Managing privacy and compliance risks, in an increasingly formalised digital space

Written by Stine Mangor Tornmark on April 16, 2020
Max G. Sørensen

Max G. Sørensen’s legal journey started over 20 years ago on the Danish west coast in Esbjerg, Jutland. After 12 years as an attorney with the right to present cases before the Supreme Court of Denmark, he made a big career change, moving in-house to the LEGO Group. At the LEGO Group, he spent six years working with GDPR and Ad-tech, and acted as the dedicated legal counsel to the LEGO Group Brand, Marketing and Digital Department. He then relocated to Copenhagen and today works at the law firm Gorrissen Federspiel, specialising in GDPR and Ad-tech, and is also an external lecturer at Copenhagen Business School.

With more than 20 years of legal experience, including years spent on privacy and Ad-tech, Max is well placed to talk about the balance between compliance, risk mitigation, and ensuring marketing results, so we asked him. This is what he had to say.

Question: Having worked as an in-house counsel as well as an attorney, how have you seen GDPR impact Danish companies?

To be honest, when the GDPR came into force in 2016, Danish companies generally didn’t take notice. And then in 2018, when the rules became enforceable, we lacked guidance from the data protection authorities. Many companies were not clear on what to do and how to prioritise; many started working with, e.g., Data Protection Impact Assessments instead of doing an Article 30 inventory.

In my view, GDPR is just another compliance discipline, where you need to find out where your risks are, and how to mitigate them - it’s basic risk compliance. Many companies went straight into solution mode and started implementing things without knowing if it was the right thing to do. Companies faced considerable pressure to act, which was coupled with the worry of fines if they didn’t. So I think the expectations and lack of guidance have a lot to do with companies going into action mode, rather than keeping the scale of the compliance action relative to the risk.

“GDPR is just another compliance discipline, where you need to find out where your risks are, and how to mitigate them - it’s basic risk compliance.”

Question: If you were back as an in-house legal counsel, what’s the first thing you would look at when it comes to privacy and increasing a company’s online compliance?

I would start by creating a risk assessment of where the risks are and what could hurt the company most. Then I would begin prioritising. GDPR is high up on the list now because of the risk of fines and complaints.

A good place to start in a risk assessment is to look at the technology companies use. These have generally been designed to collect as much data as possible, for as many people as possible, to keep for as long as possible. This directly contradicts the principles in Article 5 of the GDPR. However, changing the entire IT infrastructure in a business can be a huge task, both financially and timewise.

Another focus area I would look at is IT security, as it is also a big risk these days. It is an area that is typically front-loaded with technical solutions and a very specialised language, which can be difficult for many people to grasp. Having basic IT hygiene prevents 90 % of cyber-attacks; this can be simple things such as changing passwords regularly. All companies, including small ones, should have basic IT hygiene like this in place to minimise their risks.

“A good place to start in a risk assessment is to look at the technology companies use. These have generally been designed to collect as much data as possible, for as many people as possible, to keep for as long as possible.”

Question: How do you usually guide smaller companies who want to be compliant but don’t know where to start?

If I was going to help a smaller company with compliance today, I would start by looking the CEO straight in the eyes and warn him that the tech world is becoming steadily more regulated. The days of the wild west are over.

“If I was going to help a smaller company with compliance today, I would start by looking the CEO straight in the eyes and warn him that the tech world is becoming steadily more regulated. The days of the wild west are over.”

At the same time, though, it is important to remember that we don’t always have to build a Rolls Royce; a smaller car can get you from A to B. Similarly, the GDPR doesn’t have to be an extensive exercise for smaller companies. At the heart of it, it is about mapping the risks in your company and then covering these weaknesses. It isn’t much different from taking out insurance, where you want to cover a known risk.

A big issue is that the language in a lot of publicly available documents is very legal and technical, and can be inaccessible to the majority. The guidelines aren’t helpful for smaller companies, who don’t necessarily need a Data Protection Impact Assessment or to map out fancy data flows. They often just need counsel to help them implement the GDPR, without becoming overly compliant.

“At the heart of it, it is about mapping the risks in your company and then covering these weaknesses. It isn’t much different from taking out insurance, where you want to cover a known risk.”

Question: What are your thoughts on the cookie rules as a former in-house attorney?

The purpose of the cookie rules (e-Privacy + GDPR) is to give the user the ability to control their data, and cookies as we know them are facing a real challenge. Consumers now have to give active consent, and getting them to see the benefits of opting in can become a real challenge. Businesses need to focus on and present the upside for the consumer so that they will accept cookie use. But right now there is a lack of clarity on this and on things like cookie walls, e.g., if you want to read a newspaper, you have to opt in. The issue is whether such consent can be seen as freely given. Some European countries would say that this is illegal, as consent is not freely given if you have to opt in to view a website or content.

Another issue is that we have some very big American Ad-tech players and social media platforms, where the question is whether they can continue to require cookie consent as a form of ‘payment’ for use. This is being weighed against these platforms’ importance for our freedom of expression and democracy. So we are asking ourselves these big questions, and until the e-Privacy Regulation clarifies things better, companies are left with a broken cookie solution. As it stands with the opt-in set-up, we will get a lot less information from cookies than we have in the past few years.

Question: What impact has the Planet49 ruling had on the use of cookies (in your opinion) in Denmark?

We have seen a big focus on which boxes should be ticked, but much less so on which information we give to the users. And honestly, if you read a cookie description, you are often none the wiser. This lack of transparency makes it hard for end-users to understand, so why would they then give consent? I have seen companies implement a standard cookie solution very quickly, and then the information they usually collect drops. Some companies are trying to solve this by making the UI design of the cookie consent form more appealing and nudging towards accepting cookies. It will be interesting to see how the authorities respond to the use of design and whether this contradicts the rules around transparency.

The Danish authorities are likely to be inspired by what countries like France, the UK, and Germany do. So it is a good idea to keep an eye on the findings and rulings in those countries when assessing the risks.

As an advisor, the best advice I can give people out there is to:

  1. Avoid pre-ticked boxes.
  2. Understand and explain what you are doing when it comes to cookies. Many companies just purchase, or download for free, a solution from vendors and don’t actually know what is being implemented.