Quizzes are powerful marketing tools for collecting personal information from potential customers. However, data privacy is growing more strict globally, with regulations like the EU’s GDPR and California’s CCPA. Data Privacy Officer Alexander Claasen shares how to collect customer data safely with quizzes.
If you want to reach out to Alex to inquire about his services, send him an email.
Hello, and welcome to “The Quiz Makers” podcast. Our guest today is Alexander Claasen. Alex is an external data protection officer, who’s also working for Riddle. And we’re going to chat today about privacy, the European privacy laws, and the most recent cancellation of the Privacy Shield agreement and what that means for doing business globally.
Hi, Alex – welcome to the show!
So let’s start – actually a little background. What got you into the business of being an external data protection officer? Do you just love privacy so much, or what got you to this job?
Well, I was studying law and I was about to write my exams when, in 2016, a mentor of mine brought me up to the idea.
“Hey Alex, you’re IT friendly and you know this stuff. Why don’t you try privacy protection or data protection? It’s a crossover from law and protecting personal data – it could be some interesting field for you.”
And so we started to educate ourselves about the whole subject and then I got certified with TÜV Süd. So since 2016, I’ve been in the data protection business.
So that was really good timing with GDPR coming!
That first passed two years before, but the cut-off date was on the horizon. So we were informed about the mechanics which would come into use – so I could get some experience before GDPR.
So as a business owner, when the GDPR came out and the first lawsuits happened, people got scared. We started to hate GDPR more and more to an extent. So from from an end user point of view, have you seen any benefits of GDPR? Or is it making life harder for everyone?
Ah, in part.
On one hand, I think it’s a regaining of privacy.
Personal data has become more and more a commodity. So you went from a human being to a trading good. Something, the GDPR wants to turn back. So under the concern of privacy, the GDPR is something pretty good. For every customer, even for us ourselves because we are customers to any other company.
But from the companies’ point of view, it’s hard because all those mostly cheap services can’t be used anymore or can’t be used in the way you would want to use them – because they always cause some problems.
So you have to make the decision as a company owner – “Do I want you to pay money for GDPR compliance service? Do I want to risk maybe getting fined?”
So both positions are hard to bring into level because they’re contradict each other.
But I think in the end, the need to obey the European privacy protection laws will bring a wider range of internet or software based services in favor of the customers. Also European countries which get the chance to provide the services to the customers and can bring in some new ideas.
Right. So you mentioned European companies. At Riddle, you know, we have a lot of customers outside the EU. And we altered lots of tools in Riddle to comply with GDPR.
Do you think it’s important for a US company to comply with GDPR or can they just ignore it?
It’s, of course, very important for US companies, because we have two ways in which the GDPR applies to you as an US company.
On the one hand, we have the geographical scope of the GDPR. So, that means we have two principles: the establishment and the marketplace principles.
The establishment principle means that the GDPR applies whenever the data processing body has at least one establishment in the EU. So, if you process your European data in at least one branch office, you’re under under the control of the GDPR. In conclusion, you shouldn’t care about being a non-EU business because you’re this or that way. You are affected by the GDPR – and you have to be compliant if you want to take part and participate in this very strong financial market, you have to play by the rules.
So the only option really, if you’re a US company, and you don’t want to comply, is you have to essentially block all European traffic. We’d expect you to lose a lot of business.
That’s the point exactly.
And the good thing for everyone is that more and more countries are establishing similar rules. Canada has a very similar rule to California, very similar laws. So if you comply with the European privacy regulations? You pretty much automatically comply with the Canadian and the California privacy regulations.
Yes. Because the European Data Protection Law GDPR is a model for for many other countries, like you mentioned. And the regulations are, in some cases pretty harsh, I think. But on the other hand, you have to see why they are that harsh.
In Europe we consider the right of privacy as a European human right. So that’s why it’s being regulated so hard these days. So if you comply to the GDPR, in most cases, I think you can be compliant with the other laws because they just took the best from the European law.
Right. That makes sense. But now that we mentioned the US – a recent development (we’re recording this in August of 2020), the Internet world got shocked because the Privacy Shield agreement, which regulated data exchanges between the US and Europe, got cancelled.
Essentially, if you are a European company or if you want to comply with GDPR, now you cannot transfer any data to a US company. Is that a correct statement?
More or less. Maybe under very difficult conditions, you maybe could still transfer data to the US, but that’s not practical.
All right. So is that the end of me using Amazon hosting Google hosting, Google services, Google Analytics, Facebook ads, Facebook for business and so forth?
You could say that with a short “yes”.
By now, it depends on what all those companies will do in the future to the services, how they will recreate them (if they are able to create them) to be GDPR compliant. So then you could use them again.
But not for now, because we have no way to transfer data safely to the US and back. Because the US are now marked as an unsafe state under the view of the GDPR concerning the US security laws.
And they’re unsafe, because the US government reserves the right to access any data stored on servers in the US.
Yeah, that’s the point. Because you have no functional protection against these possessions of the US government. So the European High Court of Justice said “Okay, under these circumstances, you can’t transfer European personal data to the US.” It’s not possible.
And I just want to pick up on something we said earlier about these laws making way for new and potentially better services, just out of our personal experience at Riddle.
Until Privacy Shield was cancelled, we used Intercom to power our support chat. But a support software naturally needs to capture lots of personal identifiable information, like someone’s name and email so we can communicate. And we just had to quickly swap out Intercom because they were not compliant anymore.
So we found a software from France called Crisp.chat, which is actually lightyears better than Intercom. So we’ve already benefited, and our customers will benefit from a much better experience thanks to the cancellation of Privacy Shield.
I’m pretty sure there are going to be more examples of this. Now, European companies with less funding than some of the Silicon Valley players stand a much better chance.
That’s what I what I mentioned with the wider range of new new solutions and services. Because like you said, those companies may get the funds they need to make the business be very appealing to every user.
Let’s step back to the ‘EU <> US Privacy Shield’ to say one last thing.
Even so if you if you don’t worry about getting fined directly by some some European authority, you can at least get fined indirectly. At least your European Customers are being forced to switch to GDPR compliant services. So even if you don’t get fined in a direct way, you will lose a lot of money because you lose your customers. You will have to get ready in a pretty short amount of time, otherwise the EU market will be closed for you.
I wanted to wrap this up with one more question. We introduced you as our data protection officer. Would you recommend every company having an external or internal data protection officer?
It depends on the size of the company. At least, you must have a person inside your company who is able to deal with all the technical subjects coming up about data protection, you have to always to to understand the technical informations of the services and hardware you’re using.
On the other hand, you have to the law component side as a data protection officer. So if you don’t have a person inside your company who can deal with both of these sides, you better should get an external person. An external consultant like me is very into the subject and interested in all the questions coming up – in that case, hire someone and you’re good.
And I can agree to that. We were having a lot of fun discussions whenever we launched a new feature.
We run it by Alex, and he usually annoys us a lot by telling us “no”.
Sorry for that but I have to give good advice.
But in the end, we always come up with a solution that was probably better than what we initially envisioned.
So thank you for being on the show, Alex. If any of our listeners needs an external data protection officer, you will find Alex’s email down there in the show notes.
Send him a note and he will connect with you. Okay, thank you so much for being on the show Alex.