I’m conscious I seem to have been inundating this blog on the subject of data protection. I promise to move on soon but I’m at least heartened that there’s a well-defined market for my posts: insomniac lawyers. With the advent of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) around the corner, data protection is making its steady climb towards the top of the charts of the things keeping in-house counsel awake at night.
So, for my last instalment for now, I wanted to share with you some key messages from Practical Law’s fifth annual Future of Data Protection Forum last week.
Matthew Hancock MP, the Minister of State for Digital and Culture, spoke of the UK government’s commitment to privacy in the post-Brexit world. Jonathan Bamford, Head of Strategic Liaison at the Information Commissioner’s Office (ICO), provided plenty of reassurance that the ICO will continue its pragmatic and supportive role with further guidance on Big Data, consent, profiling, contracts and liabilities, and children and privacy on their way.
Last week’s blog post provides a little more depth on Mr Hancock’s and Mr Bamford’s key points.
But there was also a large distinguished panel of privacy industry experts grappling primarily with the big issue of our time, GDPR, which provoked some lively discussions in and around the conference floor. Here are the key takeaways:
1. A “perfect storm” of change: GDPR and May 2018 are looming and businesses should now be in the process of significantly reshaping and enhancing their privacy compliance programmes. In spite of ministerial assurances, Brexit undoubtedly casts some uncertainty on the UK’s future role in shaping the regulatory landscape.
At the same time, we are living in an era of unprecedented technological innovation, with artificial intelligence already with us in many spheres of our working and private lives. Designing this tech with privacy in mind will be a recurring challenge.
2. Operationalising GDPR compliance will take “a lot of work and a lot of time”: If it is not already near the top of the pile for allocating resources, it should be. Designing a compliance programme should mean prioritising activities based on risk and exposure. For example, a war-gamed tabletop plan for dealing with data breach events is a priority.
3. “Know where your data is”: In order to plan strategies for future compliance, a thorough audit of the personal data you are holding, the legal basis on which it is held, and how it flows around is essential. Poke holes in the map you produce and design a new map that is compliant but minimises disruption to the business and the data processed.
4. Accountability: This is not only the job of the data protection officer, compliance officer or legal counsel. All areas of the business need to own privacy compliance. Champions should be identified across the business but all employees will need some level of awareness.
It is also vital to look outside the organisation – accountability also rests with suppliers, clients and so on throughout the supply chain.
5. Privacy AND innovation: The new world means privacy impact assessments, privacy by design and privacy by default are the new normal. The business needs to be designing its products within the new model as soon as possible.
6. The complementary relationship between privacy and cyber security: Mr Hancock and Mr Bamford both emphasised the importance of treating these two vast fields in a joined-up way.
7. “Do not expect to do this alone”: Facilitating the above is much easier said than done. Executive level support, including appropriate investment, is essential. The legal and compliance team should be part of a much wider project team involving, amongst others, IT security experts, project managers and trusted champions across business functions.