At election time, surveillance and anti-terrorism are quite rightly high on the political agenda. The EU Data Protection Regulation (GDPR) is not. However, for readers of this IRM blog, the GDPR is much more significant than the workings of the police, MI5, MI6, GCHQ and indeed, the NSA, the FBI and the CIA, in that it will affect the way that your organisation collects and uses personal data. The result of the 8 June election in the UK will make no difference to your new and heavier legal duties.
Chief Executive, Privacy Laws & Business
There is now less than a year until 25 May 2018, when the GDPR will apply across the European Economic Area and, yes, it will apply in the UK regardless of the Brexit negotiations, as the government has confirmed. It could also apply far beyond March 2019, as among the hundreds of subjects on which the government must negotiate, data protection law will not be in the first group. In any event, all parties agree that the UK must continue an active trading relationship with the rest of Europe and wherever there are goods and services, personal data accompanies them.
The ICO’s Regulatory Role
A constant in this legal environment is the Information Commissioner’s Office which, since July last year, has been headed by Elizabeth Denham. She was formerly Information and Privacy Commissioner, British Columbia, Canada and Assistant Privacy Commissioner at the national level in Canada. Not only is this the first time in the world that a foreign national has been appointed as head of a national Data Protection Authority, but she is also the best qualified and most experienced Commissioner to have taken this post in the UK.
She marked 25 May last week, exactly a year before the GDPR enters into force, by a whirlwind of activity:
1. A 5-minute video to all company boards about their responsibilities under the GDPR’s accountability principle https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/05/businesses-warned-to-prepare-with-one-year-until-data-protection-law-change/
2. Launch of her new Information Rights Strategic Plan 2017 – 2021. She explains: “Consumers aren’t concerned about the details of the GDPR, or what legislation might follow it. They’re asking questions such as: “Is my data properly protected? Who’s holding organisations to account? What privacy rights do I have? … These interesting times are a powerful opportunity to demonstrate our relevance by having a positive and direct impact on public trust … It’s not about paperwork, or policies, or procedures. It’s about how we make the work we do … make a difference to the trust people have in what happens to their personal data.” https://iconewsblog.wordpress.com/2017/05/25/interesting-times-and-how-we-navigate-them/
3. A reminder of a valuable self-assessment toolkit on the ICO’s website: “Getting ready for the GDPR” https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr/
Your action plan
What emerged from Privacy Laws & Business’s exchange of peer group experience? At Help! Roundtable: Reviewing Progress (hosted by Google in London in March), it was clear that top management determines whether the rights-based data protection principles are either achieved by design or defeated by neglect. There is always a need for cooperation between different parts of a team. You will need one person to interpret the law in a way which makes sense for your specific organisation, and another person to be the project manager who makes things happen. These roles can be combined, but it is normal for a person to excel at either the legal end or the project manager end of the spectrum. Project managers play a vital role, such as ensuring that audits and training happen on time. Data Protection Authorities will seek evidence of these actions if (or when) you suffer a data breach or hard-hitting complaints which you do not resolve yourself.
The PL&B Recruitment Service is being used by an increasing number of companies to find specialist managers and lawyers. Finding the right person depends on a clear understanding of the role you want the person to fill – www.privacylaws.com/Recruitment/
At PL&B’s Retailing and the GDPR Conference, held in co-operation with DWF in London on 4 May, we covered both online and offline shopping. The participants found the parallel roundtable discussions on consent and profiling stimulating and useful; the principles apply to all sectors.
The consent session group agreed that companies should avoid over-reliance on consent and should build the case for making legitimate interests their legal basis for processing personal data. Under the GDPR, organisations need to establish the legal basis in each case, document it and have this evidence available for the Data Protection Authority in case of an audit. Documentation is also needed to satisfy the GDPR’s accountability requirements. The UK ICO’s fining of FlyBe and Honda Motors in March www.privacylaws.com/Publications/enews/UK-E-news/Dates/20171/3/Flybe-and-Honda-fined-for-not-respecting-marketing-opt-outs/ has caused some confusion, as it is not clear how organisations can send service messages without fear that they will be interpreted as marketing messages.
The profiling session group noted that a piece of data which allows you to treat an individual differently from others, even if it appears to be completely anonymous, is personally identifiable information. Evidence suggests that the marketing spend on micro-targeting (which involves using social listening – scraping information from social media – to profile and target marketing to specific individuals) is increasing significantly. The ICO is currently addressing this marketing technique in both its political and its commercial contexts.
Wickes is guided by a moral compass
Matthew Gaunt, Marketing Director, Wickes (the large UK-based home improvements retailer), was exceptionally positive about the GDPR when speaking at our retailing conference. He said that the GDPR gives precise rules to help him manage appropriate marketing for his company’s different market segments. He is constantly being invited to spend his advertising budget on increasingly intrusive social media companies, sometimes partnering with popular apps. He said that in these situations it is his duty to protect the company’s reputation by consciously following a path guided by a moral compass and declining certain offers where the links between the marketing partners were opaque to the customers.
PL&B’s 30th Anniversary International Conference
See the programme for Promoting Privacy with Innovation, PL&B’s 30th Anniversary International Conference 3-5 July at St. John’s College, Cambridge at http://www.privacylaws.com/ac30 where you can also see a 3 minute conference video with an introduction by Elizabeth Denham. Sessions will show how the apparent car crash between innovation and privacy does not need to be a disaster. This conference seeks willingness on both sides to connect with each other in a civilised manner and to find solutions. At one end of the spectrum, innovation can be the enemy of privacy and at the other end, innovation can be an enabler. This conference will address how to ensure that the golden age of innovation does not become the dark age of information privacy.
In Cambridge, we will welcome as speakers the heads of the national Data Protection Authorities of the United Kingdom, Spain and Ireland, senior staff from DPAs in Germany and Hong Kong, the European Data Protection Supervisor, the European Commission, and many companies and their legal advisors: a total of almost 50 speakers and chairpersons from 15 countries. The PL&B team looks forward to meeting you in Cambridge in 5 weeks from now.
Stewart Dresner has written on data protection/privacy and freedom of information since 1975 when he initiated a research project on this subject at the UK Consumers Association. He established Privacy Laws & Business in 1987. Its first service was the Privacy Laws & Business International Newsletter which has now developed to become the hub of a comprehensive global information service, currently on 120+ countries. Privacy Laws & Business services include consulting, conferences, training, recruitment, the Privacy Laws & Business UK Report (which also covers the Freedom of Information Act), and the Privacy Officers Network. Privacy Laws & Business has clients in over 50 countries. Stewart has spoken on data protection/privacy law at conferences in around 20 countries. The Privacy Laws & Business website, www.privacylaws.com provides details of the firm’s services and links to privacy information worldwide.
Copyright Stewart Dresner, Chief Executive, Privacy Laws & Business