B2B Legal Counsel Shares Game Plan For GDPR Compliance: Exclusive Q&A
- Written by Klaudia Tirico
- Published in Industry Insights
Last month, Demandbase appointed Fatima Khan as its new Chief Privacy Officer. With her extensive privacy, data and technology law experience, Khan is responsible for maintaining and evolving the company’s global privacy program and driving strategies to ensure compliance with global privacy and cybersecurity requirements, including the upcoming General Data Protection Regulation (GDPR).
With the GDPR deadline quickly approaching, B2B companies are working to prepare for and adapt to the new compliance standards it brings. In a nutshell, the GDPR is intended to protect the personal data of individuals in the European Union. Regardless of where they are located, companies that process the personal data of individuals in the EU are required to be GDPR compliant by May 25, 2018.
Demand Gen Report sat down with Khan to learn more about the actions she’s taking to ensure Demandbase is prepared for GDPR. She also shares tips on what B2B companies should know about preparing for GDPR and adhering to the standards after the deadline hits.
Demand Gen Report: How has your past privacy and data experience helped you prepare for your new role at Demandbase?
Fatima Khan: In the past, privacy law was more of a niche area. In the past few years, it has become a mainstream issue that affects all companies around the globe. I think seeing that dynamic change in the law and addressing it from company to company throughout the years has been a great starting point to address another dynamic change in the law, such as the GDPR, for Demandbase.
DGR: What is your first order of business as Demandbase’s new CPO?
FK: The first order of business is really looking at where we are right now and figuring out where we want to be by May 25, which is the GDPR deadline, and making sure that all those compliance actions are prioritized and put into place. It’s really about driving that change and managing it.
DGR: What are your thoughts on the current state of GDPR compliance in the B2B industry?
FK: I think GDPR compliance is particularly important for the B2B industry because no company wants to do business with another company that’s going to be a liability for them. I don’t think companies are necessarily struggling to comply, but I think that they’re trying to better grasp what this regulation entails for their company. That interpretation may vary across the industry based upon that company’s role in the ecosystem and the data they process.
The GDPR is a big departure from where we were before with European law. Under previous law, member states — meaning different countries in Europe — could pass differing laws that interpreted the EU’s overarching privacy law, the EU Data Protection Directive. Now, the GDPR harmonizes EU privacy law across the EU member states and puts in place a single, dominant privacy law. The fines are also much greater than they used to be and are meant to be dissuasive – up to either 4% of annual turnover or about €20 million (whichever is greater). Based on fines alone, it’s now a much bigger risk area for companies than it used to be. Typically, what you’re used to seeing from the UK ICO or other Data Protection Authorities that enforced within the region would be fines around £500,000 for a data breach, or even sometimes lower. This is a huge jump in the potential penalties and it has a huge global effect because the GDPR doesn’t only apply to companies within Europe, but goes beyond territories to apply to any companies that process EU individuals’ data.
DGR: What steps are you taking to ensure Demandbase is GDPR compliant?
FK: Demandbase has done a number of things to make sure that they are GDPR compliant. We started by initiating a gap analysis within the company that enabled us to determine which compliance actions we wanted to put in place first. Among the compliance actions that we identified and are working towards are implementation of a legal transfer mechanism of personal data from the EU to the U.S. For us, that specifically means we’re working towards implementing Privacy Shield compliance instead of relying on EU Model Clauses. In addition to that, we have examined our internal processes, updated trainings and are in the process of updating policies internally and externally. Our goal is to make sure that our company is prepared not just from a documentation standpoint, but from an awareness standpoint as well. Another initiative we’ve taken is building out our tools to handle data subject access requests, which is a big part of the GDPR’s requirements as well.
DGR: In the press release announcing your appointment, Chris Golec mentioned the company wants to ensure it hits its privacy goals. Can you share what some of those goals are that would be relevant to other B2B companies?
FK: The company has an overarching privacy goal of making sure that it has a compliant and aware workforce that handles personal data responsibly. In addition to our overarching goal, we have the GDPR deadline, which is coming up fast. By then, we’re hoping to implement a series of steps to help us fully comply with the GDPR. Ensuring your workforce knows how to properly handle personal data is a key goal for any B2B company that hopes to comply with the GDPR.
DGR: Is there any training involved for the staff? How are you communicating with the entire Demandbase staff and the marketing team to ensure everyone is on the same page?
FK: One part of our privacy awareness campaign and goal of having a workforce that is aware is training. Training employees on privacy is something we’re embracing within Demandbase. We’re working on rolling out privacy training specifically focused on employee obligations to handle data under Privacy Shield, as well as privacy training specifically focused on the GDPR. In addition to that, we already have security training for our workforce. We’re also planning to release role-specific training that pertains to how individuals handle personal data and their responsibilities in that role.
DGR: Are there any technologies that you’re specifically using for this training or for GDPR compliance in general?
FK: The technologies we’re using for GDPR compliance are both tools we’ve built internally and external vendors. Some examples include an LMS [Learning Management System] for recordkeeping and a consent manager tool on our website. In addition to that, we have internal technologies that we’ve built out for handling data subject access rights.
DGR: Once the deadline for the GDPR hits and you have all your ducks in a row, is there maintenance involved to keep up with the compliance and make sure everything stays on track after the deadline?
FK: The GDPR is not a one-and-done type of thing. In addition to ongoing awareness for our workforce, there are aspects of our compliance program that we will have to examine on an ongoing basis. For example, whenever we roll out new technologies or update existing ones, we will have to make sure that we have an Article 30 Record of processing in place and determine whether or not we need to conduct a data protection impact assessment, in addition to other compliance actions. The GDPR itself isn’t a single compliance action, but it delineates a set of rules for how you need to treat data within your company going forward.
DGR: Why do you think it’s important for companies to appoint positions similar to yours for the future?
FK: It’s important because, depending on the type of data processing you’re doing, you may be required to put in place processes to protect it under law and will need someone to manage this. Another important thing to take into account is that no company wants the other company that they’re partnering with to be a legal liability or cause a privacy or security incident. As such, having somebody within an organization to help prevent that from happening will serve as a good step for the company and will help promote awareness and integrity when employees are tasked with handling data in an organization.
DGR: Any final advice you would give to companies working to make the deadline and adhere to GDPR?
FK: One thing to understand if you’re in the tech space is that data is really the key to many products and partner trust right now. If your data is not an asset for you — meaning it’s not legally processed — then it is worthless. It’s incredibly important to make sure that you’re treating that data in accordance with legal requirements because you want data to be an asset to your company rather than a liability.