Olivia Walker – The Implementation of GDPR

All around the world companies, small and large, make use of marketing agencies to deliver and nurture their services and clientele. To this end agencies have some of the most client to business interaction, are themselves companies with employees and legal matters to attend to, and like any company, must adhere to regulations and be aware of compliance procedures worldwide.

Over the flowing pages, Lawyer Monthly hears from Olivia Walker, General Counsel & Company Secretary at Creston plc, based at Creston House in Soho, London.

Here Olivia reveals the ins and outs of her General Counsel role at the Creston Group, but in particular about the implementation of the EU’s General Data Protection Regulation (GDPR), which was introduced in the first quarter of 2016, and will come into force in 2018. Olivia talks about the challenges in implementing the regulation, the rewards therein, the priorities for businesses at this sensitive turn, how it will affect the marketing sector in Europe, and the overall impact it will have on her role as the legal counsel of the Group.

What kind of legal matters do you generally deal with at the Creston Group?

My role is broad and covers anything and everything with a legal flavour. My time is divided between our 27 Unlimited agencies and Creston plc; with over 900 employees I am kept busy! For the Unlimited agencies, my key focuses are commercial contracts, intellectual property and data protection. For Creston plc my focus is on M&A, international partnership activity and corporate governance. From April this year my role expanded to Company Secretary, which as well as participating in Board meetings, involves working on the Annual Report and Accounts, preparing for the AGM and recently, ensuring our governance procedures comply with the EU Market Abuse Regulation, which came into force in July this year.

Can you tell LM how the EU’s GDPR package will benefit businesses across Europe? Are there any disadvantages?

Big data is increasingly being used in the world of marketing and it is essential for the Unlimited Group, in common with many businesses across Europe, to look at their systems and the way they handle personal data to ensure compliance with all applicable legislation. In my view, a key benefit of the GDPR to businesses is that it will give their clients confidence in how they are handling personal data and help restore trust that might have been eroded through recent high profile data leaks. Additionally, harmonisation of the legislation is another big plus for EU data handling; everyone has the same set of rules and, for example, we don’t have to worry about whether the German Telemedia Act requires explicit consent in the same way as the Data Protection Act 1998. The disadvantages to businesses are the time and management costs of implementing the GDPR and ensuring on-going compliance.

What should businesses be prioritising now and can we expect UK enforcement despite Brexit?

At Creston we have set up a dedicated Cyber & Information Security Committee. This involves IT and data experts across the Unlimited Group to ensure the business is GDPR compliant when the regulation comes into force in May 2018. Firstly, we conducted a group wide audit of the personal data held across the group. This information then allowed us to identify the next steps to update systems and the way we store data to allow us to effectively implement new rights, such as the right to be forgotten. We have also been prioritising group wide training on the impact of the GDPR and key differences from the Data Protection Act 1988 so that all levels of the business can start thinking about how these changes will impact them.

As for the impact of Brexit and the GDPR… the prevailing viewpoint is that some form of the GDPR will be adopted in the UK. At Creston, our approach is to prepare for the GDPR in a ‘business as usual’ manner. Regardless of where the UK gets to, it is important for the Unlimited Group to be compliant with the GDPR in light of our European client base. Data protection should be a race to the top and ensuring compliance with the highest standards.

What will the new GDPR rules entail for businesses such as Creston and its agencies? How will it directly affect your work as GC?

Our agencies are predominantly data processors rather than data controllers. The new legislation introduces direct compliance obligations for data processors with the same increased liabilities which apply to data controllers. Several of our agencies within the Unlimited Group already hold ISO27001 accreditation and we have data protection experts across the group. The new GDPR rules will require additional work on the policies, procedures and systems already in place to ensure compliance with the changes.

As GC, the emphasis will be on training and working with the agencies to translate the legislative requirements into actionable workstreams. The GDPR affects our business not only with regards to the limited personal data we hold, but more importantly when working with clients. For example, when designing and building client websites to improve user experience, if those websites collect personal data, we need to build a site that allows our client to comply with the GDPR, such as explicit informed consent mechanisms.

How would compliance with the regulations be implemented across the Group, and similarly across UK marketing sector?

As mentioned, at Creston we have set up a dedicated Cyber & Information Security Committee which is currently working through this question! Increasing agency wide knowledge through training is a key step – you can put in place compliant systems and policies, but they will fall flat unless employees are aware of them and their importance. Data protection needs to be seen as a positive for businesses, being a tool with the ability to win and retain clients, rather than an administrative burden.

Creston is strongly focused on risk mitigation. Data protection goes hand in hand with cyber security and this has been a key area of focus for our business as part of our GDPR preparation. Additionally, risk mitigation involves ensuring adequate contracts are in place with clients and suppliers containing suitably robust data protection and handling clauses.

Across the UK marketing sector generally, implementation focus may be on the new right to object to profiling and how best to achieve appropriate consent mechanisms to allow the sector to continue such activities. Further guidance from the European Data Protection Board is expected on this, which no doubt will be welcomed by the industry.

Would the logistic implementation of the regulations differ across sectors?

Definitely. Each business and each sector will have distinct focuses and the legislation will impact them differently, requiring bespoke changes to their business to ensure compliance. Whilst some new provisions, such as the data breach notification rules will affect everyone, others, such as the right to object to profiling, is specific to certain industries – such as marketing, banking and insurance. Furthermore, the risk based approach to compliance adopted by the GDPR will result in different implementation logistics across sectors.

Do you think this will make your job as GC easier or more difficult? Please explain.

A combination! In the short term, there will be a lot of work to get ready for the GDPR, and the training and monitoring aspects will be ongoing. Once Creston is GDPR compliant, I am not sure whether my role will be easier, but there will be an increased level of confidence that we are looking after our clients’ personal data correctly and also helping our clients to be compliant through the services we perform for them.