Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. This is Part Two of a two-part episode in which we discuss the role of a UK GDPR Representative. You can revisit Part One on our main podcast page at https://plainenglish.law/podcasts/.
In Part Two, Dayle and I talk about:
DR: In the last couple of years, I’ve come across a lot of GDPR “experts”. I don’t know why I use air quotes on a podcast, but I hope they can hear my tone of voice: experts. What could I, as the consumer or the conscientious business owner, look for as a seal of approval? A stamp that says this person actually knows what they’re doing, they’re not just reading some stuff off of Wikipedia and then rehashing information? What quality assurances can I look for when looking for a GDPR Representative?
TF: Well, you can look for certification from the IAPP. The IAPP is the International Association of Privacy Professionals and it’s an organisation with about 50,000-odd members across the world, based largely in the US and in Europe but very much a global organisation.
They have a certification scheme for European, Canadian, US, and Asian privacy expertise. You could look for someone who has the designation CIPP, which is a Certified Information Privacy Professional. I’ve got that designation for Europe (CIPP/E) and I’m working on the one for Canada (CIPP/C).
The CIPP certification is definitely a mark that shows that, number one: not only do you take the issue seriously, but you’ve passed a certification programme to demonstrate your knowledge of privacy law in that part of the world that you’re certified for. So that’s certainly one seal you can look for.
But aside from that, to be perfectly honest, there is no professional regulation of GDPR expertise. Anyone can call themselves a GDPR expert, and it does require a certain amount of due diligence on the part of the purchaser to dig a little bit deeper and find out if the person they’re talking to is actually knowledgeable about the topic.
And that’s a difficult thing for somebody to do when you are coming at it from outside of the UK or outside of the EU – you’re not actually subject to the GDPR in your day-to-day business quite the same way, so it can be a real challenge.
And really, it’s like any other professional service. You’re just going to have to talk to some people, talk to different service providers and decide who you’re comfortable going with.
DR: Have you ever come across any so-called experts and realised that what they’re saying isn’t correct? And are there any red flags that we could look for? You told us what we can look for as positives, but are there any phrases that people use that aren’t quite right? Or is this too broad a question?
TF: It is pretty broad. It’s difficult, especially because I’m talking a lot about Canada here. But if you’re talking about GDPR and the GDPR “expert” immediately starts talking about “getting consent”, they may or may not know what they’re talking about.
My experience is that consent is important under GDPR in some circumstances, but it’s not the be-all and end-all. In the early days of GDPR, when there was a rash of firms that came out advertising GDPR expertise because the business community was frankly running around trying to figure out what to do to get ready for this new law, there was a lot of not very good GDPR work that got done.
There was a bit of a feeding frenzy, I think, among professional services firms. And that would include law firms, consultancies that were unregulated, large accounting firms, lots of firms got in on this. And the buzzword at the time was definitely “consent”. People were saying: ‘You need consent to process data, so we’re going to write your privacy notice to say that you consent to this and you consent to that.’
I think a more mature understanding of GDPR would be that consent is one of the options, but it’s often not a very good option for many businesses, depending on what it is that they’re doing. So that would tend to be a bit of a red flag for me.
Now, if you’re in Canada, ignore everything I’ve just said. Because in Canada, the equivalent law to GDPR is a federal law called PIPEDA – the Personal Information Protection and Electronic Documents Act – which is the federal data protection law. There are a couple of provincial laws that replace it in British Columbia, Alberta and Quebec. Those laws are premised on consent first. The Canadian conception of “privacy” talks about consent non-stop. So, if you’re in Canada and the person you’re talking to says it’s got to be all about consent, they are probably right. If you’re in Europe, in the UK or the EU, and someone is talking non-stop about consent, they’re less likely to be giving you good advice.
DR: I remember you told me about the other pillars of GDPR, other than consent, and I’m laughing because I can’t remember what they are. You mentioned there are other things you can do to make sure that you’re GDPR compliant, it’s not just consent, there’s also…?
TF: What we’re talking about is the legal basis for processing data. So, whenever you are processing personal data about anybody, you have to have a legal basis for doing that. And the legal basis under the GDPR could be consent.
It could also be because the processing you’re doing is necessary in order to carry out a contract with the person whose data you’re processing. A simple example would be: you fill out an order form because you’re going to buy something from me and you put your name on it. That whole order form, what’s on that form, becomes personal data about you. I, as the business, am going to process that personal data about you just by storing it in my system. I’m now processing data about you. Why am I doing that? Because I can’t fulfil this contract with you unless I process that data.
Essentially, we’re signing a contract. You need to know who you’re signing the contract with, so that’s necessary. In that case, it’s not consent that I’m relying on. I’m relying on the fact that I’ve got a contract with you and this is necessary to do that contract.
DR: Which is “legitimate interest”?
TF: No. Legitimate interests is a separate basis. With legitimate interest, there doesn’t have to be a contract in place. It basically means, for what I’m doing, I’ve got a legal and reasonable purpose for processing the data. That purpose is for my benefit as the business processing the data, or it’s maybe even for the benefit of a third party. But the interest we have in this data is legitimate and the impact on you as the data subject does not outweigh my interest in processing the data.
This is all a very roundabout way of saying basically: ‘What I’m doing is legal and it’s fair, and it’s not particularly harmful to you, and I’ve done a balancing exercise where I’ve actually weighed this up.’
What I’m not saying is: ‘Oh look, this isn’t a big deal, end of story.’ What I am saying is: ‘This is not a big deal because I have looked at this closely. I’ve looked at the impact this could potentially have on you as the data subject, and I’ve concluded based on this analysis that actually the impact on you is manageable or is minimal and it doesn’t outweigh what I’m trying to do for my business or for my customer’s business.’
Now, the Canadians do essentially the same kind of analysis, except they frame it in terms of consent, specifically implied consent. It arrives at more or less the same destination, but it’s just a different way with some different terminology around it.
DR: So, to recap, a red flag you should look for when it comes to UK and EU GDPR expertise is when people only focus on kind of one area of GDPR, specifically consent. But also, in other places of the world, consent is actually quite a big part of being GDPR compliant or being data protection compliant.
TF: Correct. I think if the privacy notice that you’ve had prepared for you only talks about consent, or if it talks about consent in general terms without specifying what data is being processed while relying on consent, then… Sorry, I don’t know how to summarise this, Dayle. Every time I try to give you a rule of thumb when we talk about consent, well, I can’t even say there is one.
Very often you’re going to see consent talked about in a privacy notice, and it’s actually been done perfectly well. It’s just that I see a lot of privacy notices that have a lot of elements that work or that could work, but it does require some training and some knowledge of the area to identify: ‘Ah! That’s not a good application of consent, or that’s even a total misapplication of consent.’
There’s just no way for me to give a quick rule of thumb that says: ‘Look at your privacy notice and this trick will tell you you’re in trouble.’
DR: Which I guess is kind of the solution you’re trying to provide as well, right? Because you say it can’t be done so quickly. It has to require some sort of technical expertise.
TF: Yeah, I think so. I think it’s not so much technical expertise as a good understanding of GDPR, and I’ll tell you why. Because I think most GDPR knowledgeable professionals, whether they’re lawyers, consultants, whatever their line of work is, anyone who has worked with GDPR over a period of time will have probably found that their understanding and their approach to GDPR has evolved.
In the early days of GDPR, when the law was first published in 2016, they gave us two years to get ready. They passed the law in 2016 and the law came into effect in 2018. That two years was supposed to be spent getting ready for GDPR coming into force and a lot of companies wasted most of that time. There was a huge flurry in the last six months before the start of GDPR (‘Oh geez, we gotta get ready!’) and when I talk about having a more mature understanding of GDPR, I think the entire industry has developed a more mature understanding of GDPR.
And I think most professionals who wrote a privacy notice or gave some advice to a business in the early days, 2016, 2017, 2018, would probably give different advice now because they’ve come to understand some of the nuances, some of the problems that come from choosing certain approaches to GDPR.
The initial instinct people had was to go for consent because, instinctively, that makes sense. If I’ve got your permission to use your data, how can this be a problem? I think that’s what caused the mad rush towards consent in the early days.
Legitimate interest was looked at by a lot of people as being a basis that you would rely on as almost like a last resort if consent didn’t work. I think most of us have probably turned that completely around and thought, for businesses, they’re probably going to want to rely on legitimate interest and go to consent only as a last resort.
Because consent is difficult. It’s very difficult to manage. It’s difficult to get valid consent. You then have to manage the consent, because if someone turns around and says: ‘Actually, I withdraw my consent’, you just have to stop what you’re doing with their data. You have to prove that you’ve got a system in place to manage that, because you can’t just have requests coming in and falling into a dark pit never to be processed.
Consent is something that people can give to very specific activities. They can say: ‘I give you permission to do this but not that.’ Again, how do you manage what they’ve consented to and what they haven’t without having really efficient record-keeping?
Legitimate interest doesn’t have nearly that level of complication. Over time, I think what we’ve seen is the advice that people are getting, generally speaking, from GDPR consultants has shifted.
If businesses are still relying on the advice they got in 2017, 2018 when they were first getting ready for GDPR, that might actually be one of the red flags – you might want to have a second look at that because the understanding has shifted. Also because the way that data protection authorities across the EU and in the UK have approached GDPR has also, I think, been evolving.
I don’t think the ICO was ready on day one for GDPR. There was a lot of stuff on their website that was out of date as of the first day of the GDPR. It would have things like, essentially, ‘We haven’t written this guidance yet for GDPR’, ‘We haven’t updated it yet for GDPR’, etc. I think they’re pretty much caught up, but it’s taken them some time to update all of their guidance to reflect the GDPR.
If the ICO couldn’t even be ready for day one, and if their understanding has been evolving, and if the way that they’re approaching the behaviours that they’re seeing is evolving, then it stands to reason that those of us advising businesses are going to have an evolving understanding as well.
So, if you got ready for GDPR in 2017 or 2018 and you haven’t looked at it since, then two things. Number one: I think the understanding of the law has probably evolved since then, Number two: that’s 3.5 years since you got ready for GDPR – are you sure that your business is doing the same things it was doing 3.5 years ago?
I think you’d be pretty surprised how many of your data handling practices might have changed. You might have changed the apps that you use. The business report services that you use that handle personal data on behalf of your business, those have probably changed. How many of us had even heard of Zoom, Asana, Slack? I’d never heard of Slack before the pandemic started! Slack’s been around since well before the GDPR.
People are adopting new apps all the time. They need to be updating their records. They need to be updating their privacy notices to account for that. And if what you did was you got a GDPR project that got done in the early days and then just let it sit there since then, it probably needs a refresh.
DR: Two questions linking back to the actual proper FAQ. Sorry to go on a tangent. EU and UK GDPR Representatives – are they two different things? Do I need both?
TF: If you are located outside of Europe – let’s go back to the Canadian example – you will need both if you are selling into both the EU and the UK. So if you’re selling to consumers in both the EU and the UK, you will need representatives in both the EU and the UK.
DR: And if I’m a business in the UK, presumably I only need the EU one? And likewise, if I’m in the EU and only selling to the UK, I would then only need a UK GDPR representative?
TF: Correct, unless you’ve got an office here. If you have an establishment in the UK you don’t need a Rep. If a UK company has an establishment in the EU, it does not need an EU Rep because it’s got an EU address effectively, so it’s already got something there.
DR: The second question, I know you’ve answered it already, but I was hoping maybe you could drill down a bit if you’re able, maybe give us an example. So I already asked the question: ‘What does a UK GDPR representative do?’ And you explained you’re kind of like the mediator or the facilitator or…
TF: …or the contact point?
DR: Yes! The contact point. Sorry there, I should be using plain English, shouldn’t I? The contact point for these businesses. Are you able to explain what a GDPR Rep would do if a client or a client’s customer actually contacted you – what would actually happen?
TF: An example would be, you’ve got a UK customer or potential customer. Maybe somebody you’ve sent a marketing email to and they go: ‘Who is this company?’ So they go to your website and they see on your privacy notice: ‘If you’re in the UK, contact our representative in the UK – Plain English Law – you can contact them here.’
Next that person might write to Plain English Law saying: ‘I received an email from this company. Who are they and what information do they have about me?’ What your Rep will do for you partly depends on the service level you’ve paid for, but the basic function is for the Rep to turn around and forward that correspondence to you, because it’s you that needs to answer the data subject’s question.
Now you might answer that question back through Plain English Law, and you might need some help to figure out what is the correct answer to that question. Because if you’re a Canadian company, you’re accustomed to the Canadian way of responding to data requests from people. The rules are different under the GDPR than what you’re accustomed to. So you might not know: what are the time limits? What do I need to respond with? How comprehensive does my response have to be? Is there information that I can withhold? Can I outright refuse in some circumstances? Can I charge a fee for replying to it, etc.?
All of these kinds of questions, if you’re not located here and you’re not regularly dealing with GDPR, you probably wouldn’t readily know those answers. We, as your UK GDPR Representative, can advise on that.
But ultimately, what has to happen is someone has to reply to that data subject. And either you, as the business holding that data, you could do that yourself once you’ve been handed the correspondence by us, we relay it to you. Or you could ask us to respond on your behalf.
DR: Would you say the value-add isn’t just being a contact point? It’s also being able to help respond correctly and in the right way?
TF: Exactly. Help responding correctly and on time with all of the required bits of information that the GDPR requires you to respond with.
DR: That’s the true value because anyone can just say: ‘I’ll be your representative.’ But if it was Joe-Bloggs-off-the-street and people send messages to Joe-Bloggs-off-the-street and they don’t respond properly, again, that could be a bigger problem than not having the representatives at all. Actually having a representative that knows what they’re doing and can advise on how to respond is the real true value of the service.
DR: Cool. I think you need to say that right? (laughing)
TF: Ok well, I wouldn’t say it’s the “true value of the service”. It makes the service more valuable. The primary value of the service is complying with the bit of the GDPR that says you have to have a representative in the UK if you don’t have an office here and you’re selling to UK consumers. That’s the essential rule.
DR: I guess maybe I’m being too salesy about it. From my point of view, it’s a hygiene cost that’s been added to businesses. It’ll be very frustrating because no one likes having hygiene costs for their businesses. But if you can say, actually it adds value, then people are happy to pay for it. Does that make sense?
I think the difference between some of the bogus people that I’ve spoken to and yourself is you actually have the values and the understanding to make sure it’s done correctly. Not just being the contact.
TF: I’m not going to suggest that other people don’t know what they’re doing. I’m going to suggest that I am able to explain things in ways that make sense to business, and are practical for business to implement.
I think other people who are offering a UK GDPR representative service, many of them will do a perfectly fine job. It’s just a question of who you would rather deal with and whether you’d like to get that service in plain English or in GDPR-speak.
Even for someone who is adamant about doing things in plain English, talking about GDPR in plain English can cause a brain-sprain at times because of the way the rules are phrased. It is very difficult sometimes to stay in plain English when you talk about this stuff and put it in terms that make sense to the business, rather than to someone who’s really interested in the technical rules of GDPR.
But what I would say is that the primary reason to appoint a GDPR Rep is simply to comply with the requirement to have a GDPR Rep, however, what that GDPR Rep does for you once someone does contact them, I think that’s where the differentiator could be. What kind of support are you going to get in responding to that request?
You could look at the GDPR Rep as effectively just being a post box, and if that’s all that you’re getting then that may or may not be enough for you. But if you were a smaller business, if you’re a business that doesn’t have a location in the UK, chances are you’re not going to have total expertise in UK GDPR requirements.
How will you respond when somebody submits a data subject access request? They want to know what data you’ve got about them, they want copies of that data, they want you to erase their data. There are a number of exceptions to that requirement – do you know about them? For example, someone says: ‘Delete all my data.’ Do you have to actually do that? There are a surprising number of exceptions to that requirement.
DR: And in this instance, a UK GDPR representative with a certain skill set and experience level will be able to help advise on that?
TF: Exactly because chances are you’re not going to get a massive number of UK data requests unless you’re a huge company. Those times when you do get those requests, because they will be probably few and far between, it means you probably won’t build the expertise to respond to them efficiently and correctly.
That’s where having that relationship with a UK GDPR Rep who’s got that knowledge, who can advise you on what the appropriate steps are and what the correct responses are, that’s where that value is going to come in.
Additional Reading: International Association of Privacy Professionals (IAPP) – CIPP Certification
Episode Title: UK GDPR Representation part 2
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 06 Sept 2021
Recording Length: 00:26:15
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. This is Part One of a two-part episode where Dayle and I discuss the role of UK GDPR Representatives for overseas companies. You can find Part Two on our main podcast page at https://plainenglish.law/podcasts/.
In Part One, I use examples to show:
As a side note, near the end of Part 1, I said I didn’t know of any companies having been fined for not having a GDPR Rep. Well, as it turns out, I found one about a week after making this recording. A short summary of that case can be found in our list of FAQs near the bottom of this podcast page.
TF: We are talking about UK GDPR Representatives. So you hear the term “UK GDPR Representative”. What’s the first question that pops in your head?
DR: For me, I start thinking about the ICO (Information Commissioner’s Office), but maybe it’s because I’m too close to it. Like, is it someone that has to negotiate between the business and the ICO? Does there have to be someone in place?
DR: No, see there you go, completely wrong. (laughing)
TF: So, the basic idea behind the GDPR, of course, is to protect people’s data no matter where it’s being held in the world. If you live in the UK you are covered, your data is protected by the UK’s GDPR. Now the UK’s GDPR used to be the exact same as the EU’s GDPR when the UK was part of the EU. Brexit has changed a lot of things and not very much at the same time, if that makes sense when it comes to GDPR.
So what happened was that the UK left the EU. We took with us our own copy of the GDPR, we essentially photocopied it more or less. So the UK’s GDPR is now a separate law but, practically speaking for most businesses, it is essentially the exact same GDPR as they were subject to before Brexit.
What’s different though is that, sorry, I’ll try that again. What’s always been part of the GDPR is that an organisation located outside the EU, that doesn’t have an office in the EU, might still be subject to the GDPR if it is processing, basically, if it’s selling stuff to consumers in the EU.
So let’s say a Canadian company for example. It’s got offices only in Canada, and you would think, well, how does the GDPR apply to a Canadian company? It applies to that Canadian company if it is selling to consumers in the EU, or if it is tracking the behaviour of people within the EU, say by using technologies such as website cookies. Yep.
TF: So your Canadian company’s website is accessible from the EU, it’s being visited by EU people, you’re putting cookies on their devices, you’re doing monitoring for marketing purposes, you’re monitoring what pages they visit, you’re using Google Analytics for example – just doing that brings the Canadian company within the EU’s GDPR.
Well now, it also brings it within the UK’s GDPR if it’s UK people that they are selling to, or UK people that they’re monitoring.
Here’s the thing: under the GDPR, they’ve always had to get a representative located within the EU. So if you don’t have an office in the EU but you’re subject to the EU GDPR, you have to find an EU-based representative and basically provide their contact details in your privacy notice.
So let’s say a German person is browsing or shopping on your Canadian website, and then you sell something to them, and they think: ‘Well, I don’t like what this Canadian company is doing with my data’ – they have to have the ability to contact an EU-based representative to complain to them and say: ‘Hey, I don’t like what that Canadian company is doing with my data’ or even ‘I want to know what data that Canadian company has got.’ They have to have some sort of a local option if you will.
DR: So I’m probably going to paraphrase this in a horrible way but essentially, what Plain English Law would be is the GDPR punching bag, right?
TF: No, well, not so much the punching bag as the relay point.
DR: That’s a better way of saying it – the relay point – because companies have to have a representative in the UK for EU and UK customers, and Plain English Law can be that representative.
TF: Exactly. So in other words, the Canadian company could say: ‘Our representative in the UK is…’, or rather, to UK consumers: ‘If you’ve got questions about your GDPR rights, contact us via Plain English Law’ and it would give Plain English Law’s contact details. So that way your UK consumer doesn’t have to be contacting a Canadian company, you know, having to make an international call to deal with what is perceived to be a hassle.
Whether it is that much of a hassle, these days or not, is a totally different matter, but that is what the law requires. If you are selling into the UK to consumers or if you are tracking the behaviour of people within the UK, through your web cookies, etc., you have to have a UK contact point for people to exercise their GDPR rights.
DR: Using the Canadian company example, what are the repercussions of not having an EU or UK GDPR Representative?
TF: You’ve committed an offence under the GDPR. You could theoretically be sued, but that’s not likely going to happen. You could be subject to a fine. The Information Commissioner’s Office (ICO), which is the regulator in the UK that’s responsible for enforcing the GDPR, if a UK consumer were to complain to the ICO: ‘Hey, this Canadian company doesn’t have a GDPR Rep in the UK, and they need one because they’re selling to me and I’m in the UK’, then you could be subject to a fine.
It’s a fairly basic compliance step. It’s a simple compliance step, you just have to have a contact point, that’s all. If you’ve got an office, or some kind of permanent establishment in the UK, then you don’t need to appoint a Rep because you already have that contact point.
So if that Canadian company had a subsidiary over here or had an office in the UK, then they wouldn’t need to appoint the Rep because they’ve got an establishment here and that would be the contact point. They would just simply provide those contact details in the UK instead. It’s companies that don’t have an establishment in the UK and are selling into the UK – those are the ones that need to appoint a representative.
DR: And can I assume that you need a representative as long as you’re trading in the UK or EU and don’t have a presence there? There’s no timeline on this – until you actually establish a business premises or…
TF: Or stop selling into the UK and purge the data, that’s right. Basically, as long as you’re processing that data, as long as you’re holding onto that data about UK consumers, then you need to have a representative locally.
Now, what’s curious and what’s a bit irritating, I think, for a lot of businesses in Europe about Brexit is the fact that a UK business that’s selling into the EU has never needed to appoint an EU representative until the Brexit transition period ended. Now in 2021, if you’re a UK business and you’re selling into the EU, actually the EEA, so throw in Norway, Iceland and Liechtenstein with that. Anyway, if you’re selling into essentially the EU you need to now appoint an EU Rep. Pick a country, any EU country into which you are selling, you need to appoint a rep in one of those countries. That wasn’t necessary before Brexit.
Similarly, a German company, a French company selling into the UK if they don’t have an establishment in the UK, some kind of office or subsidiary in the UK, then that French company needs to appoint a UK Representative. Again, they never needed to do that before Brexit, but now it’s necessary.
DR: How much does a GDPR Representative cost?
TF: It depends on the size of the company, but the basic price starts at £25 a month, billed annually in advance, and a one-time setup fee of £100.00. So, because we have to open the client file and get to know who you are and get to know your business first, and then depending on how big your business is and how many customers it’s got in the UK, once we sort that out that’s when we can give it a more precise price.
Because what the service involves is, if someone in the UK wants to contact your business, and they come through Plain English Law because we are your representative in the UK, every piece of correspondence that we get we have to scan it and forward it to you, and possibly reply on your behalf once you instruct us to do that. The bigger your company is, and the more customers it’s got in the UK, the higher that volume of correspondence is likely to be. So that’s why there is no clean answer to the price question. But the basic price will start at £25 per month.
DR: Paid upfront in advance, so £300 a year initially. And like you said, as an example, if you had an e-commerce business that has 1000 transactions per day, that fee is going to be a lot more than a service-based business that has 10 transactions per month, because the potential for a customer to contact the representative which is you, Plain English Law, goes up, so there’s going to be a potential increase in fees, right?
TF: Correct. Realistically speaking, the likelihood of there being thousands of people contacting your GDPR Rep is almost 0. I mean, realistically speaking, most businesses do not get contacted very often by people asking to have access to a copy of their data, but it’s for that moment when somebody does, that’s when your lack of a Rep can cause a problem and could cause an investigation right then and there.
Because it’s a fairly basic requirement of the GDPR: ‘Don’t have an office here? You need a Rep.’ People need someone in the UK that they can contact. If they can’t contact anyone and they complain, that’s the issue.
DR: I guess because it’s a fairly new law in terms of notoriety or people knowing about it, there haven’t been that many cases of this happening? Are there any stats on how many companies have been fined or how many companies are potentially at risk?
TF: Correct and, to be perfectly honest, I haven’t heard of people being fined for not having a GDPR Rep. But I’ll tell you why I think that is.
There are a few reasons. First of all, the GDPR is relatively new. It’s only been in force for a little over three years, and the enforcement is only starting to ramp up now in different countries.
Secondly, practically speaking, it’s a problem only for smaller companies. Because if a company is large enough, it’s probably going to have an office in many of the countries that it does business in. You wouldn’t have an office in every single country you sell to, and almost no company does that unless they are the size of Microsoft. But what you might have is probably one office at least in the EU. That office may in fact be in the UK if you’re a larger company, or it might be somewhere else in Europe.
If it is somewhere else in Europe, that used to mean (before Brexit) that you would also have the UK covered, and now you don’t. A lot of companies use Ireland as their EU base because Ireland’s got a very favourable tax structure for international companies, and so that is often a first port-of-call for companies looking to establish themselves in the EU, particularly when they saw Brexit coming. They said: ‘Alright, we want an English-speaking country in the EU.’ Business-friendly Ireland fit that bill, so Ireland has been a destination for multinational companies for a large number of years.
Having located in Ireland used to cover off the UK for EU-related issues. Now it doesn’t, so suddenly it triggers this requirement to have GDPR representation. Brexit has triggered this requirement for companies that are using Ireland as their European base.
Episode Title: UK GDPR Representation part 1
Recording Length: 00:14:39
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, we talk about DSARs, or Data Subject Access Requests. (In plain English, that’s when someone asks you to share copies of data you have about them.) Dayle and I discuss what DSARs are, why people make them, and how GDPR compliance is as much about the process as the product.
DR: …when we had our last conversation you were mentioning how, if an employee were to leave for whatever reason and they make a data subject access request, emails for example may also include other employees’ personal information. How do you know what to give to the employee who made the request?
TF: What you have to do is figure out, first of all, what personal data you have about the data subject who made the request. If I’m the employer, this means itemising the pieces of information I have about that employee: I’ve got this list of emails; I’ve got this specific document, for instance, an annual review in their HR file.
The thing is, now someone needs to read that annual report and figure out if anyone else’s name is in there. At minimum, consider the person who wrote that annual review – this is also personal data about them because they wrote it.
DR: So, I assume the person doing this itemising would be a manager, or would it be the person who wrote the review, or who made the request?
TF: It could be both, it depends on the process. In the process I went through with my last employer, I was the line manager of a team of about 10 people, but obviously I had my own line manager. So I went through the quarterly and annual process with my line manager evaluating me, and I did it for my direct reports.
So the reports that get generated included input both from me and my direct reports, and it could say any number of things. If you’re being careful about it, you’re not naming other people, but you can’t guarantee that. There has to be a process before we just dump all this information into a data subject access request. Somebody has to go through it and read it and flag any areas where the report is about some third person, not just about the employee making the request. There’s going to be personal data about the person who wrote the report and it could possibly name other people directly or indirectly.
Let’s say an employee has complained to me about, ok let’s take an example: Jim comes to me and complains about Anne’s conduct. We might have an email exchange back and forth, and it might not even have Anne’s name in it, but it could be clear from the context who we’re talking about, and that makes it personal data about Anne.
So, who’s making those assessments? First of all, you have to decide whether to give it to the employee or not. And if you’re going to give it to them, what are you going to redact out of it?
DR: I thought the rule was that if I, as the data subject, request data about me, it has to be given. Is that not right?
TF: No. There are plenty of exceptions. You can refuse to give information to the data subject after the request if doing so will infringe the rights of others. This is phrased fairly broadly. For example, Dayle, you make this request to me and say you want all the information I have about you. So I locate this document and think, yes, this is clearly personal information about Dayle. But if this report also has in it my opinion about somebody else’s behaviour, that report becomes personal data about them. Dayle, you may or may not even realise that this information about the other person is in the report. It may or may not be relevant to you and, even if it is relevant to you, does your interest in having that information outweigh the privacy interests of the other person who isn’t even involved in this request?
DR: I have another question. I can’t imagine ever asking for data about me from an employer or former employer. Why would someone do that? What is the issue that makes someone make a data subject access request? What’s going on there?
TF: Ok. Under GDPR, the ‘why’ doesn’t matter. But for general interest, there are all sorts of examples, like maybe an employee is a little bit paranoid and may be worried about what people are writing about them in their HR file.
You’ve got other situations when the person is not paranoid at all, rather they’re in a conflict with their employer. Maybe they’ve been made redundant, or maybe they’ve been through a redundancy consultation process and they don’t like the final result, for instance, finding themselves in a group of employees they don’t think they should be classed in for the purposes of the consultation. They may want to see how this decision was made.
So, one of the ways they could maybe get at that is to say to their employer: “Look, I’m not going to fence with you, I just want to see what personal data you’ve got about me because the GDPR says, as a data subject, I can make that request.” The GDPR also says the employer has to fulfil that request, subject to some relatively narrow exceptions. It’s those exceptions where the employer can have difficulty.
When GDPR was new, I think it was a common reaction for employers to say: “I’m not going to respond to that data subject access request because the employee is suing or they’ve filed an employment tribunal case.” That is not an appropriate response. There’s nothing in the GDPR that says data subject access requests are invalid when there is also a tribunal case going on. You still have to fulfil that request.
Now that we’re deep in the GDPR era, it could be that employees are more likely to make those data subject access requests because they are more aware of those rights. But those rights have been around for a while. Data subjects have had the right to ask for access to their data, and it’s always been theoretically possible for an employee to turn to their employer and say: “Give me the personal data you have about me.” – they just haven’t been doing it.
I think what solicitors for employers are seeing more and more is that this is becoming a, I wouldn’t say an automatic thing, but more and more solicitors are telling the employees to do this as one of the first steps. Whether the employee has been made redundant or they’ve been terminated with cause, or there’s been a grievance or disciplinary process that the employee has been through, there are going to be records from that. And there should be records to show why this person was terminated and what the steps of that process were. The employee could be wondering what the HR member wrote about them or what other people said about them – if that information is sitting in the employer’s files, the employee has a right to see it [unless the employer can point to a valid exception].
DR: Is there a time limit on this? What if I wanted to ask a company I was made redundant from years ago?
TF: Good question. For you as a data subject to go to your ex-employer and say: “I want to see what personal data you have about me”, there is no time limit on that. The limit is whether or not they still hold information about you.
Anyone at any time can go to any organisation and say: “Here’s my name. Are you processing any personal data about me?” And by the way, “processing” doesn’t mean they have to be doing anything with your data – just having your information in their file is a form of processing.
Ok, so your questions to the organisation would be: “Do you have information about me? If so, what do you have?” Anybody can ask that about any organisation. The answer will either be yes or no, we have information about you or we don’t have information about you.
Dayle, in your case since you worked for them, it’s pretty clear they did have personal information about you at some point, and they may or may not have deleted that information, or anonymised it, or purged it from their records somehow. You always have that right. 30 years from now you could go to them, identify yourself, and ask them to look through their files and see if they have anything about you.
DR: Ok, so how would that work? Would that entail them sending me a whole ton of paperwork or batches of emails to look through? From an employer and HR perspective, I can imagine looking through everything would be pretty time-consuming for them?
TF: You’re right, there is a certain point where the employer can say: “Look, the effort required here is disproportionate”, or if the request is abusive or repetitive from the data subject. At a certain point the employer can say: “We’re not doing this because of these reasons.” But those reasons are fairly difficult exemptions to rely on.
The presumption is the employee is entitled to that information – you at least have to try to do a search through your filing cabinet and your emails. Search for the person’s name and see what you come up with.
And that’s just it – the employer then has to document somehow that they’ve actually looked through their records before they reply. They can’t just give a boilerplate response and say: “We’ve searched our records and we can’t find anything about you.” If that’s the response they send, they better have searched their records, they better have done what they said they did in that letter.
If a response to a data subject access request isn’t credible and the employee complains to the Information Commissioner, the employer will need to demonstrate what they did exactly to respond to your request, that is, the steps they took to look for and supply the information.
DR: But how would you do that? How could you prove you did what you said you did? What about looking through the server log? Would that be the easiest way?
TF: I suppose? This is definitely where you are exceeding my IT and cybersecurity expertise. Let’s think about it though. Could you lie about what you’ve done and get away with it? Well, I imagine people do that all the time.
DR: Ok, I guess my question was less about ‘lying’ and more about, you know, the employer saying: “I sent Margie down to the filing cabinet. She had a look and didn’t find anything. What more do you want me to do?” That kind of thing.
TF: I would guess the ICO (Information Commissioner’s Office) would probably say: “Well, let’s have a chat with Margie then.” But I think we’re kind of going down a bit of a rabbit hole here. (laughing)
I think the principle really is: if a data subject asks you to look for information, you need to have a process for doing that, and demonstrate you’ve actually followed that process. You normally do this by keeping records. Employers should have a written process that says: “When a DSAR comes in, it goes to this department; these are the steps this department takes; these are the different places they need to look.”
DR: Ok, so should people have DSAR training? What if I, as an employee or former employee, called up reception at my current or old company with a data subject access request, and the receptionist says: “Hi Dayle. You want your data? Sure, just leave it with me.” The company, not just the receptionist, has to do this within a certain amount of time, right? My request can’t just sit there in reception?
TF: Correct. I wouldn’t go so far as to say that everyone needs DSAR training, but that’s part of the process we talked about before that the organisation needs to have in place. They need to think about where these requests are likely to arrive from.
So, if they’ve got a properly set up privacy notice on their website, for example most organisations have their own website, it will say: “If you’ve got questions about the personal data we have about you, contact email@example.com or what have you. Here’s also a postal address and phone number – ask for the Data Protection Officer or the Privacy Team”, for example. If you provide that kind of information on the website, then that’s great.
The next step is, every member of staff should know that when someone is asking about personal details or about privacy or about what the company knows about them, then they should know the place to point them to. If it’s an employee, I would point them to the people team or HR. And absolutely every organisation’s HR team should have, if not a GDPR expert, certainly a GDPR champion – somebody who’s got enough awareness to be able to flag issues, recognise that what we’re dealing with is a personal data issue, that it needs to be routed within the company correctly, and knows where and who to turn to.
That GDPR champion within HR would then work with the privacy team. But maybe you’re a smaller organisation and don’t have a separate privacy team – you need to have one person who understands enough about privacy issues to be able to handle the issue for the company. Whether that means referring it out, going out and finding some expertise when needed, or whether they’ve got enough expertise to handle it in-house, either way you need a ‘privacy point-person’, and everyone else in the company needs to know who that is. Everyone needs to know who and where to route these requests.
DR: I assume the privacy person could get some kind of badge?
TF: Maybe a sash? Or a tabard like a fire warden?
DR: If it were me, I’d want a cloak and a sceptre. A data sceptre. It would be like a large USB stick with a hand-hold.
TF: An encrypted one, I hope. So yeah, you were asking about GDPR and how that plugs into DSARs (data subject access requests), how DSARs come up and why an employee would ask or file a DSAR. I think the most common scenarios would be redundancy, discipline, possibly even that they didn’t get a promotion that they thought they should get – DSARs can come from people who are still working for you. Maybe they’ve received a poor performance rating and they want more information.
There are all sorts of different scenarios that people could suddenly think up that this company or someone within this company has written something about me or has got something in their records that says something about me, and they want to know what it is.
DR: These are things that I would never have thought about, if I’m honest.
TF: And honestly, I’d never thought about it either until I actually saw it happen. At a company I was working for, probably a year or so after the GDPR came into effect, we had at least two of these ex-employee data subject access requests going on at the same time. And this was an organisation that had resources. It’s not like it was a small operation; it was a big company.
So, it had the resources to handle it, but that doesn’t mean it had the processes to handle it efficiently and, specifically, in making sure that the request was actually routed to the correct place so the request could be dealt with in a timely fashion.
You know, you only have 30 days to respond to a data subject access request, and that sounds like a lot of time but it’s not. It’s not, especially if the request gets lost for the first 15 days because someone didn’t know they needed to forward it to someone else.
DR: 30 days – is that working days or calendar days?
TF: It’s calendar days.
DR: So, Saturday, Sunday, Bank Holidays – they’re all included? 30 days, that’s it?
TF: 30 days. It’s quick. 4 weeks functionally, so it disappears in a hurry.
The point is the importance of having a DSAR process in place before a DSAR comes in. It doesn’t have to be a massive training programme that everybody goes through to learn about data subject access requests. But what everybody probably does need to know within probably every organisation: everybody should understand what personal data is, they should be able to flag when they’re handling it, and they should definitely be able to flag when they’ve been asked to provide information that involves personal data.
Episode Title: “DSARs for Businesses: What to expect and how to prepare.”
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 25 May 2021
Recording Length: 00:20:48
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, we talk about allowing employees to use their personal devices for business. The GDPR can make it risky to put personal and business data on the same device, and a good ‘bring-your-own-device’ (BYOD) policy isn’t always a complete answer. Dayle and I start by discussing the difference between data and personal data.
DR: It’s been a while since I’ve done my data protection training. Refresh my memory: is it nine protected characteristics that make it personal data?
TF: No, you might be conflating personal data with discrimination, which is measured on the basis of protected characteristics like race, gender, sex, gender-identity, sexual orientation, etc.
You’ve got data and then you’ve got personal data, which is a subset of data. ‘Data’ just means ‘information’. It doesn’t have to be in a spreadsheet or a database. I keep a notebook for calls I have with clients – all the stuff I write down, that’s all data.
So, the question is, is it also personal data? That comes down to whether that data is related to or is about an identifiable individual.
At its simplest, you take any piece of information and put someone’s name beside it, and essentially that makes it personal data, as long as that information is about them. If the information is about something pedestrian like “the grass is green” and I write “Dayle” beside it, that doesn’t make that piece of information about Dayle. But if I say “the grass in Dayle’s back garden is green and healthy” then, as silly as this sounds, I think that IS personal information about Dayle. And that’s because it relates to Dayle – it’s his property, I’ve said it’s his grass, and it’s information about that grass therefore it’s information related to him.
Would that get him a whole lot of protection in the GDPR? No, not really. But why do I have that information? What am I doing with it? Why do I even have that in my records?
DR: You know, I would wonder why you, Trevor Fenton of Plain English Law, would have information about my grass. Also, that you are so informal about it. Certainly, if you’re going to talk about my grass, you can call me “Mr Rodriguez”.
TF: (laughing) Ok, that’s a very silly example. But there are all sorts of examples that people don’t think of being personal data because they think, well, that’s not ‘personal’, or ‘sensitive’, or ‘private’. It doesn’t have to be private. It doesn’t have to be something you think people would feel a sense of invasion about. It could be as simple as your phone number at work, whether it’s your own or the main number for the company, and I’ve got it in my address book as “Dayle’s phone number at work”, that’s personal data about you.
The definition is breathtakingly wide under the GDPR. It’s a lot wider than definitions in other parts of the world. In Canada, for example, business contact details don’t count as personal data under their equivalent to GDPR, known as PIPEDA, or the Personal Protection and Electronic Documents Act.
DR: That makes sense to me though. If you have my number in your address book and it’s my work number, then it’s not personal because it’s my business number.
TF: That’s definitely a debate that could be had, whether it should or shouldn’t be classified as personal data. But the GDPR does classify it as personal data.
Likewise, that means that emails sent back and forth to customers and co-workers, those emails all become personal data about the person who sent it because their name or email address is on it and you can use that to identify who that person is, and it becomes personal data about the person they sent it to for the same reason, and because it’s information sent to that person which makes it about that person.
DR: Ok, so on my phone, I have a VOIP system that is separate from my normal phone contacts. But in theory, that device is my personal phone so I’m potentially carrying around personal, sensitive information about other businesses on my phone – is that right?
TF: Yes and no.
First off, there is no such thing as personal data about an organisation. Personal data is only about individuals, about living breathing human beings. We can get into the debate that sometimes people act as sole proprietors and therefore the individual is the business, but let’s not go there right now. The point is, most businesses operate as companies and there is no such thing as personal data about a company. What does exist is personal data about the people who work for companies, and that personal data could be the phone number for them at the company. That phone number in and of itself is not personal data. You put that phone number beside that person in a contact book, and now it’s personal data about them.
So, if that personal data is on a phone, it doesn’t matter whose phone that is, it’s still personal data about that person. Now Dayle, on your phone you might have two different address books: one that you use for strictly personal purposes and one you use for business purposes. GDPR will not apply to the personal-only contact book, because it is for strictly household purposes. GDPR does not apply to the use of personal data for strictly personal and household purposes.
I’ve got my list of friends on my phone and I send them an email to go for a pint on the weekend – that is not covered by GDPR. That is a strictly private and household purpose for the use of that data. If, however, I send the exact same email to someone using the details I have stored in my contacts for business purposes, details that the business holds, that’s different.
You’re holding both on the same phone and that can make it complicated. But if you can keep them completely separate within the phone and you’re not cross-pollinating – you’re not taking contact business details and sticking them in your personal address book – then that makes it easier to manage. But the fact that it’s on the phone that you own rather than a phone the company owns, that doesn’t change the GDPR situation. Or rather, it doesn’t change the status of the data, I should say. What it does is make it riskier. It is risky to hold business data on a personal phone because of the amount of discipline required to treat those data sets differently.
And also, on your personal phone, you’re going to put on apps for personal use that you don’t intend to use for business purposes. What if you accidentally give that app to your business contacts book? Because almost every app I know usually asks to have access to all your contacts. Clubhouse being a great example. It’s an example I’ve used before, and I shouldn’t just pick on them because they’re not the only ones who do this, they’re just a more recent example. But yeah, a lot of these apps say: “We need access to your contacts to function.” Putting aside whether they actually need that or not, the question is are you going to give this external business access to all of your business contact details, which is personal data about your business contacts?
DR: That’s interesting. Lots of people like me, especially when we started up, used our personal phone and mobile phone number to keep expenses down. If I’d given that number to someone for business, and then they went on Clubhouse or whatever app, in theory they’ve given my personal data to a third party without my consent, right?
TF: It’s not in theory, it’s very much in reality. You’ve got your contact book with business contacts in it. That is personal data about all those contacts and your business is the controller of that data. And to be a controller means it’s the business who’s decided why you have that data, what you’re going to do with it, and how you’re going to process it. And that activates all sorts of responsibilities under GDPR.
Now, if you, whether you’re acting as the business or not acting as the business, if you take that data and give it to a third party, you have to have a legal basis for doing that kind of processing. That is a form of processing: to transfer data to somebody else.
What that business has done by transferring that data to a third party without a legal basis is it just violated the GDPR. And the business may not even realise that they’ve just violated the GDPR because it doesn’t even realise one of their employees has just done this.
DR: I know this for sure! I know lots of business owners who are, not just micro, they’re bigger than that. And the director is using their personal phone and they’ve had clients for years and they’ve signed up to various apps that say “give us your contacts” – and I know for a fact some of that data is mine.
TF: You’re right. And you can find little pieces of evidence that this is happening all the time, that your personal data has landed in other people’s hands.
Best example I can think of is, I was having a discussion with a personal friend of mine on a messaging platform – I won’t name names here – about a particular online store that they had just bought something from. I had never heard of this online store before. It was a specialist supplier of goods that I had never searched the web for before. Literally the next day, my Facebook feed is full of adverts for this exact company! It was very clearly targeted.
What I figured out probably happened is that company probably has my friend’s address book, and his address book has my phone number in it, and my phone number is linked to my Facebook profile. So, Facebook and the advertiser put all this together: my friend likes this store and just bought something there last week, so let’s see who my friend’s friends are and let’s serve ads to them.
Now, that is not a GDPR violation by my friend because the information he had he processed in the context of purely personal and household purposes, so GDPR doesn’t apply here. But what if that wasn’t a personal friend? What if that was a business associate, someone I’m doing business with? In that context, my phone number and contact details are personal data that is covered by GDPR because the business is the controller of that data. So in that case, the business will have just leaked out that personal data to a third party through its employee’s personal use of that data.
DR: That’s freaky.
TF: It is freaky, and it’s one of the reasons why BYOD policies, or ‘bring your own device’, really need a second look. People need to think: “Should we allow people to use personal devices for business purposes at all? Should they be allowed to receive work emails on their personal devices?” Or would it be better for the business to invest in company-purchased and company-managed phones so that the company can control what apps are put on there, what permissions can be set and, without fear of repercussions, wipe the data remotely at any time. Where you’ve got an employee using a personal device, can you insist they wipe the data on their device? No, you can’t insist on that. And sure, there is mobile device management software that you can install that creates sandboxes for the business personal data and all that. But you know what, honestly, for all that effort just buy them a phone. Or say: “You know what? We don’t need you to have a phone. Your job doesn’t require that. Either way, you’re not installing work emails on your personal phone. We forbid you, essentially – do not put business contact details in your personal contact book. If you need to call customers, you can call them from work, you can use the company-supplied CRM to find their phone number and use the company phone to phone them. You don’t give customers your personal mobile phone number. If you need customers to reach you on your mobile, come to us and ask for a company mobile phone and we’ll look to see if there’s a business case.” That’s how this needs to work. Because there’s no question there’s a lot of leakage that happens of personal data that way: through people’s personal phones, downloading apps and giving permissions.
Episode Title: “BYOD: The trouble with using personal devices for business purposes.”
Recording Length: 00:15:34
Episode Title: “Business Apps & Data Privacy: Free Trials Aren’t Always Free”
Recording Date: 27 July 2021
Recording Length: 00:12:24
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, Dayle and I discuss GDPR risks that are embedded within the mobile and web apps that businesses use every day. What apps do you use? Do you know what data they collect from your device and your business when you use them? And who’s behind each of those apps? Finally, if you read the terms and conditions, what are you agreeing they can do with the personal data that the GDPR requires you to protect?
DR: Okay, so like I said, I sent you some questions about two major players in the field of CRMs that I know a lot of micro, small and maybe medium-sized businesses would use.
And in their policy you point out two things that most customers wouldn’t be aware of. So the first one was: “You grant us the perpetual right to use customer data in anonymous format.” … and the second one was: “Supplier may use client data in an aggregated or anonymised format for research, education or other similar purposes.”
And you were saying that that’s actually a problem for most businesses, because it means that the data is actually shared in a way they may not be aware of, correct?
TF: Yeah, and it is sort of buried in the terms and conditions and I think a lot of people, a lot of businesses wouldn’t look very deeply at the terms and conditions of most products that they purchase.
Because who’s got the time to read page after page after page of terms and conditions for vendor after vendor after vendor?
The problem is when you’re using any kind of app, whether it’s a web app, or a mobile app, you’re putting data into that app. Some of that data is going to be personal data, maybe all of it will be, and each one of those apps will have its own storage location.
So basically, the more vendors you have, the more storage locations you have and the more terms and conditions you need to review to see what rights have you given the app vendor to use the data that you put in.
And some of these terms, like those ones that you quoted, sound pretty innocuous because it says, well, hey, you know we’re using it in an anonymised form. The problem is there is no way to reliably anonymise any data set these days.
There are studies out there that I don’t have to hand at the moment but have shown fairly reliably that if you have two or three pieces of what seem like generic information about a person, such as a post code and their gender, you can use other publicly available information on the Internet to narrow down that person to a specific individual something like 85 or 90% of the time. It’s really scary.
So, anonymising the data just by taking someone’s name off it doesn’t actually anonymise it most of the time.
And you, as the customer of an app where you’re sticking data into that app, you’re still responsible for that data. If you’ve agreed terms and conditions with them, let’s say they can use this data in an anonymised format, you’re still on the hook.
If someone else, whether it’s the vendor or somebody else that the vendor is working with, manages to reconnect or decides to put the effort into trying to reconnect data points with individuals using other data they can find on the Internet, that’s still personal data even though it’s been anonymised. You’re not off the hook by having agreed that. You need to be looking at those terms and conditions. You need to do your due diligence.
DR: So, I’m going to ask a very challenging question. For these major CRM providers, where their terms and policies are quite lacking in terms of GDPR, what would this solution be? Now that we know what to look for, what is the alternative?
Here’s a scenario: I’ve been in business for 6-7 years and I’m using one of these platforms. I’ve been using it for quite a while and a lot of my workflow and sales processes go through these systems. To now be told that actually there is a potential risk to my business, what would the solution be? Would it be some kind of mapping procedure? Or some kind of…?
TF: Well, exactly. This is where all GDPR compliance starts: with data mapping. That is, figuring out and writing down what data you have, where you’re storing it, who the vendor is, why you have this data, whether the data is up to date, and so on.
Every organisation that has personal data is required to keep what’s called a record of processing activities (ROPA) – it could be in a spreadsheet, it could be in a database, it doesn’t matter. It’s effectively a chart that shows what data you have and where you’re storing it while you have it.
And you need to keep that up to date because almost every week we will come across a new app that we think, hey, that could be really helpful. It fills a need for my business. And of course, they all give you free trials. So, you start a free trial and you think, this is great, I’m going to give it a go and you put some information in there – if you don’t record the fact that you’ve done that, you’ve now created a new set of personal data that’s being held by a third party vendor. You’re still responsible for that data, and yet you’ll probably forget about it the moment you decide to abandon the free trial, which you will do a fair percentage of the time.
This is the same situation if you decide to move on from an app after using one for a long time. CRMs are a great example. CRMs change all the time. Maybe they changed their business model or their pricing model or they’re just doing something different now, and a CRM that you really liked five years ago isn’t a great option for you now so you decide to move on. Did you clean up the data you left behind on that CRM? How do you even know to clean it up if you don’t have the data mapping done and kept up to date before you start looking at new apps?
Part of this process, by the way, long before you stick the data into an app should be to ask yourself: “Who are these people?”, as in, who is the company that runs this app? And what are the terms and conditions? What are they going to do with that data? What rights are they claiming to use the data that you stick into that system? You have to ask these questions before putting anything in there in the first place, even in a free trial.
DR: Can I ask a follow-up question? So, does that mean it’s not necessarily all doom and gloom if you’re already using a system that’s already ingrained into your business? You can still technically use it, providing you do your due diligence, right? So, let’s say again, you’ve been using one of these CRMs that are quite common. Then Plain English Law comes over, looks at the CRM’s terms and conditions, and says it’s lacking from a GDPR compliance perspective. Is it panic time? Is it a case of ‘oh my gosh, the house is on fire, we need to change CRMs, we need to go to another provider’? Or is it more a case of ‘okay, we can still use it, but we’ve got to get these things in place to make sure that you’re legitimising the use of it’? Is that what you’re saying?
TF: Yeah. So, first of all the good news is, I’m describing a situation that practically every organisation finds themselves in at some point. Discovering or realising that you’ve been doing this and using apps without checking their terms and conditions first, even if you find some unacceptable terms and conditions, it does not mean the Information Commissioner’s Office is going to be sending people in windbreakers down to your office to seize computers and slap you with a fine of €20 million or 4% of your turnover.
DR: Remember how I said I imagined this? Guys coming down from helicopters?
TF: (laughing) Yes, exactly! A lot of GDPR compliance scaremongering that’s been going on over the last three or four years gives you that image like, if you put your toe over this line your toe is going to get chopped off, and that’s absolutely not how it happens.
However, that doesn’t change the fact that you need to be looking at these things. You are responsible for demonstrating that you’ve turned your mind to it, that you’ve actually looked at the terms and conditions and thought through what risks are involved in using this vendor, or in allowing data to be used this way, or in allowing the vendor to reuse the data in some other way. You need to be thinking that through.
And the first step to that, I think, is asking yourself, who are these people? If this is just a website when you first get there, do you know who runs that website? Do you know where they’re located? Do you even know the name of the company that you’re dealing with?
DR: Wait, so let me write this down. Who runs the website? Who owns it? I’m guessing you need, if it’s in the UK, you need a company number and where their base is?
TF: Yeah, and sometimes the biggest flag is the fact that you don’t have that information, or even a postal address! A lot of websites, particularly from North America, don’t include a postal address – it’ll say something like, you know, “copyright, thewebsite.com” – but thewebsite.com is not a company name. There is a company behind that site that owns thewebsite.com, but who is that company? Where is their office? Where are they registered? You’re dealing essentially with an anonymous service provider.
Until you can identify who owns this thing and who’s running it, and until you’ve done at least that and then figured out who you’re dealing with, what are the terms and conditions, what am I agreeing to, you shouldn’t be putting any data into that website at all. You might sign up for the trial, but the second you put your customer data in there, you’ve just handed it all over to a total stranger. That’s what a lot of us are doing today and we have to stop it.
The enforcement of GDPR has been relatively light touch and has been relatively focused on seriously problematic vendors doing really offensive things. But you look at news coming from across the EU and the UK itself, and you’re seeing that gradually the enforcement is getting more and more, you know, turning its eyes to sloppy practices basically. It’s not that by doing these things you’re doing something malicious, it’s just you need to be more diligent.
You need to be more careful about who you’re giving your client data to. It’s just a matter of time before a growing number of data protection authorities start asking why you are doing that and asking you to justify what it is that you’ve done with that data.
And I know we’ve left the EU and I know I’ve brought up EU data protection authorities. But the fact is, if you’re doing business with people in the EU you still have to comply with the EU’s version of the GDPR, which is basically the same as the UK’s. It means you can’t just say ‘Oh well, I don’t have to worry about the French data protection authority’. Yes, you do. If you’ve got customers in France, you have to worry about them.
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. This is the second part of a two-part episode called ‘The Plain English Difference’. (You can find Part 1 on the Plain English Law website at https://plainenglish.law/podcasts/.) In Part 2 we break down what a ‘contract’ actually is – simply a business deal written down. I make the case for a ‘business first, legal second’ approach to contract writing, and share more examples of how to transform contracts from legalese to plain English. Let’s rejoin the conversation now…
DR: Yeah, that makes sense. Do you mind if I ask you a very obvious question? A layman’s question?
TF: Not at all.
DR: In terms of commercial law and types of documents drafted, is there a set list of documents that you would expect a commercial lawyer to be able to do or provide? Or is it similar to other professional services where actually it’s such a vast space that no one practitioner or even firm could deliver every single kind of agreement?
TF: It is fairly vast, and yet there are – that sort of formula I just gave you of what a commercial contract looks like – it is literally just a commercial deal written down on paper. It’s just a matter of how much detail you want to go into. The more complex the deal is, the longer the contracts can be. The more eventualities you want to deal with, the more risks you want to deal with, the more ‘what ifs’ you want to deal with, the longer the contract gets.
A lot of these risks and ‘what ifs’ don’t necessarily need to be dealt with in the contract, you know. The law often provides some sort of default positions, some default solutions to problems. It’s just that sometimes people don’t like those default solutions that the law provides, and so that’s why they’ll want to either make it clearer or have a different solution to those ‘what ifs’ in the contract. And they’re free to do that, it’s just that the more of that you do, the more of those things you cover off, the longer the contract gets, the more expensive it gets to draft because it takes longer.
There are specialisms certainly within commercial law, no question – within contract law, I should say. I do commercial law, which is a sort of fairly general field of: I’m going to sell you this product or service, and so let’s write down what the terms of that sale are going to be. Or I’m going to rent you some equipment, or I’m going to let you use my ballroom for your wedding, that kind of thing. Those are the sorts of general business contracts.
There are more specialised types of contracts. Construction, for example, is a very good example of a contract that I generally would not handle. I certainly wouldn’t draft one from scratch because there are all sorts of laws that apply specifically to construction and to repair work done on buildings and I just don’t have that expertise. There are all sorts of solicitors out there that focus on construction law. So what I would do is I would recognise this is a construction issue, I have some understanding of the law around it, but not enough to be competent to draft this contract and give advice on it. So I’m going to refer this to a colleague that I know who is good with this stuff.
DR: OK, that makes sense.
Again, another layman question from me. A lot of business owners will try and save money by using template contracts. What are the pitfalls of using template contracts?
TF: Well, one of the pitfalls is you end up with contracts that your customers hate reading, and they wonder: “What are you trying to pull? What are you trying to hide? Where’s the trick in here because I can’t understand this.”
The other problem is there aren’t a lot of contract templates out there that are necessarily ready to go for your business, you know. You need to be asking yourself: What is my proposition to my customer, or what is it that I’m trying to get from my supplier, or I’ve got a contractor who is developing intellectual property for me.
For example, there may be a software developer who’s building an app for me and I want to make sure that we know who owns what at the end of this. Now you can probably find a software development template contract out there, and yet there are very few relationships and business transactions that you will do that will absolutely fit one of those templates. And it’s a little bit impossible to tell without discussing with the client how they want that relationship to work.
It’s impossible to tell whether one of these generic templates will work for them without some modification. And if you’re doing it yourself you absolutely can take one of these templates, read it through and ask yourself if that’s how you want things to work.
One of the downsides is that many businesspeople just haven’t seen that many contracts put together. They haven’t seen that many different disputes that have come up, and so a lot of the thinking that goes into what should be in this contract does come back to: “What could go wrong here? And what could realistically go wrong here? And what are the realistic consequences if something goes wrong between me and my customer after we sign this contract? And what do I want the result to be if that thing goes wrong?”
A lot of those discussions will be specific to your business and to your customer, to the customer relationships that you want to have, to the customer experience that you’re trying to set up. And so no – no generic contract template will be able to capture that. You will have to modify it.
The final thing I’ll say is, what about your brand voice? So when I mentioned the customer experience, if you’re talking to a customer about and selling – you know, selling them on your product, your service, your brand, whatever it is – you think about that journey that the customer takes as you bring them along towards deciding ‘yes, I want to buy from you.’ They are having an experience and you are building your brand. You want that brand experience to be consistent.
What happens if, after all of this lovely experience they fall in love with your products, etc., and they’re ready to buy. And then you stick this ghastly document in front of them that’s written in this awful prose that, compared to the tone of the conversations leading up to this, is suddenly changed. It’s a jarring experience.
Now sometimes your customer will just draw some breath and say: “Alright, of course, this is just the fine print. I trust this person. I trust this company. I’ll just go ahead and sign.” But if they don’t, how often are you going to know that was what it was all about? If they suddenly go silent? How often are you going to know what really happened? How often do you get to know whether it was actually the fine print that made them go: “Oh, geez, I don’t want to do business with people who do business like this.”
Because remember that contract you’re handing them – that is your business literally saying this is how we are going to do business with you.
And if it’s written like that, if it’s written in unfair terms, with unnecessary and unfair rules, in an impenetrable language, you’re sending a message to your customer that this is how I want to do business with you. It’s not a good look.
DR: Ok. So I’m going to try and summarise and ‘laymanise’ what you said, although to be honest it’s all pretty clear. Essentially, there’s a misconception that legalese has to be put in legal documents to make it legally binding. That’s not true, correct?
TF: Not true at all.
DR: And the purpose of a commercial contract. And I think this is how you explained it and you can correct me if I’m wrong: It’s like an agreement between two parties for something they’ve already agreed in principle, and the idea is that they should be able to use that document as a reference and go back to should a dispute or disagreement arise. But that document should be so clear that if a dispute does arise, it explains who’s right and wrong? Have I got that right? What should happen in the case of a dispute? Is that correct?
TF: Well it can do. I mean that’s extra detail that you can add to a contract. Or you can simply rely on the legal default, right? We have a court system. We have systems for dealing with disputes. But frankly, they’re very expensive to use, and if we’re perfectly honest, you probably won’t end up in court with your contract.
What your contract really needs to do more than anything is help you and your customer defuse or resolve the dispute yourselves. Because that’s the only efficient way of doing it.
DR: Yeah, like you said: “You do this, I do that, this is what happens if it’s not done, or this is what we agreed to do and this is within scope this is not within scope.” And then if you have that agreement, it’s very clear what should and shouldn’t be delivered, right?
TF: If it’s a clear agreement, because, as I said, all that the contract is, is the conversation that you had, it’s the agreement that you guys made up, you know, sitting around the table in the boardroom or negotiated at the pub. Wherever you negotiated this deal you came to, you said: “Yes, this is how we’re going to work together. Now let’s just write that down so that we’ve got a record of it.” All that a written contract is, is evidence of what you agreed. It’s going to be either good evidence and helpful evidence, or it’s not going to be helpful evidence based on how it’s been written.
So imagine if you are three years later, after you signed this contract, let’s say we’re talking about a shareholder agreement. So you have started a company with one of your friends or maybe one of your family members, whoever it is, but you’ve started a company together and you’ve started doing business together and you thought: “Let’s sign a shareholder agreement first so we’ve got this down on paper about how we’re going to manage this thing together.” Three years later, your business partner does something you don’t like and you think: “Hey, that’s not what we agreed.” So you go to your proverbial desk drawer and pull out the agreement and start reading it.
Now, if this agreement has been written in terms that you don’t really understand or that has long, confusing sentences or some ambiguous wording, then it’s possible for you to read a sentence and come to a very different conclusion than your business partner about what that exact same sentence means. And each one of you, if you’re in a dispute and you want a different outcome from each other, it’s very likely that when you read that sentence, you’re going to interpret it to mean what you want it to mean, and the other person is going to interpret it to mean what they want it to mean.
A plain English, well-drafted contract will never be perfect. I routinely look at contracts that I’ve written in the past and think: “I think I’ve come up with a better way of doing that. I would write that differently today.” So contracts are, even a contract I consider to be really good from a plain English standpoint, can still have some things that I hadn’t thought about when I first drafted it. So that happens.
But you know what? What writing it in plain English does is, it makes it less likely, far less likely, that two people can read the same sentence and come to totally different interpretations of what it means. A more likely reaction is: “I don’t like what you did.” so I pull out the contract, I read it and I go: “Oh, I forgot that we’d agreed you could do that. I guess there’s no problem here.” or “Maybe we need to have a conversation because I’d forgotten I’d agreed that and it doesn’t work for me anymore and I’d like to have a discussion. I’d like to see if we can update this.”
That’s a very different attitude and a very different approach from: “Look what that person did. They can’t do that because the contract says X and I’m going to tell them they can’t do that and maybe threaten to sue.” That’s very different from: “Let’s talk about this because this doesn’t work anymore.”
DR: It’s a more productive way of doing business, right? There’s less aggression, it’s complementary.
TF: And it just makes it less likely for conflict to spiral out of control, because that can happen, especially when emotions get into a business discussion, which happens lots. You know, something that started off with: “I don’t like the way this is working” becomes: “I can’t trust you” becomes: “You’ve done this to me on purpose.” People start digging their heels in – a poorly drafted contract can actually create a conflict that was quite avoidable. And most of the time when I see a contract that does that, it’s because it’s got some significant ambiguity in the way it’s been drafted.
DR: Thank you for explaining. Do you have any key point summaries or takeaways you want to wrap up with?
TF: I think plain language builds trust. When you write things in plain language, people aren’t left wondering what little trick you’re trying to play. They’re not looking for the ‘hook’, if you will.
When you get a dense legalese document that’s drafted by someone else’s lawyer – I know from personal experience – that’s the first thing I wonder. I start looking through and wondering: “What am I missing here? What little things are going to come back and bite me later?” The plainer it’s written, the less likely it is that the document will provoke that reaction.
Also it means, let’s say it’s a customer contract, maybe it’s terms of business on your website. Whatever it is, it’s some kind of customer contract. The plainer it’s written, the less likely your customer is going to have to call in and ask your call centre staff, ask your sales managers, ask any of your staff what this means.
And I’ve seen it. I’ve seen it in businesses I’ve helped before where they’ve – I don’t have measurements for it – but I’ve been told by a couple of former clients and employers that when we updated the contracts to be written in plain, much plainer, much briefer language, there was a noticeable reduction in the number of customer enquiries about what the contract meant. And that means you need fewer call centre staff.
It also means there’s less, there’s just a lot less potential for mistrust. People know that, essentially, it does what it says on the tin, and can rely on it. They can rely on their own reading of the contract without thinking that they might be missing something, and so that’s good for the customer experience. And, ultimately, it’s good for sales and reduces costs.
Episode Title: “The Plain English Difference, part 2”
Recording Date: 16 Aug 2021
Recording Length: 00:17:31
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. Today it’s Part 1 of a two-part podcast called ‘The Plain English Difference’. We talk about how I became interested in the ‘plain language’ movement, re-write some legalese into plain English, and discuss how writing a contract ‘for the judge’ might not mean what you think. Part 2 of this podcast is also available on the Plain English Law website at https://plainenglish.law/podcasts/.
DR: So, “Plain English Law” – that name is pretty straightforward. Tell me about the idea for that? Obviously it means ‘commercial law without some of the legal mumbo jumbo’, but did you have a defining moment or time? As in, when you thought the legalese had to stop and that it could be done in a different way?
TF: Well, the ‘this has to stop’ moment was probably the first time I tried reading software on a software package that I was opening back in the days when you actually received software on floppy discs. And I was opening the package and you start reading the terms and conditions on the outside of the package, half of which are written in all caps, and it’s very, very shouty. The sentences are very long, it’s full of legal jargon, full of technical jargon, and I’m looking at this, you know, probably like most people thinking: “They can’t possibly think I’m going to read this?!”
And at some point later in my adult life, when I was in law school, I was fortunate enough to have a law professor who was very much committed to drafting legal documents in plain English. Whether you were talking about contracts or wills or letters, even an email written by a lawyer – you can tell a lot of the times that the email was written by a lawyer just because of the style that they use in writing that email to their own client. You see the word “shall” a lot, you see a lot of passive voice, a lot of long, artificially formal sentences written in ways that nobody would ever speak to you. And even the lawyer who wrote it would probably never speak to you that way. So why are they writing to you that way? It’s a bit jarring.
And so this professor was committed to teaching us how to write in plain English. And I thought this is great. There is a plain language movement that started, surprisingly enough, in the US I think, and the US government’s been banging the drum for plain language documentation, plain language legislation as well. So when they draft laws down there, the intention is to write it in language that typical, you know, regular people can understand, and that hasn’t been the way things have been done historically. So it was a big shift for lawmakers, for legal drafters and for lawyers to start thinking about writing things in more standard everyday English, instead of writing them in this artificially formal pseudo-Shakespearean style that lawyers are known and maybe not loved for. So I saw some hope there.
You know I trained as a lawyer initially in Canada and I saw how it is that lawyers get their jobs done. And then I started to understand why the legalese persisted. Because a lot of lawyers, most lawyers, don’t draft contracts from scratch. They use databases full of templates, full of precedent contracts that have been in use and recycled for decades. Or in some cases, some of these clauses that you’ll find in these contract templates, go back even a century or more.
And so they were written by people in a different era when this was expected and considered normal, that is, a normal way of writing even business correspondence. If you look at a business letter written in the early 20th or late 19th century, it’s very formal. It’s totally different from anything you’d see businesspeople writing to each other today. Legal documentation hasn’t made that transition quite in the same way to normal everyday English.
DR: Are there, when it comes to these kinds of contracts and templates, because obviously this is still ongoing, otherwise Plain English Law wouldn’t exist, right? It’s still a thing. Do you, or rather can you speculate? Do you know why it still happens? Or have you just explained? Sorry, maybe you explained that in your previous answer. Is it because basically lots of lawyers use these kinds of precedent law contracts and then reuse them and then don’t update them? Or is it a case of a certain level of fear or posturing? Do you know why it continues like that?
TF: Yes, all of that. And I would also add: it takes time to update these things. So it’s all of what you’ve just said. Number one it’s fear. Ok, if you’re a young lawyer and you are learning how to practise law, you have to remember you’re also learning how to practise law profitably, which means you have to get your job done. You’re asked to produce a contract. You need to produce that contract for your client efficiently enough that the bill will be tolerable to the client. Most law firms will bill on an hourly rate, so if you take too long because you’re trying to take this contract template that you’ve been handed and you’re trying to make it better, the question is, is your client willing to pay for that?
I personally think more clients would be willing to pay for that than we assume, but it takes time. And so the fear is… there are a couple of fears. Number one, my client is not going to pay me for all the effort that it takes to hammer the legalese out of this. There is the fear my client will not value a plain language contract.
I think that’s probably mistaken. At least I hope so anyway! (laughing) I’ve started a firm called Plain English Law on the belief that there are clients out there who will pay for this.
DR: No, I’m inclined to agree. As you know, I’m a small business owner and you know, I did the typical thing where I started using templates and contracts templates initially because they were quick and easy and accessible, and I can modify them a little bit. But yeah, I was quite lost in the wordage like the “herewiths” and the “vis-à-vis”. And I know what all those words mean, but when it’s in a written form you’re just like, whoa.
TF: It’s intimidating.
DR: Yeah, it is. And so in your experience, are there any particular phrases or words that constantly get used even to this day that you wouldn’t consider ‘plain English’? Are you able to expand on them, explain what they actually mean?
TF: Well, there are a number of them.
DR: What ones do you particularly dislike maybe? You see them and you’re like, “Why is that even there? That doesn’t work.” Does that make sense?
TF: Ok yes, well the one that drives me nuts probably more than anything is the little phrase: “For the avoidance of doubt.” So, you’ll be reading along through a contract and then you’ll get to a point where it says: “For the avoidance of doubt…” and then it’ll go on and essentially restate something that had been said before.
I don’t know if you’d call this a sort of verbal tic or almost a written form of clearing your throat. I don’t know what you’d call it, but it’s not enough to wonder what value those four words add, it’s wondering what value the rest of the sentence that follows those four words adds.
Because what you’re essentially saying, as the contract drafter if you are putting those words into a contract, in my view you’re saying: “I’m not sure. I think I might have left some doubt with the last sentence of the last paragraph.” Well, if that’s what you think you’ve done, then maybe you need to re-draft that last part and remove the doubt in the first place. Instead, you’re putting “For the avoidance of doubt…” and then lengthening the contract in the process.
And even worse, you’re quite possibly rephrasing or slightly recasting something that you’ve already written about. And when someone comes along later, if this contract ever ends up in front of a judge, which is pretty rare, by the way, but you know, it can happen. More likely, if your customer or your supplier or whoever else you’ve made this agreement with, if they pull this agreement out of the drawer and read it, they’re going to come across this and they’re going to say: “Well, which version am I supposed to pay attention to? The bit that caused the doubt, or the bit that’s supposed to resolve the doubt?” One issue resolved in at least two different ways in the same contract is a recipe for confusion and possibly conflict.
So yeah, that should be your red flag, I think as a contract drafter, pause after you want to put those words in. It says that you’re not comfortable with what you have drafted. Immediately stop, put the pen away. Go back. Fix it.
DR: Can I touch on something you mentioned there because, you know, we’ve mentioned this in previous conversations and I think it’s interesting to know. Why is the…? There’s the phrase, you know, “the contract is written for the judge”. Why is that a poor excuse?
TF: For a few reasons. Number one, of course you write for the judge, but the judge is a human being, just like your client or whoever you’re writing the contract for. Let’s put it this way: if your client understands the contract, give the judge a bit of credit. They will probably understand the contract as well, so writing it in a language that’s more accessible to your client is not going to put it out of reach of the judge, so you can write it for both.
Secondly, judges would probably thank you and thank all of us to stop, quote-unquote, “writing for the judge”. Because that’s when the legalese comes out, that’s when the jargon comes out, that’s when the Latin comes out. And I don’t know a whole lot of judges, but I’ve met a couple and I clerked for a couple of trial court judges when I was a law student, and they hate the legalese. They hate the long drafts because it consumes their time. They would love nothing more than to get concise, plain language drafting in everything that they get from the lawyers that appear in front of them. So that’s why drafting for the judge is a bit of a, well, I don’t think that drafting in a legalese style is drafting for the judge. I think you’re making the judge’s job harder and you’re making your client’s job harder.
DR: That’s fair enough. Going on a slight tangent. Do you have any examples of a non-plain English contract versus maybe a plain English version?
TF: Sure. First off, plain English is partly about being understandable and part of that, by the way, is just shortening the entire document because people get exhausted. So if you’re putting clauses or sentences into a contract that don’t actually help, that aren’t necessary, you’re just making the document longer and more tedious. And you’re making it more likely that people will start skimming through and miss the important bits because they’re buried in amongst nonsense that doesn’t need to be there. So I’ll give you an example.
My two favourite examples. You’ll find this in a huge number of contract drafts, somewhere near the top there will be a section dealing with ‘interpreting the contract’. And you’ll find sentences like this:
“Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.”
DR: Ok, I don’t understand what I said.
TF: Right! If I was to write this in plain language… Ok, first off, this sentence is utterly unnecessary. It shouldn’t be in the contract at all.
Now what does it mean in plain English? I’m just going to draft this in my head as we go because I haven’t actually drafted this. What it says is: “In this contract, if a word is used in plural form, interpret it so that it’s singular whenever necessary.”
Ok, number one: if you’ve written the contract that badly that when someone gets to a sentence, they’re not sure if you really meant it to be singular or plural, then that’s bad drafting. This clause doesn’t fix it.
I’ve challenged a number of lawyers to point me to a single case in any English-speaking jurisdiction where this clause (because trust me, this exact wording appears in billions of contracts out there, literally billions, because this is from a widely used legal database of precedents so this clause is in almost every precedent in that database, and that database is used by hundreds of thousands, possibly millions of English-speaking lawyers)… Ok, so I say point me to a single case where a judge has said: “Oh, that sentence helps. Now I know how to interpret this contract. Thank goodness for that sentence.” I’m going to say never-in-the-history-of-ever has that happened. This is a useless sentence.
Secondly, if you’ve drafted the contract that badly, this is a lazy person’s way of saying: “Well, rather than go back and fix my sloppy drafting, I’m going to bung this in here and just hope that it saves me when the judge comes across my lousy drafting.”
Ok, second example. Right after that singular-versus-plural sentence, you will almost always find this sentence:
“Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.”
So in other words, if I’ve written this contract in a way that confuses you so you’re not sure if I’m talking about a male, a female, or a non-binary person, or an other-gendered person, if I’ve confused you like that, please forgive me and just interpret this so it includes all of them.
Number one, what on Earth does that even mean? Number two, if you’re writing a contract and your writing is so gendered that you’re going to confuse people about which person you’re talking about in a sentence, then your drafting is so badly broken that, trust me, this sentence is not going to help anyone undo your broken drafting.
And again, I challenge any English-speaking lawyer to point me to a single case anywhere in the world where this clause and the billions of times it’s been used in contracts has ever helped anyone resolve: “What does this sentence further down the contract mean.” So this stuff… just knock it out. It’s absolute nonsense and it lengthens the contract.
And it causes your reaction, Dayle. Perfect. I read the sentence to you – maybe if you had read the sentence yourself…
DR: No, I don’t think so. I think I could have read it and still been confused.
TF: And I think a lot of people would be as well. Because, first of all those words: “Unless the context otherwise requires…” Just the ordering of those words. Nobody talks like that, and almost nobody writes like that unless they’re writing a contract. Or, you know, pretending to be a lawyer.
I shouldn’t say ‘pretending to be a lawyer’. Lawyers write like this for crying out loud!
But this is, in inverted commas: “I’m writing legal.” It’s not necessary and it makes people stop and go ‘What? Wait!’ and they have to read it again. You’re doing a massive disservice to your client, you’re doing a massive disservice to their customer who’s trying to agree a contract with them, because they’re both either not going to read it at all because they just can’t be bothered with it, or they spend a lot of time on it because it’s confusing and it’s badly written.
And then even worse, they finally come to the conclusion: “Sigh, that’s not even necessary at all. That’s a total waste of my time.” If they’re lucky, they get to that point, but now they’re annoyed and they’ve lost five minutes trying to figure out why they’re reading this.
DR: And I guess as the saying goes, in business time is money, right? So the time you spend having to read the contract, if you’re a non-legal minded person, and try to interpret it. And then obviously you have a contract – that means there’s two entities involved – so I have to get the supplier or customer or client working with me to understand it and if they have questions about it. That’s a lot of time spent going back and forth. So, the plain English treatment again, if I understood correctly, those two examples probably wouldn’t even make it into one of your contracts.
TF: Right, I would just leave them out.
DR: So that way I’m not confused by those two statements, because they’re just not there, right?
TF: So now I’ve got another example here. These are clauses that need to be in the contract, but it’s the style of writing that’s the problem, and that can be tightened up.
This is early on in a contract. It is essentially the introductory paragraphs that give you some context for why the contract has been written. So here’s what the original version said, and this is real, I didn’t make this up. I copied and pasted this and then I’ll give you my redraft of it. It starts off by saying this:
“Company A and Company B are desirous of entering into discussions regarding the project.”
OK, I’m going to stop there. That’s only part of the clause.
DR: Wait, did you say desire-ous?
TF: Yes, “-ous”. Desirous.
DR: I think I know what it means in context, but that’s a really weird word.
TF: Tell me about it. So, these two companies are “desirous” of entering into discussions. Here’s my redraft:
“Company A and Company B intend to discuss.”
Who cares about desires?! (laughing) So right there we’ve shortened it, we’ve put it in an active voice in the present tense, and you don’t have to read it a second time. It’s pretty clear what they’re doing: these two companies intend to discuss the project.
The next sentence in the legalese version says:
“During and as a consequence of discussions concerning the project, it will become necessary for each party to disclose to the other certain confidential and/or proprietary technical and/or business information which each party is agreeable but not compelled to disclose to the other party subject to the undertakings given by the other party in this agreement.”
DR: I’m not even going to try and interpret that. If you could just please provide me with the plain English version, that’d be great.
TF: For the plain English version, I broke it into two sentences and it just says:
“During these discussions, each party is likely to disclose proprietary information to the other party. This agreement governs the use and protection of any proprietary information exchanged between the parties.”
DR: That makes a lot more sense.
TF: It’s still not, you know, pub talk, right? This isn’t banter but it’s still a business document. It’s direct, in an active voice and present tense, none of this “and/or” nonsense. The original legalese version was 70 words long and my redraft is 40 words long and they cover the exact same territory.
DR: And is that where one of your straplines comes from? “We do business 1st and legal second.” Because it sounds to me when you’re re-drafting those examples, you’re writing them for a non-lawyer to read and not have to spend tonnes of time reading / interpreting. Is that fair to say?
TF: Yes, and the thing is with any commercial agreement, it’s ‘commercial’ first. We don’t say “legal commerce”, it’s “commercial law”. The commerce comes first for a reason. Because any agreement that you write, any agreement you make with any other company or with a customer, whoever it is, is simply a commercial agreement between the two of you where you’re basically saying: “I’m going to do this for you. You’re going to do that. Here’s what the price is. This is the schedule we will follow. And if one of us doesn’t do what we promised to do in this document, here’s how we’re going to handle it.” That’s pretty much what every commercial contract says.
There is no contract to write unless you first have a commercial agreement, in other words, business people shaking hands and saying: “Yes, this is what we’re going to do together.” And then all the contract does is describe that commercial arrangement.
And yes, there are legal effects to that commercial arrangement, but the legal bit serves the commercial bit. There’s no point in writing a contract unless it is to facilitate a commercial deal. That’s what a commercial contract does. The contract and the legal bit of it – that’s not the object. The object is whatever transaction you’re doing, whatever relationship you’re setting up. It could be you’re going into business with a business partner, so you’re going to want to have a contract that describes how you run the business together, how you distribute the profits, etc. With that agreement, there’s nothing to write until the two of you have sat down at the table and said: “Here’s how we want to work together, here’s how we’ll manage the company, and here’s what we’ll do with the money.”
Episode Title: “The Plain English Difference, part 1”
Recording Length: 00:24:05