Comply with GDPR principles as best practices even when you are not based in the EU.
You need to inform your data subjects of the use of the data and give them the right to access and the right of erasure.
You must have security measures in place to protect personal data at a high level.
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Kim Chan, Founder and CEO of DocPro, one of the fastest growing next generation legal tech platforms. Kim is qualified in 5 common law jurisdictions and has worked with major international banks and law firms. He has over 20 years of legal experience in corporate, finance, securities, commodities and capital market transactions.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Hong Kong and Australia. Like many other Hong Kong families that migrated to Australia in the 1980s, we had to adapt to a completely new environment. I had to work really hard to go from speaking no English to getting first class honours in law. I graduated in the late 90s, when the internet was just taking off, and I have always believed in bringing law online. At that time, I had been offered a job at a top international law firm, and it would have been an enormous opportunity cost to give up a highly paid job as a lawyer to pursue something uncertain. In the end, I opted for the safer route — I worked for top law firms and major international banks, thinking that I would make enough money to start a LegalTech business in 10 years’ time. Then I got married and had kids, and my business plan was again delayed. It took me 20 years to gain sufficient financial security to start DocPro.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
After having worked for 20 years, there has been little change in the legal industry. Law firms still charge by the hour in the same way, and are mainly targeting the same big clients who can afford their high rates. SMEs have on average 8 legal issues a year but are ignored because they don’t have the legal budget. Legal tech has made very little dent in the legal industry and accounts for less than 3% of the market.
I feel that I have sufficient legal experience and financial security to provide accessible and affordable legal solutions to startups and SMEs. At the same time, many of the boutique firms do not have a digital presence with clients generated purely by referral. I feel that I can bridge the gap between the two by helping the boutique firms with digital marketing and at the same time refer to them those SME clients that need further legal support.
It is tough to move from a high paying job to investing in a startup, and we needed to be lean and flexible initially. We are very proud of DocPro’s growth in users less than one year after our official launch. We are very optimistic about the future since we are creating a virtuous cycle — the more documents we have, the more users we attract, which in turn leads to more law firms joining us.
Can you share the most interesting story that happened to you since you began your career?
Initially I was going to use the domain “BlueSites”, until a friend of mine asked me why I was quitting my job to set up a porn site. I thought of the colour blue as conveying trust and reliability and was unaware of the connotation of “blue” also referring to sexually explicit content, as in “blue movies”. So I had to quickly switch to another name.
I was struggling between DocPro.com, which was taken and cost thousands of dollars to buy, and a lesser name that cost just a few dollars to register. Then I remembered that Jack Ma paid USD 10,000 for the Alibaba domain name (an astronomical sum at the time and more than half of his net worth back in the 90s), and I figured that the marketing effect from an easy to remember domain name is well worth the money.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
As I am actually a “senior” in the start-up community, my mentors are actually people 10–20 years my junior who are much more technology savvy than me. There was a movie in my generation called “Field of Dreams” and the motto was “Build it and they will come”. DocPro was initially built on this premise with the creation of more than 1,000 commonly used document templates, but the traffic never came. The motto certainly does not work for the internet, with billions of webpages competing for visitors.
I then consulted my next door neighbour at the co-working space, Raymond, who was running a successful online digital marketing agency, and he guided me through the SEO process. Since then, we have been trying to produce the best document templates possible focusing on less competitive keywords, and it is working like magic! Since the launch of our revamped site in April 2020, traffic has been doubling every month, and our COVID related documents have been doing spectacularly well. Raymond has since sold his digital marketing agency and is now my partner in DocPro.
Are you working on any exciting new projects now? How do you think that will help people?
Leveraging the technology developed by DocPro, we are in the process of creating a one stop shop online for people to create a Will, Advance Directives and Enduring Power of Attorney (“Enduring POA”). Having these 3 documents in place can help minimise the stress, financial issues, life or death decisions and disputes which your loved ones may face in times of crisis. The following are some of the positive changes that can be triggered by this service:
1. Ease of Burden — the documents ease the difficulties and distress that may otherwise be suffered by the family members in managing the patient’s affairs and avoid having family members make difficult life and death decisions for the patient in times of crisis.
2. Self Determination — the documents respect the wishes of and allow for an individual to choose the person or persons who will look after the individual’s affairs if he/she becomes incapable of doing so.
3. Reduce Disputes — the documents reduce the number of expensive and potentially distressing court proceedings for the appointment of another person to look after the individual’s affairs / distribution of estate assets.
4. Efficiency — the documents provide an efficient and cost-effective way of administering the individual’s property; and allow professionals to proceed efficiently on the basis of the person’s wishes.
5. Education — Educate the public about the need for these documents.
6. Costs — creating separate Will, Enduring POA and Advance Directives could easily cost thousands of dollars at a law firm. Now people can DIY these documents for free.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
If you are getting bored with something or losing focus, just stop and do something more interesting. As a SaaS company, DocPro is very flexible on when to work and what to work on.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
In the day and age of technology, nothing is more valuable than data. Every day, millions of people willingly exchange their data for services on the internet. It goes without saying that because our data is so valuable, there is a need to have it protected. Data protection is getting more and more important as more and more of our private information is being made available online every day (whether knowingly through social media sharing or inadvertently through using online services or privacy breaches).
Companies around the world are scrambling to comply with GDPR, which stands for General Data Protection Regulation. It was implemented by the European Union (EU) in 2018. GDPR is an individual-centric regulation, where the law protects citizens within the EU by guaranteeing them certain rights relating to their personal data.
The purpose of GDPR is to protect the data of EU citizens and residents. Article 3(2) of the GDPR states that organisations which 1) control and process a large amount of data of citizens within the European Economic Area (EEA); and 2) offer goods and services to citizens within the EEA are liable under the GDPR. This means that the GDPR applies to all EU based entities (businesses and companies) even if the data are being used or stored outside of the EU.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Even if the GDPR does not strictly apply to your company, the 7 principles of GDPR are usually regarded as best practices for companies:
1. Lawfulness, Fairness and Transparency
That personal data should be collected and processed lawfully and fairly. There must be full transparency in the process of collection and processing. This means that you should give transparent notice to your user on what you are going to be using the data for, and use the data legally and fairly (only for the purpose your user has agreed to).
2. Purpose Limitation
That personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. This again relates to using the data fairly. The purpose of using the data should be specific and the use should be limited to the stated purpose. Further processing can only be done if not incompatible with the initial purpose.
3. Data Minimisation
That only the minimum amount of personal data should be collected, in an adequate and relevant manner. The personal data should be limited to what is necessary for the purposes for which they are processed. Similar to the limitation of purpose, you should limit yourself to collecting the minimum amount of personal data required for your purpose. You may need to create a data minimisation policy to justify that the amount of data collected is adequate and relevant.
4. Accuracy
That personal data which is stored should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. If you are not keeping, or it is not necessary to keep, your database up to date, you should delete outdated and inaccurate data promptly.
5. Storage Limitation
That personal data is only kept for a limited amount of time and in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals. You should set a policy on the period of storage of personal data and justify such time limit with proper documentation, in particular if the data need to be archived in the interest of the public, science or research.
6. Integrity and Confidentiality
That personal data should be kept securely and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. You will need to implement protective security measures such as anonymisation or pseudonymisation systems to protect the identity of your data subjects.
7. Accountability
That accountability and compliance should be ensured and that GDPR policies should be followed by the controller. You are responsible for, and must be able to demonstrate, compliance with GDPR. That is why you should have a suite of privacy, data protection and cookie policies. You should also justify all your data protection measures and document them in writing.
These seven principles form the basis and rationale for most laws within the GDPR and are fast becoming the universal data protection principles internationally. So when in doubt, it is advisable to follow the seven principles in making decisions regarding data protection.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Consumers provide personal information and other private data to different organisations whilst using the internet when they register. Even if they have not registered, most websites have cookies to track the behaviours of consumers. These data, while essential to use and operate the internet, serve a wholly different purpose for organisations. Upon gathering data, organisations can analyse and interpret it to form information which they can then use for different things. Some organisations may tailor their services to the user based on their information, others may sell targeted advertisements, and some organisations may even sell this information and data to third parties. These strategies are ultimately how organisations gain traction, maintain user satisfaction, and even make a profit.
In the past, most websites made it mandatory for consumers to accept all terms and conditions and privacy policies before being allowed to use their service. These terms are obviously very one-sided with little privacy protections for the consumers.
The GDPR gives some of these rights back to the consumers through the following:
1. Right to Access
Consumers have the right to request access to their personal information and any supplementary information from any organisation that is holding the information.
2. Right to Amend Data
Consumers can request for their information to be amended or updated if it is inaccurate.
3. Right to be Deleted / Forgotten
Consumers can request for their information to be deleted or removed upon the withdrawal of consent, or where the data is no longer relevant or accurate.
4. Right to Portability
Consumers can request for their personal information to be provided to them, and have them transferred to another provider.
5. Explicit Marketing Consent
Consumers who signed up to websites before GDPR were frequently spammed by marketing emails. GDPR requires explicit marketing consents by consumers (usually through an unchecked checkbox during registration) for the consumers to be sent marketing materials. The consent must be written in plain language and a lack of response by consumers does not indicate consent.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
We largely follow the GDPR in our policy on data retention and the length of retention. The following are the important policies:
1. Controllers and Processors
The GDPR refers to organisations as either “controllers” or “processors”. Controllers refer to organisations which collect data, and processors refer to organisations which process data on behalf of the controller. Simply put, if you collect and/or process data of citizens in the European Union in a commercial capacity, rather than an individual capacity, the GDPR applies to you.
2. Definition of Personal Data
One thing to note is the definition of personal data under the GDPR. Rather than the traditional “personally identifiable information” definition, it has famously adopted a broader approach in order to protect European Economic Area citizens. Personally identifiable information refers to data which can be traced back to a particular person, such as their name, social security number, or their email. Under the GDPR, aside from the above “direct” information, indirect information is also protected. This includes their IP address, any cultural or political identifiers and opinions, and even what time they come into work. Generally, as long as a person can be either directly or indirectly identified with the data given, it is protected under the GDPR. Do note that the GDPR only applies to natural persons and not legal persons. This means that you may collect data of a corporation in the European Economic Area without compliance with the GDPR. However, you may not do the same for a person in the European Economic Area.
3. When Data Can Be Processed
When discussing data processing under the GDPR, there are a total of six lawful reasons for which you may process data. Personal data can only be processed if:
- The data subject (owner of the data) has given informed consent to have their data processed;
- The data is processed to fulfil contractual obligations, or on the request of the data subject in order to enter into a contract;
- The data is needed to comply with the legal obligations of the controller;
- The data is needed to protect the vital interests of the data subject or any other individual;
- The data is needed to perform tasks in the public interest; or,
- The data is processed for the legitimate interests of the data controller or a third party.
It is important to note that if you seek the informed consent of the data subject, the consent must be explicit. The data user must know specifically how their data is to be collected and used and agree to the collection and processing of their data. The data user must also be allowed to withdraw their consent at any time. As such, not allowing a user to use the service if they do not agree to have their data collected and processed may be a violation under the GDPR. Having an opt-out structure to seek the consent of users as well as bundling different forms of collection as one general collection would also violate GDPR regulations.
4. Rights of Data Subjects
As stated previously, the GDPR offers a multitude of rights to European Economic Area citizens regarding their data privacy.
5. Right of Access
One such right is the right of access. It means that the data user should be allowed access, upon their request, to their own data, how it is being processed, with whom the data is being shared, and how the data was acquired. Their data must also be in a “transferable format”. This means that the data user must receive their data in a structured format which is clear and readable, and in a common electronic format. Thus, if a European Economic Area customer requests to look at all the information you have been storing on them, the request must be complied with. The data must also be delivered clearly and in a readable manner instead of providing raw data or encrypted data.
6. Right of Erasure
A right which is relatively unique and new to the data protection world is the right of erasure, which is similar to the right to be forgotten, but more limited. It allows the data user to request that their data be deleted within 30 days after the request is submitted. This means that if a European Economic Area citizen wishes for their information to be erased from your database, the request must be complied with and their data and information must be removed.
7. Duties of Controllers and Processors
The GDPR simultaneously places several duties on controllers and processors.
First of all, under the GDPR, pseudonymization is required for all stored data. The goal of this is that if there is a data breach, the data that is compromised cannot be linked back to a specific individual due to the process that was taken to make the data pseudonymous. This can be done through methods such as encryption or tokenisation.
Interestingly, the GDPR requires that data protection be a part of the business process. As such, any security measures to protect data must be at a high level. In the event of a data breach, data controllers and processors are required under the GDPR to notify relevant authorities within 72 hours. Generally, if there is a high risk of an adverse impact, the individual data subjects must also be notified. However, no notification is needed if the data is sufficiently protected such that the data is unreadable.
10. Data Protection Officer
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
In addition to the GDPR, the California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
In addition, countries from around the world are implementing similar regulations. So the principles of GDPR will become the norm, and not the exception, around the world.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
We have developed our tools internally and not used any online tools from outside.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
No, we have been largely compliant with GDPR.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Comply with GDPR principles as best practices even when you are not based in the EU.
- Personally identifiable information refers to data which can be traced back to a particular person, such as their name, social security number, or their email.
- Remember the six lawful reasons for which you may process data.
- You need to inform your data subjects of the use of the data and give them the right to access and the right of erasure.
- You must have security measures in place to protect personal data at a high level.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Take care of your personal data. Do not give away your data online easily. Raising awareness of the importance of protecting your personal data is of enormous importance as you will never know how they will be used.
How can our readers further follow your work online?
You can sign up to DocPro.com and read our latest news on:
You can also follow us on the following social media:
This was very inspiring and informative. Thank you so much for the time you spent with this interview!