first thing we’d look at is the privacy policy.
PAULA: Okay.
DUTTON: Because that’s the policy that is the window onto the world, that everybody have an obligation to put it on your website.
DUTTON: And so that’s the document that we scan, we look at to check whether it’s been updated since May of 2018, for example, because so many companies did it up to 2018 and have left it.
PAULA: Posted and forgetted it, yeah.
DUTTON: So you immediately know if it’s dated May 2018 that they have not taken into account any of the case law.
DUTTON: And so you know that they’ll be operating unlawfully.
DUTTON: They won’t be controlling their data.
DUTTON: So that’s the first.
DUTTON: Cookies is the second.
DUTTON: There’s been case law over the last couple of years, which has changed the cookie laws.
DUTTON: And it’s really obvious to spot those people who haven’t changed their cookie consent, because it’s all about.
PAULA: Yeah, that’s quite visible.
PAULA: Yeah, I’ve seen that one.
PAULA: Yeah.
DUTTON: So the third one would be the data protection impact assessment, which again needs to be a living document.
PAULA: Okay.
DUTTON: Iterative in the sense that it changes.
DUTTON: The fourth is the data flows.
PAULA: Okay.
DUTTON: And it’s really important, because if you don’t understand where your data is going, you can’t ensure it’s being protected properly.
PAULA: Yeah.
DUTTON: So we look to see that.
DUTTON: And then the final document, lots of organizations rely on something called legitimate interest as their lawful basis of processing data.
PAULA: Okay.
DUTTON: And if you do that, then you have to have done a legitimate interest assessment, which in itself is a document that requires quite special attention.
DUTTON: So those are the five.
DUTTON: And then we’ll marry that with, as I said earlier, open source intelligence tools, which we use to check the internet facing security of a company.
DUTTON: And we’ll also do a search of the dark web as well to see if there’s any evidence of data breaches or emails that may be compromised.
DUTTON: So those are the first two elements.
DUTTON: We then write up the report and the Q&A session follows that with the QC.
PAULA: So from start to finish then, Richard, let’s say somebody’s listening to the show.
PAULA: And from what you’ve said to me before, my understanding is it could be from the brand side, it could be from the platform side, it could be in the context of mergers or acquisitions or IPOs.
PAULA: How much time do you think any company should allocate to bring in you guys to go through this entire kind of health check process?
DUTTON: Typically, it takes somewhere between 30 and 45 working days.
DUTTON: In terms of timeline, that, Paula, as opposed to the number of days.
DUTTON: Yeah, got it.
DUTTON: But it depends on two key things.
DUTTON: Number one, you have to have the buy-in from the CEO.
DUTTON: And number two, you have to have the availability of the key personnel and the organization.
DUTTON: That might be the data protection officer.
DUTTON: It could be the CTO, CMO.
DUTTON: But you need to buy in.
DUTTON: Otherwise, it doesn’t work.
DUTTON: We’re currently advising an organization whose CEO is insistent on going through an IPO.
DUTTON: And they need to be in a position where they can’t be compromised when they go to market.
PAULA: So it’s kind of their own due diligence, actually, even before they go through the IPO process?
DUTTON: Yes, because in this particular organization’s case, a firm of lawyers looked at their data protection situation and said it wasn’t up to scratch.
DUTTON: So they came out to us as an independent organization to do the health check and recommend and remediate where appropriate.
PAULA: Wonderful.
PAULA: Wow.
PAULA: Well, I mean, I can hear the potential for peace of mind.
PAULA: I think I said to you, I was kind of like going, oh, my God, I don’t know where to go with this topic because it is so fundamental to the loyalty industry.
PAULA: But yet I feel the scaremongering.
PAULA: I think you used that word yourself earlier, Richard.
PAULA: I hear much more of that than I hear solutions.
PAULA: So I’m really happy to hear that you do have solutions, recommendations, and I suppose just that expertise to know, OK, what is the first question I’m going to be asked?
PAULA: And can I answer it in a way that at least shows responsibility?
PAULA: And I think intention, if I’m right, Richard, is a word that seems to come through.
PAULA: You said it’s not a fixed measurement.
PAULA: It’s more like were you as responsible as you could have been or should be expected to be?
DUTTON: That’s a very good point, actually, because one of the key aspects and principles of the data protection regulation in Europe is transparency and accountability.
DUTTON: So those two.
DUTTON: And within that as well, it’s about being proportionate, proportionate to your business.
DUTTON: We always say, I mean, there’s the principles of privacy by design.
DUTTON: Well, we talk about custom by design, enduring by default.
DUTTON: So each business is different.
DUTTON: So you customize by design for the business to ensure that it’s enduring by default.
DUTTON: You made a good point earlier.
DUTTON: Enduring by default means you can, it happens as part of business as usual.
DUTTON: What so many organizations are faced with at the moment is the pressures of business as usual, but still trying to then remediate some of the issues they’ve got around the data protection.
DUTTON: So if you build and design it right, it becomes part of business as usual.
DUTTON: And that’s what would be a real slam dunk for any organization.
PAULA: And I do remember seeing again, having done a bit of reading around GDPR when it came out, there were companies positioning it as an opportunity to really showcase integrity around taking care of your customers.
PAULA: And even certainly in my part of the world, Richard, which from what you said earlier, I’m possibly covered under GDPR, but I’m not in Europe.
PAULA: But many companies I believe here in Dubai, for example, in the UAE, would follow GDPR practices and principles, even though not legally required, for example, for local customers, but just to be seen to be doing what they can do in terms of global best practice.
DUTTON: Yes, I think that’s right.
DUTTON: I think the opportunity is competitive advantage.
DUTTON: If you are, as an organization, you’re looking at best practice.
DUTTON: And I mean, your rights as a European citizen, you have them in Dubai.
DUTTON: But it doesn’t matter where, I mean, you might be in the Far East as an expat.
DUTTON: For example, my nephew is in Singapore.
DUTTON: So you have the challenge of Singapore law and the data protection laws in the UK.
DUTTON: I think there’s an awful lot of, if you look at some of the web services companies, they’re hosting all over the world and they can shift between continents.
DUTTON: And that’s what’s happening, particularly when you look at some of the solutions to the problems of data transfers between the EU and the US, that lots of US companies are now saying, right, we will move our hosting to Europe or to the UK, for example, rather than have it go to the US.
PAULA: Yeah, yeah.
PAULA: And certainly Ireland has done extremely well.
PAULA: Now, not mainly from a privacy perspective, it’s more of a taxation incentive that we do have Facebook, we have Google, we have HubSpot, we have, I think, most of the biggest tech companies in the world have their European headquarters in Ireland.
PAULA: So we do get, I think, a lot of attention around how our data protection laws are being enforced, particularly for American companies.
PAULA: So yeah, it’s certainly top of mind.
PAULA: And yeah, I certainly feel like it’s not going anywhere soon.
DUTTON: Now, your commissioner in Ireland is under a lot of pressure at the moment, Paula, getting a lot of stick, even from the European Data Protection Board, because they haven’t been able to process so many of these complaints.
PAULA: I did hear that.
PAULA: Yeah.
DUTTON: And I think they’ve been taken to court along.
DUTTON: You know, the privacy activists are, in fact, I think it’s the Irish Civil Liberties who have taken them to court.
DUTTON: But the UK’s ICO is also being taken to court for not enforcing.
DUTTON: So there’s a lot of tension.
PAULA: Yeah.
DUTTON: Apart from, you know, the COVID pandemic induced tension, you’ve got a lot of tension building up in Europe about this.
DUTTON: And increasingly, the European Data Protection Board looking at ways in which they can get consistency of decision making and in rulings across Europe as well.
DUTTON: So that’s one to look out for.
PAULA: So I guess the only other question I had then, Richard, was for anyone who is listening, if they do want to, first of all, you know, maybe do a bit of their own kind of research preparation, are there, you know, general areas that they can stay up to date?
PAULA: Or would your advice be generally, actually, it’s quite specialized.
PAULA: So, you know, whether it’s internal counsel or external advice, what do you think loyalty professionals should be doing with this whole increasing awareness, let’s say, and the tectonic plates situation?
DUTTON: Well, I think that from a loyalty marketeer’s perspective, let’s just say, or anybody who’s in the space or a loyalty program, if you haven’t looked recently, you need to review your own privacy policy.
DUTTON: The first thing I would be doing is saying, well, if you just follow that train, you’ve got to know what you’re looking for.
DUTTON: One of the things about training and the knowledge of the GDPR, there’s plenty of training modules out there.
DUTTON: It’s very easy, and there’s some really good stuff.
DUTTON: But it’s the refreshing because of the case law changes.
DUTTON: And that’s where people may have missed the case law that we’ve referred to previously.
DUTTON: I think the data transfer and data sharing, data sharing is something that people overlook and into their supply chain, particularly.
DUTTON: Because outside of the whistleblowers, internally, the data sharing is where the problem has been.
DUTTON: If you look at some of the big data breaches that have happened in the last six to nine months, SolarWinds in the US, where Microsoft had their source code compromised, which has impacted companies globally.
DUTTON: There are too many unknown unknowns right now.
DUTTON: Too many sophisticated hacks, which I come back to, the internet is broken.
DUTTON: And this is a combination of checking your security, but also checking your governance and your compliance.
PAULA: Well, wise words indeed, Richard.
PAULA: Thank you for those.
PAULA: Are there any other important points that maybe I haven’t asked you about before we wrap up?
PAULA: And of course, then I do want to make sure people know where to find you.
PAULA: So maybe you’d address those two for me.
DUTTON: Now, my final point would be, I’d just like to reiterate.
DUTTON: Remember, your company is unique.
DUTTON: So custom by design, enduring by default should be your mantra.
DUTTON: The second thing is you can find us at Elias Partnership.
DUTTON: I’m on LinkedIn.
DUTTON: So happy to have an initial chat with anybody.
DUTTON: No obligation.
DUTTON: It depends what sort of organization you are, if we can help.
DUTTON: What we do say is, if your philosophy is, I’m happy to take a fine.
DUTTON: There’s a cost to doing business.
DUTTON: Please don’t waste my time because we can’t help you.
PAULA: Well, I’m actually relieved to hear that, Richard, because it’s a reality.
PAULA: So, I mean, clearly you’re speaking from experience, but they’re not the kind of people I want to do business with either.
PAULA: And I know it’s impossible to be perfect, given what we’ve talked about in terms of the perfect storm.
PAULA: But yeah, let’s at least set out with our integrity and our intentions intact so we can do the best possible job.
PAULA: So yeah, thank you for that.
PAULA: So wonderful.
PAULA: OK, so Elias Partnership, I’ll make sure we link to that in the show notes.
PAULA: Obviously, if anybody wants to reach out to me directly, Richard, I’ll make sure to send them your way.
PAULA: And yeah, I just really want to say thank you so much for all of the incredible work you put into preparing for today.
PAULA: I know you do this data health check probably day in and day out, but I really needed to be spoon fed a little bit of the process to understand exactly what you do, because again, I’m just coming at it from a practitioner’s point of view.
PAULA: So yeah, really want to say thank you so much for your time.
PAULA: So Richard Dutton, Managing Director for Elias Partnership.
PAULA: Thank you so much from Let’s Talk Loyalty.
DUTTON: Thanks Paula.
DUTTON: I’ve enjoyed it.
DUTTON: Thanks.
PAULA: This show is sponsored by The Wise Marketeer, the world’s most popular source of loyalty marketing news, insights and research.
PAULA: The Wise Marketeer also offers loyalty marketing training through its Loyalty Academy, which has already certified over 170 executives in 20 countries as certified loyalty marketing professionals.
PAULA: For more information, check out thewisemarketeer.com and loyaltyacademy.org.
PAULA: Thanks so much for listening to this episode of Let’s Talk Loyalty.
PAULA: If you’d like me to send you the latest show each week, simply sign up for the show newsletter on letstalkloyalty.com and I’ll send you the latest episode to your inbox every Thursday.
PAULA: Or just head to your favorite podcast platform.
PAULA: Find Let’s Talk Loyalty and subscribe.
PAULA: Of course, I’d love your feedback and reviews, and thanks again for supporting the show.