SBA


GDPR

In April 2016 I wrote here that the new EU General Data Protection Regulation (GDPR) had finally been passed into EU law and that organisations would have two years to comply. Many organisations failed to start work on GDPR immediately, which is a shame because they are now having to rush.

On the upside, what needs to be done is a bit clearer - EU, UK and IoM Information Commissioners have published lots of useful guidance, as have lawyers and consultants hoping to cash in on the GDPR bonanza. The UK Information Commissioner has recently been proactive in attempting to dispel myths about the complexity and business cost of GDPR, and about the status of GDPR in the context of Brexit. The IoM Information Commissioner has confirmed the Isle of Man’s intention to implement GDPR-equivalent legislation by 25th May 2018 - which is the date that the GDPR comes into force across the EU (including the UK). So we all know where we stand - right?

Probably not. I want to cover off a few pointers, drawn from my own modest experience going back to 1982, when I first read in one of the UK IT industry newspapers of the UK’s plans to introduce legislation to implement the Council of Europe’s (COE) Treaty 108, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”. The new UK law became the Data Protection Act 1984, duly repealed and replaced by the UK Data Protection Act 1998 (and the Isle of Man Data Protection Act 2002). But UK and IoM law reflected our own culture and context; it was poorly aligned with European intent and is a poor basis for understanding what GDPR is about.

The whole thrust of COE Treaty 108 was driven by the Germans. Basically, you can trace European data protection law back to the crimes of the Nazis. In the late 1950s, well within the memories of the wartime residents of Germany, computing started to take off. By 1963 the UK Prime Minister, Harold Wilson, was speaking of the economic and social advances to be made through the “White Heat of Technology”. The new technology was big news, and the potential for government abuse of automated processing of personal data to profile people justifiably frightened those Europeans who had lived through the Nazi regime and the jackboots of the Gestapo. They sought protection from state processing of personal data about race, religion, employment, income, political allegiances etc. The world’s first data protection act was adopted in the German state of Hessen in 1970, and the German Federal Data Protection Act applying to all of “West” Germany was passed in 1977. COE Treaty 108 was ratified by most EEC countries in 1981 and came into effect in 1985. The UK Data Protection Act 1984 was passed to achieve compliance with COE Treaty 108.

Pointer #1, then: the primary purpose of EU data protection law was to prevent automated monitoring and profiling (decision-making) of individuals, to their potential detriment, by “authorities” - whether those authorities were businesses, employers, or regional or national governments - and it still is. Governments across Europe, including the UK (and the IoM), did their best to water down the implications of this purpose for their “legitimate” activities, and most of the legal exemptions in place are designed to allow governments to keep records of, and enforce laws and taxes upon, their citizens.

Pointer #2: aside from updates necessary due to the emergence of new technologies and greater computing power, the purpose of replacing national data protection laws with GDPR is to achieve harmonisation, with a single law and a consistent adjudication process applicable to the personal data of all EU residents, so as to prevent national regulatory arbitrage and deviation. Thus the GDPR “regulator” is essentially the European Data Protection Board (EDPB); the old national regulators, whether UK, Irish, French et al., will basically become the local agents of the EDPB. Technically it can be argued that the UK Data Protection Act 1998, and by implication the Isle of Man Data Protection Act 2002, did not comply with the intent of the EU Data Protection Directive which preceded GDPR (fortunately for businesses, I think the most serious UK non-compliances were in the exemptions for government purposes).

Pointer #3: while the new UK Information Commissioner, Elizabeth Denham (a Canadian), may claim that compliance with GDPR is a relatively modest upgrade from the previous data protection regime, she is only half right. Any approach that treats GDPR as “Data Protection Act Plus” is probably flawed and risks being non-compliant. More to the point, the probability of any large UK or IoM organisation actually being fully compliant with the old Data Protection Act(s) is very low - so when designing your GDPR compliance you should ideally take a clean-sheet approach.

Pointer #4: the single biggest data protection compliance failure of most organisations is, in my opinion, that at an institutional / directorial level they don’t actually know precisely what personal data they hold, or why or how they use it. The second biggest failure is keeping this stuff (which they don’t know they have) when they no longer “need” it. As the new GDPR requires “Accountability”, and organisations cannot account for the gathering, retention and processing of data they don’t realise they have, the starting point for all organisations should be a ground-up audit of all personal data held, the purposes for which they use this data, and the evidence of the data subject’s consent to the organisation holding and processing this data for the specified purposes.

Pointer #5: The UK Information Commissioner, in her myth-busting blog “GDPR – sorting the fact from the fiction”, has denied that “The biggest threat to organisations from the GDPR is massive fines”.

She missed the point, as regulators so often do. GDPR is already costing organisations a huge amount - far greater than the sum total of the fines which might ever be imposed - because whereas only a tiny minority of organisations will ever be fined for data protection breaches, all organisations are having to audit, and put in place new GDPR “accountability” compliance documentation and processes for, all personal data they hold. This is hugely expensive, and compliance is driven by the potential for massive fines: the risk of an organisation being fined for a data breach is very, very low, but the scale of fines is so high that every organisation must evidence compliance “just in case”. So pointer #5 is: do your personal data audit, clean out all personal data you don’t actually need, and prepare your compliance documentation. Irrespective of the organisation’s or the data subject’s other interests, this is probably more important to organisations than spending a fortune on cyber security to prevent a breach.

Pointer #6: this huge data audit and compliance process is not a one-off cost; organisations and their customers are going to be paying for it forever. GDPR says:

“In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.” 

So you need to treat GDPR evidence as an ongoing compliance burden. Failure to maintain evidence showing compliance is of itself a de facto breach of GDPR.

Pointer #7, and finally, leads on from Pointer #6. The UK Information Commissioner, in her keynote speech titled ‘Challenge the Past. Set the agenda’ at the UK Archivists and Records Association Annual Conference last month, said, apropos of a particular UK government data protection investigation:

“Duty to document … d2d in street parlance.

The duty to create records in appropriate circumstances, often called the “duty to document” has been on information managers’ and regulators’ minds for a decade or more.

I am talking about a positive duty in law to create records of significant decisions, actions and events. That means records explaining and providing context to why a specific course of action was taken. 

Minutes of important meetings, decisions, that led to policy change and new initiatives.

D2d is fundamental to the process of information management and eventual archival preservation.

Proper documentation, retention and accessibility also nurture reputation and trust.” 

Historically the IT industry has not designed data processing systems to keep detailed records of why we store specific data, or of why or how we have changed or maintained that data or processed it to make automated decisions. Most big off-the-shelf enterprise software packages - CRM, ERP, Financials, Sales Order Processing etc. - are a bit rubbish at keeping audit logs, and most hold data which may be classed as “personal data” under the scope of GDPR. If Elizabeth Denham’s words above on the duty to document reflect the mindset and expectations of a majority of European data regulators, then we will all be looking at a very new, and challenging, agenda for data accountability as GDPR matures.