I attended Thomson Reuters’ annual Data, Privacy and Cyber-Resilience Forum last week. This year’s event marked a real contrast to the 2017 edition which was focused on getting ready for the 25 May implementation deadline for the General Data Protection Regulation (GDPR).
With us now approaching six months since the GDPR and Data Protection Act 2018 came into effect, the sense was the world had moved on quickly. Recurring themes throughout the day were “maturing the model” and “privacy as the new normal”. Inevitably, Brexit reared its head too.
The “B word”
The keynote was given by Kevin Adams of DCMS who gave an upbeat assessment of the UK’s data protection posture as it sets out to leave the EU on 29 March 2019. Adams’ optimism about a quick post-Brexit EU adequacy decision for the UK rests on:
- The UK’s good laws, especially the GDPR and DPA 2018 aligning the UK with the EU to an unprecedented level.
- The fact that these laws are implemented fully, well communicated to and understood by the public, and enforced fairly.
- The UK’s deeply-ingrained cultural respect for privacy.
Adams also pointed to the recent election of Information Commissioner, Elizabeth Denham, to chair of the ICDPPC as well as the UN Rapporteur on Privacy, Joe Cannataci’s praise for the UK’s recent improvements to its system of oversight of its intelligence services, leading him to say the “UK jointly leads Europe and world on privacy”.
Others shared this positive outlook with Roxanne Morison of the CBI confident that work behind the scenes by civil servants, politicians and businesses will pave the way for an adequacy deal. Interim compliance measures to be taken by businesses including use of model clauses were talked of as a short term hassle but not the end of the world (see Papering over the cracks: preparing for Brexit’s impacts on data protection).
Maturing the model
A key challenge discussed throughout the day is avoiding the “we’ve done privacy now” trap following 25 May, keeping privacy at the top of the corporate agenda and further improving its governance. Key suggestions:
- Reinforce the message internally that ICO enforcement has certainly begun and the scale of potential fines.
- Focus minds with an “expect the unexpected” mantra. For example, the recent Morrisons case opens the door for class actions on a big scale.
- Make quality data a positive, monetising it where possible.
- Continue the GDPR working group’s work and ensure top level engagement.
- Have a vision and present requirements as “actions”. Very often the business wants to be told what to do.
- Focus on the harder tasks, such as data retention to comply with data minimisation / storage limitation requirements. GDPR readiness programmes tended to focus on low hanging fruit.
Globalising the programme
A breakout panel discussed the proliferation of new privacy laws across the world and discussed ways of leveraging the hard work preparing for the GDPR. While the GDPR is in many ways the global benchmark, it is not as straightforward as rolling out GDPR-aligned policies and procedures globally. Data subject rights vary especially widely by regime, for instance.
Panellists had found it essential to establish common global privacy principles, building on the likes of Convention 108 and the OECD principles, allowing local risk-assessed room for manoeuvre. It was felt the GDPR, however, does offer excellent principles in key areas: accountability (Article 5) and security (Article 24), which should ideally be absorbed into any global programme.
In terms of getting buy-in globally, one speaker spoke of the value of leveraging the existing corporate compliance programme as well as translating abstract data risk concepts to approaches and terminology more familiar to the business; for example, HSE in the construction sector.
E-Privacy Regulation
Whilst we’re still at fourth draft stage, panellists expressed their concern with the way things are shaping up. Of particular concern is the focus on consent and effective removal of legitimate interest, a key feature of the GDPR (equating to the “soft opt-in” under PECR), as a safety net for businesses. Perhaps the post-Brexit UK will have room to water down some of the more onerous provisions?
Breach reporting
Whilst the number of Google searches for “GDPR” reached a high peak around 25 May and has since sharply declined, the equivalent for “data breach compensation” is trending upwards. People still care about the GDPR but with a different emphasis, insights which began an interactive session on breach reporting.
Simply sending an email to the wrong person may be a breach and all breaches should be recorded internally. Reporting to the ICO and data subjects within the 72 hours permitted is a complex equation (see our practice note).
Key learnings from the workshop:
- We still operate in a vacuum with no case law and limited guidance on breach reporting.
- This necessitates the promoting of ethics – a “do the right thing” culture.
- Having an audit trail recording how a decision to report or not report is arrived at is essential.
- Establish the facts carefully with a multi-disciplinary team before deciding to report but be prepared to act quickly to mitigate damage to data subjects.
The importance of transparency
We focused on the privacy policy with the panellists highlighting the need to explain to data subjects clearly what it is you are trying to achieve. Rapidly emerging technology such as biotech (allowing machines to understand, profile and act on human behaviour) underlines the need for careful language to meet the GDPR’s transparency principle.
One of the panellists introduced a simple transparency test question: “Are you comfortable explaining to the data subject exactly how and why their data is used?”. If it’s too hard to explain, try harder. If you’re not sure the data subject would be comfortable, don’t do it!
Tech, privacy and ethics
The audience was filled with a measure of both excitement and fear as Adam Green of Equiniti talked us through some recent tech developments that raise big questions for privacy professionals. Among these are the role of biometric profiling in law enforcement. In the UK, Westminster City Council and others are already trialling facial recognition technology. Other developments covered included:
- Skydio, a self-flying personal camera designed to take the perfect selfie.
- The internet of things as part of smart city developments in China and elsewhere.
- Affectiva, which claims to offer human “Emotion as a Service”.
- Cayla, a kids’ talking doll whose software could be hacked, posing a security risk and allowing personal data to be revealed.
Speakers throughout the day urged businesses to engage with these big issues and the ICO’s regulatory sandbox provides one such opportunity.
Peter Brown of the ICO left us with a reassuring message about the regulator’s role at the forefront of tech and cyber regulation in the UK and as a leader internationally. He highlighted in particular:
- The Information Rights Strategic Plan 2017-2021, especially Goal 4 (keeping abreast of evolving technology) and Goal 6 (effective regulation on cyber-related privacy issues).
- The Tech Strategy 2018-2021 which lists cyber security as its priority area #1.
- Close liaison between the ICO and the National Cyber Security Centre in fleshing out what “appropriate technical and organisational measures” means in the context of cyber security.
- Hot off the press updates to the ICO’s Guide to the GDPR on encryption and passwords.