Hot Topics in GDPR – Part Two

N.B. This article is a transcript of TheGDPRGuy Podcast Episode 7 – Hot Topics in GDPR – Part Two from March 2018.

In this episode I’m going to talk about some of the common questions I’m hearing in the GDPR world and also recommend some great tools I’ve seen recently.

First off, I must get asked the same question every day: can someone in IT be their company’s Data Protection Officer? And generally the answer is, “No”. It’s a pretty frustrating situation because the person with the greatest insight into a company’s data and how it is processed, as well as the most data protection understanding, is usually an IT manager or CTO, yet both these roles are prohibited from being the DPO due to the conflict of interest. As I’ve said a few times, the DPO is an auditor and advisor role that has to have some independence from the actual “doing” of data processing. You can’t mark your own homework, so to speak. So if you do need a DPO, ideally you’ll be looking for someone else in the organisation who sits in a governance and compliance role, but this isn’t common outside of large companies, so you may want to look for outside assistance. As someone who does this every day, I know there are lots of great people out there who can help.

One fascinating thing about all the GDPR projects going on right now is the different approaches everyone is taking. No one approach is best, whatever a consultant may tell you about their special methodology. Something that does concern me, though, is where people over-focus on policy as the most important part of GDPR. Personally, I’d put it pretty low down on the list. There’s a great quote from the famous management consultant Peter Drucker, “Culture eats strategy for breakfast”, and this definitely applies here. Every Data Protection Consultant and DPO under the sun can tell your employees what the company policies are, but if the culture of the organisation is to be slapdash with data then policies won’t make any difference. Culture drives behaviour. Policies don’t. So my advice is to focus heavily on culture and behaviour and get buy-in at all levels to keep them on track.

I hear a related question from American companies: “Why should I care about GDPR?” In an ideal world I’d talk about ethics, being a moral authority and doing the right thing. But that’s not really what people want to hear, nor is it their primary concern in the business world. I’m not here to pass judgement on whether it should be or not, but I do know that businesses should focus on whatever matches their corporate objectives. And one of those is always to build a solid bottom line, and therein lies the primary reason why American companies should care about GDPR. If you want to trade with the EU then you will need to be compliant. And I’m not talking about fines here. Yes, if you trade with the EU then you’re in scope for being fined if there’s a breach of compliance, but that would be a rare event. The real threat is your clients seeing that you’re not complying with the regulation, giving you the swerve and moving to your competition.

It’s something I’m doing right now on an almost daily basis. As a Data Protection Officer I’m performing due diligence on suppliers, and if one gives me a bad answer on its Data Protection story, then I’ll start to look elsewhere. It’s all about risk, and I’m here to minimise the probability and impact of my organisation’s data being poorly protected.

So for American companies it’s a pretty simple position. Your clients are measuring you up, right now, and it’s up to you whether they’re worth the effort, or if you’d rather lose them to the competition. If you want to trade with the EU, or trade with clients that themselves trade with the EU, then GDPR should very much be on your radar.

Speaking of competition, there does seem to be a battle over which website can provide the best Subject Access Request self-service tool. Social media platforms are leading the way, with Facebook’s being the longest standing, but LinkedIn’s page is pretty good too. For LinkedIn, just go to your settings page, select Privacy and then go to the “Download Your Data” option. It takes about 24 hours, but in that time you’ll be sent virtually all of your data. I say “virtually all” as there have been a few reports of some items missing, such as comments on posts, but I’ve yet to see that issue for myself.

My favourite access request tool at the moment is Google’s system, named Google Takeout. Just go to the Takeout page and you’ll be able to export all of the data you’ve given to Google, such as your email, bookmarks and Hangouts conversations. Google neatly shows the format it will export your data in, such as JSON for location history and vCard for contacts. As with any form of access request, Google is giving you access to what it can and what it wants to give you. So it’s hard to know what it is not including in that export list. The “unknown unknowns”, as Donald Rumsfeld famously said. Despite that, it’s a very impressive set of functionality and a system that many of us should aspire to have in our toolkit for GDPR.

As we get closer to May, it’s great to see HR teams starting to tighten up their processes. But an area that is causing some debate and plenty of questions is employee health data. Generally, I’m asked, “Is it still okay to ask for health information when people have been off sick?”

There are a few things to unpack here.

Firstly, in the UK anyway, there isn’t much of a change in Data Protection law between the 1998 Data Protection Act and the GDPR as implemented by the new 2018 Data Protection Act. So Data Protection law doesn’t stand in the way of employers asking for the medical reasons for an absence. So, yeah, you can “still” do it, but should you?

Imagine a scenario where one employee has been off sick for a week due to mental health issues. Do you think they’ll want to discuss those with HR? And how will HR use that information? Could it be used prejudicially? Now compare that to if the employee had advised they had been suffering from gastroenteritis instead. Would HR accommodate them differently somehow? Would they expect future absences as a result? Would they move their desk closer to the toilet just in case it returns?

In almost all cases, employers do not treat or accommodate employees differently based on different medical conditions. So why ask? Why risk causing an employee to prefer to lie about a condition they don’t feel happy discussing?

If you truly need to know, then you should document why and be very open with your employees as to why you’re asking and what purpose it serves both you and them. The law supports you here.

Just remember that medical information is “Special Category” data and needs to be very well protected. It could be used against the employee, and it could present a significant problem if it is inaccurate, which it most likely will be, considering that many employees will just say that they have been off with sickness or flu.

But keeping it simple, my advice is to go back to square one and think about what you genuinely want to know, which is usually, “Are you okay now?”, “Is there anything we can do to help you going forward?” and “Do you expect any future absences as a result?” None of these require medical information and, following the principles of the GDPR, all of them are “fair”.

And finally, my recommendation this week is for something completely outside of the world of GDPR. If you’re like me then you probably spend far too much time on your mobile phone each day. But rather than me doing the thought leader, life coach guru thing of telling you not to, instead I’m going to recommend you put five minutes of that time to good use and download the Duolingo app. Duolingo, that’s spelt D U O L I N G O, is an amazing app that’s completely free and helps you learn a language with daily fun lessons. They gamify the hell out of it, so it’s highly addictive and keeps you incredibly motivated. As a general rule, I hate learning languages. My brain just isn’t wired for it. But with a few minutes of this addictive app each day I’ve started to get fairly okay at Spanish, and it removes some of the guilt of excessive phone screen time. Duolingo is the most popular education app on the App Store and is famously used by both Bill Gates and me. So it must be good.

Images in this post have been kindly provided by:

Amie Johnson (Unsplash)

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.