So now we know. The populace have had their say, and what they have said is ~~we hate foreigners more than we like having jobs and houses~~ we’re going to leave the EU. It’s a fool’s errand to predict with any certainty what kind of settlement we’re going to achieve with the EU (if any), and in any case, the world and his dog have already tried.
To write about Data Protection when the UK is going to break apart and a substantial portion of the population thinks we’re about to put hard working Poles into internment camps for deportation is probably an immense exercise in missing the point. But I’ve got a fiddle and I can smell burning, so fuck it. Very little about the referendum campaign has been edifying, but one of the irritating undercurrents in the Data Protection world is the unceasing refrain that even if we leave the EU, the General Data Protection Regulation is inevitable, without ever explaining how.
As it happens, I agree – I think sooner or later, the GDPR will replace the DPA. However, it is impossible to say when. It might be later. Nobody knows how the GDPR will land for organisations that process data solely in the UK. At least one influential politician (OK, I’m exaggerating, it’s Daniel Hannan) has said we’ll be opting out altogether so that pricks with man-buns in Hoxton can lose money making apps. I went to Hoxton this week and I saw six cowboy hats in 15 minutes and a “business incubator” with table football in the reception, SO ALL OF MY PREJUDICES ARE JUSTIFIED.
I suspect that the GDPR will come mainly because those large international businesses who will continue to trade with the EU will end up having to comply with the GDPR in Europe and the DPA at home, and they will moan about this so loudly and influentially that the Government will acquiesce and bring the GDPR in for the rest of us. I have no evidence for this – I’m guessing. Nobody knows anything for sure. The ICO have been merrily tweeting a succession of ‘Get Ready for GDPR’ messages, but they don’t have a clue how this works now. The collective certainty that we know the destination isn’t remotely the same as certainty on how we get there, how long the journey will take, or whether we will need sandwiches*.
Of course, Scotland will presumably be re-joining the EU fairly soon, but I imagine the second Indy referendum will take a bit of organising first (it’s been lovely to have you, Scotland, thanks for all the haggis, and can we talk about me having a passport when you’ve got the paperwork sorted?). For the rest of the UK, it’s entirely possible that GDPR will be sorted quickly but this assumes that anyone in government has a clue what we’re doing now. The Tories may decide to re-enact that Goya painting of Saturn eating his children for a while, and I’m not persuaded that DP will be highest of high priorities. You have to be an optimist of Pollyanna proportions to assume that the onset of GDPR will be quick and painless, but equally, you’d be an idiot to operate on the assumption that Daniel Hannan is the voice of authority. He’s a disappointing novelty toy from a Kinder Surprise Egg but with opinions.
So what should you do now?
If you’re a business that offers services to EU citizens or monitors their activities, the EU says you have to comply with the Regulation. Don’t ask me to describe exactly how they will force you to do so because frankly, I’m not entirely sure if I believe them, but it would be foolhardy to ignore it. For your EU based activities, you need an action plan. My strong advice is to start by working out whether you need a Data Protection Officer (not everyone does, only those involved in monitoring or the routine processing of sensitive data). If you do, start thinking seriously about who it should be. From there, there are three things you should prioritise immediately.
First, look at how you get consent and consider whether it can honestly be said to be freely given, specific and informed. Second, find out where your company carries out profiling – analysing and predicting people’s behaviour or actions using computerised or automated techniques. Rights and responsibilities over profiling get significantly expanded in the GDPR, so you’re going to need to know where you’re doing it. There is no need to stop, just find where it is going on. Third, look at the systems which hold personal data, and work out – if you had to – could you delete data from that system? Not make it invisible, remove it altogether. If deleting data is difficult or impossible, you have a problem with the Right to be Forgotten and you need to start working out what to do about it. I suspect that forgetting about the DPA will make sense – complying with the Regulation will definitely ensure compliance with the DPA, and a twin-track approach is just stupid. Kill the DPA – read the Regulation now.
I’m going to make an assumption that businesses that trade in the EU are aware of this, so probably have plans in place. The thing I woke up this morning wondering is what of those organisations who languish in the apocalyptic wasteland of the UK? Where should they start? It is sensible to go forward with a plan for implementing GDPR, but may I suggest that you prioritise some items over others?
ITEMS FOR LATER
Until we know what the timetable for the GDPR is post-Brexit (and I will happily delete this blog the instant the Department for Culture Media and Sport announce that GDPR will be UK law on May 25 2018), there are some items you just shouldn’t waste time with. They are entirely creatures of the Regulation and they can wait.
- Profiling – people only get special rights to challenge profiling under the GDPR, so it’s no more a priority than anything else. Forget about it.
- Data Protection Officer that is independent, reports to the board, nobody can tell them what to do – stick with what you’ve got and who you’ve got. Wait for the guidance from the EDPB, learn from the experience of our neighbours. You don’t have to make this change now, so don’t.
- Mandatory breach reporting. Honestly, I don’t know why you’re all busily telling the ICO about every time you send an email to the wrong place. I never have, and I still don’t. It’s not mandatory unless you’re Government, NHS or an ISP. Contain the incident, put it right with the subjects, learn the lessons. If you tell the ICO, it’s because you want to. The only good thing about a *possible* timetable blip is that mandatory breach reporting isn’t necessarily imminent.
- Subject access charges and timescales – for now, it’s £10 and 40 days. That’s it.
- Data Protection by design – OK, it’s an excellent idea, but the need to *demonstrate* it isn’t for now a priority. You have other things to do.
ITEMS FOR NOW
- Impact assessments – get the ICO’s code on Privacy Impact Assessments and follow it if you don’t already. If you do, ensure that the practice is deeply embedded. It’s what ICO says you should do now, and it’s excellent preparation for the Impact Assessments of the future.
- Consent – the ICO has taken enforcement action over poor quality / non-existent consent multiple times already (Pharmacy 2U under DP, Leave.EU and Optical Express under PECR). Their view of how consent works now is very close to the supposedly revolutionary approach of the Regulation.
- Data Processors – find every contractor and agent in your organisation. Make sure there is a binding legal agreement between you and them. I can’t believe that I am saying this after nearly 20 years of DPA being in force, but every time I say it on a training course, people treat it as a revelation. So get out there and look.
- Deletion – the Right to be Forgotten is a different beast to anything that the European courts have created. As above, you need to be looking at all of your systems and processes to find out where deletion / overwriting of data is difficult. Because this is going to be really hard to deal with when the GDPR lands.
- Don’t call the ICO helpline asking them what to do about the GDPR. This is good advice now, as they don’t have any more of a clue than anyone else does, but let’s be honest, it was good advice last week when people thought we were going to remain.
Nobody knows where this is all going. Nobody knows what the future holds. I’m not optimistic about where this country is headed. But to stick to DP, it’s pointless to pretend that May 25 2018 is quite as significant a date as it was, unless you trade in Europe now. Data Protection is still relevant and present, but some assumptions should be challenged. One thing you need to realise is that some of the Regulation is here now in one form or another, and much of the rest of it evolves from what we have now. If you’re crap at data protection now, you’re going to be even worse at the Regulation. It’s still coming. Do nothing at all, and you’ve got another problem to add to all of the ones we just voted ourselves.
* With apologies to Arnold Brown.