Business Apps & Data Privacy: free trials aren't always free
- Have you read the T&Cs on that business app you’re using? How about your CRM system?
- Do you know who is in control of your customers’ personal data: you or your app vendor?
- In this episode, Dayle and Trevor discuss the data privacy pitfalls contained in common applications’ T&Cs, and the questions business owners should be asking before agreeing to that free trial.
Episode Title: “Business Apps & Data Privacy: Free Trials Aren’t Always Free”
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 27 July 2021
Recording Length: 00:12:24
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, Dayle and I discuss GDPR risks that are embedded within the mobile and web apps that businesses use every day. What apps do you use? Do you know what data they collect from your device and your business when you use them? And who’s behind each of those apps? Finally, if you read the terms and conditions, what are you agreeing they can do with the personal data that the GDPR requires you to protect?
DR: Okay, so like I said, I sent you some questions about two major players in the field of CRMs that I know a lot of micro and small and maybe medium-sized businesses would use.
And in their policy you point out two things that most customers wouldn’t be aware of. So the first one was: “You grant us the perpetual right to use customer data in anonymous format.” … and the second one was: “Supplier may use client data in an aggregated or anonymised format for research, education or other similar purposes.”
And you were saying that that's actually a problem for most businesses, because it means that the data is actually shared in a way they may not be aware of, correct?
TF: Yeah, and it is sort of buried in the terms and conditions and I think a lot of people, a lot of businesses wouldn't look very deeply at the terms and conditions of most products that they purchase.
Because who's got the time to read page after page after page of terms and conditions for vendor after vendor after vendor?
The problem is when you're using any kind of app, whether it's a web app, or a mobile app, you're putting data into that app. Some of that data is going to be personal data, maybe all of it will be, and each one of those apps will have its own storage location.
So basically, the more vendors you have, the more storage locations you have and the more terms and conditions you need to review to see what rights have you given the app vendor to use the data that you put in.
And some of these terms like those ones that you quoted, they sound pretty innocuous because it says, well, hey, you know we're using it in an anonymised form. The problem is there is no way to reliably anonymize any data set these days.
There are studies out there that I don't have to hand at the moment but have shown fairly reliably that if you have two or three pieces of what seem like generic information about a person, such as a post code and their gender, you can use other publicly available information on the Internet to narrow down that person to a specific individual something like 85 or 90% of the time. It's really scary.
So, anonymizing the data just by taking someone's name off it doesn't actually anonymize it most of the time.
And you, as the customer of an app where you're sticking data into that app, you're still responsible for that data. If you've agreed terms and conditions with them, let's say they can use this data in an anonymised format, you’re still on the hook.
If someone else, whether it's the vendor or somebody else that the vendor is working with, manages to reconnect or decides to put the effort into trying to reconnect data points with individuals using other data they can find on the Internet, that's still personal data even though it's been anonymised. You're not off the hook by having agreed that. You need to be looking at those terms and conditions. You need to do your due diligence.
DR: So, I'm going to ask a very challenging question. For these major CRM providers, where their terms and policies are quite lacking in terms of GDPR, what would the solution be? Now that we know what to look for, what is the alternative?
Here’s a scenario: I’ve been in business for 6-7 years and I'm using one of these platforms. I've been using it for quite a while and a lot of my workflow and sales processes go through these systems. To now be told that actually there is a potential risk to my business, what would the solution be? Would it be some kind of mapping procedure? Or some kind of…?
TF: Well, exactly. This is where all GDPR compliance starts: with data mapping. That is, figuring out and writing down what data do you have, where you're storing it, who the vendor is, why you have this data, is the data up to date, and so on.
Every organisation that has personal data is required to keep what's called a record of processing activities (ROPA) – it could be in a spreadsheet, it could be in a database, it doesn't matter. It's effectively a chart that shows what data you have and where you're storing it while you have it.
And you need to keep that up to date because almost every week we will come across a new app that we think, hey, that could be really helpful. It fills a need for my business. And of course, they all give you free trials. So, you start a free trial and you think, this is great, I'm going to give it a go and you put some information in there – if you don't record the fact that you've done that, you've now created a new set of personal data that's being held by a third party vendor. You're still responsible for that data, and yet you'll probably forget about it the moment you decide to abandon the free trial, which you will do a fair percentage of the time.
This is the same situation if you decide to move on from an app after using one for a long time. CRMs are a great example. CRMs change all the time. Maybe they changed their business model or their pricing model or they’re just doing something different now, and a CRM that you really liked five years ago isn’t a great option for you now so you decide to move on. Did you clean up the data you left behind on that CRM? How do you even know to clean it up if you don't have the data mapping done and kept up to date before you start looking at new apps?
Part of this process, by the way, long before you stick the data into an app should be to ask yourself: “Who are these people?”, as in, who is the company that runs this app? And what are the terms and conditions? What are they going to do with that data? What rights are they claiming to use the data that you stick into that system? You have to ask these questions before putting anything in there in the first place, even in a free trial.
DR: Can I ask a follow-up question? So, does that mean it's not necessarily all doom and gloom if you're already using the system that's already ingrained into your business, you can still technically use them, providing you do your due diligence, right? So, let's say again, you've been using one of these CRMs that are quite common. Then Plain English Law comes over, looks at the CRMs’ terms and conditions, and says it's lacking from a GDPR compliance perspective. Is it panic time? Is it a case of ‘oh my gosh the house is on fire, we need to change CRMs, we need to go to another provider.’ Or is it more a case of ‘okay, we can still use it, but we’ve got to get these things in place to make sure that you're legitimising the use of it’. Is that what you're saying?
TF: Yeah. So, first of all the good news is, I'm describing a situation that practically every organisation finds themselves in at some point. Discovering or realising that you've been doing this and using apps without checking their terms and conditions first, even if you find some unacceptable terms and conditions, it does not mean the Information Commissioner's Office is going to be sending people in windbreakers down to your office to seize computers and slap you with a fine of €20 million or 4% of your turnover.
DR: Remember how I said I imagined this? Guys coming down from helicopters?
TF: (laughing) Yes, exactly! A lot of GDPR compliance scaremongering that's been going on over the last three or four years gives you that image like, if you put your toe over this line your toe is going to get chopped off, and that's absolutely not how it happens.
However, that doesn't change the fact that you need to be looking at these things. You are responsible for demonstrating that you've turned your mind to it, that you've actually looked at the terms and conditions and thought through what are the risks involved in using this vendor, or in allowing data to be used this way, or in allowing the vendor to reuse the data in some other way? You need to be thinking that through.
And the first step to that, I think, is asking yourself, who are these people? If this is just a website when you first get there, do you know who runs that website? Do you know where they're located? Do you even know the name of the company that you're dealing with?
DR: Wait, so let me write this down. Who runs the website? Who owns it? I'm guessing you need, if it's in the UK, you need a company number and where their base is?
TF: Yeah, and sometimes the biggest flag is the fact you don't have that information, or even a postal address! A lot of websites, particularly from North America, don't include a postal address – it’ll say something like, you know, “copyright, thewebsite.com” – but thewebsite.com is not a company name. There is a company behind that site that owns thewebsite.com, but who is that company? Where is their office? Where are they registered? You're dealing essentially with an anonymous service provider.
Until you can identify who owns this thing and who's running it, and until you've done at least that and then figured out who you’re dealing with, what are the terms and conditions, what am I agreeing to, you shouldn't be putting any data into that website at all. You might sign up for the trial, but the second you put your customer data in there, you've just handed it all over to a total stranger. That’s what a lot of us are doing today and we have to stop it.
The enforcement of GDPR has been relatively light touch and has been relatively focused on seriously problematic vendors doing really offensive things. But you look at news coming from across the EU and the UK itself, and you're seeing that gradually the enforcement is getting more and more, you know, turning their eyes to sloppy practices basically. It's not that by doing these things you're doing something malicious, it's just you need to be more diligent.
You need to be more careful about who you're giving your client data to. It's just a matter of time before a growing number of data protection authorities start asking why are you doing that and asking you to justify what it is that you've done with that data.
And I know we've left the EU and I know I've brought up EU data protection authorities. But the fact is, if you're doing business with people in the EU you still have to comply with the EU's version of the GDPR, which is basically the same as the UK's. It means you can't just say ‘Oh well, I don't have to worry about the French data protection authority’. Yes, you do. If you've got customers in France, you have to worry about them.