GDPR Six months on – an initial appraisal
As readers will no doubt be aware, the General Data Protection Regulation (GDPR) has applied from 25 May 2018. Six months on, Daradjeet Jagpal carries out an initial appraisal of four key aspects of the GDPR and provides his thoughts on what lies ahead.
At the nucleus of the GDPR are the concepts of transparency and accountability.
Transparency requires organisations to be open and upfront with individuals by informing them of what personal data is handled by the organisation, what it will be used for and who it will be shared with (amongst other things).
Accountability is about organisations having an effective information governance framework in place, which demonstrates their compliance with the GDPR to the outside world via appropriate staff training, policies and other documentation.
Both these concepts appeared to be the key priorities for all organisations in the run up to GDPR day, and individuals were bombarded with “privacy notices”, “privacy policies” and “data protection statements” (I personally prefer to call them “transparency statements” because that sits better with the GDPR concept of transparency) from most, if not all, of the organisations that had ever handled and used their personal data. These transparency statements generally assumed a similar format, with some being based on templates developed by sector specific membership bodies.
Some poor drafting aside, I consider that this compliance element has been accomplished with success across the board. Individuals are generally more informed of what personal data organisations hold on them, why and where it goes.
However, the desire to “keep up with the Joneses” and to perhaps keep public relations sweet means that the shelf-life of these transparency statements will be shorter than the average mobile telephone. This is because in the rush to get ready for GDPR day, some organisations chose to rely on the comparatively easy route of template documentation or to “copy and paste” what other organisations were doing.
While I am not opposed to the use of template documents and do not believe in unnecessarily reinventing the wheel – indeed, I have developed my own templates, based on my knowledge, understanding and experience of working with specific sectors over the years – there needs to be a recognition that one size does not fit all and such documents are rarely interchangeable between, among or even within sectors.
A good transparency statement will emanate from a detailed data mapping exercise and audit of personal data handled and used by an organisation undertaken on either a systematic or functional basis. In other words, like the discipline of mathematics, the result requires underlying background workings to be able to evidence how the answer was arrived at.
My concern is that should the Information Commissioner’s Office (ICO) ever have cause to investigate the organisations using templates or the work of others, what would they be able to produce by way of background workings against every claim made in the transparency statement? I am already receiving enquiries from organisations, who have adopted this approach and are concerned that what they have in place now is no longer fit for purpose – if it ever was in the first place, that is.
For this reason, I believe that version 2.0 of some of the transparency statements that were issued in May 2018 is forthcoming soon.
The GDPR heralded in a new era in the information rights sphere, reinforcing pre-existing rights to access and rectify personal data and introducing new rights to have personal data erased and ported over from one organisation to another. There are also enhanced and new rights in relation to automated decision making and profiling, respectively.
The initial fear post GDPR day was that the floodgates would open to rights requests (as was the case with freedom of information) and that organisations would have to battle with an overflowing inbox of requests, exercising new-fangled rights that would need to be diagnosed appropriately (believe me, it is not always easy to distinguish an access request from a portability request on the face of it).
The reality is that there has been a slight increase in rights requests, particularly in relation to access (due mainly to the removal of the £10 fee – in most cases) and erasure, which is normally the afterbirth of an access request, but it is still very much business as usual. This is at odds with the increased transparency that the GDPR has brought about regarding individual rights. Surely, if individuals know what their rights are, and it costs nothing to use them, they will be more inclined to exercise them? The raison d’être of this is that individuals have perhaps not had the time to review the numerous transparency statements that they received in the lead up to GDPR day. I must confess that I have not either.
It appears that while individuals are better informed on paper, they are not better informed in fact. A “spring clean” of e-mail inboxes during the festive break might lead to more transparency statements being read and a small influx of requests during January 2019, but the forecast of a flood may only amount to a continuous trickle at best.
There has been an increase in the number of data security breach notifications to the ICO since GDPR day. This can be attributed to the new GDPR breach reporting requirements, which necessitate certain breaches to be reported to the ICO (and in serious cases, to affected individuals) in restricted timescales.
But I also believe that a reason for this increase is that some organisations have become overly “trigger happy” and feel the need to report to the ICO in all cases, irrespective of whether there has been a breach and the materiality of it. Indeed, even the ICO has noted that some organisations are reporting minor incidents, wrongly classifying them as reportable breaches under the GDPR.
Organisations need to draw a line between an incident on the one hand, and a breach on the other. Captured early and addressed appropriately, a data security incident need not escalate to the level of a data security breach. Even if it does, many such breaches can be contained timeously to avoid the need to report to the ICO. The requisite threshold need not be surpassed.
In my experience, the genesis of many data security incidents is human error. After all, it is the individual inputting the e-mail address into the “to” field in a Microsoft Outlook message who sends it to the incorrect e-mail recipient, not Microsoft Outlook itself. To this end, the value of effective staff training, particularly in data security, cannot be underestimated. Staff should be provided with the tools to be able to recognise incidents as early as possible and be encouraged to inform the responsible officer as a matter of urgency. A supporting data security breach management procedure can also be useful in ensuring that the procedure to be followed is defined and made clear to staff and is consistent in approach.
The period leading up to GDPR day brought with it scaremongering, consisting of headlines centred around the high financial penalties for organisations that failed to comply with the GDPR’s apparently more stricter requirements.
These fantastic claims have not subsequently borne fruit, as the ICO has not yet fined an organisation for a GDPR breach (the first GDPR enforcement notice was only issued in July 2018), having a considerable backlog of Data Protection Act 1998 complaints to deal with first. A certain social media platform has also kept the ICO busy.
My personal experience of engaging with the ICO on behalf of clients is that the ICO is a reasonable regulator, who is more focused on putting “right” the “wrong” than engaging in the meaningless penalisation of organisations, provided, of course, than the organisations are willing to co-operate with the ICO during investigations and do what is necessary to comply.
It is estimated that the number of complaints received by the ICO has doubled since GDPR day, but not all of these will automatically lead to fines. Although a lackadaisical attitude towards compliance is not to be condoned and will not be viewed favourably, the prospect of fines – and their scale – must not, at the same time, be blown out of all proportion.
What lies ahead for the GDPR?
As the ICO put it earlier this year, GDPR day was “not the end”, but “the beginning [of] a long haul journey [and] its going to be an interesting ride.” The GDPR will not disappear, and like any other regulatory and compliance law, the relevant requirements must be met on an ongoing basis by organisations.
Six months later, there is still much GDPR work left to do and plenty of organisations are recruiting for data protection officers. GDPR day was widely viewed as the target date to have all the necessary external documentation in place, and the time since then has been used to work on the necessary internal policies, procedures and controls. Data processors are still being chased for signed contract “addendums”; data protection impact assessments are being undertaken for new technologies and projects that impact on individual privacy; and the “data cleanse” following on from the adoption of new data retention policies remains ongoing. The unremitting natural propensity of the human to err means that data security incidents will continue. New matters will always come out of the woodwork, existing transparency statements will need to be reviewed and there will never be a dull moment for a data protection adviser or officer. Acting as the data protection adviser or officer to a number of client organisations, I can confidently say that no given day is quite like the other.
Brexit has also put its own pressures on data protection law, and the Withdrawal Agreement contains specific provisions on what will happen once the UK leaves the EU. As part of this, the GDPR will continue to apply in the UK until it is regarded as an “adequate” destination for EU personal data in terms of the GDPR. A decision on this is expected before the end of 2020.
The long and short of it is that the GDPR is here to stay and will not go away any time soon!
Daradjeet Jagpal is legal consultant and director of Information Law Solutions, an independent consultancy providing advisory, training and audit services in Data Protection and Freedom of Information