So the nation has spoken – and the UK has voted to leave the EU. So where does this leave the EU General Data Protection Regulation?
The ICO was quick to highlight three key points:
(1) The Data Protection Act 1998 (DPA) remains the law of the land.
(2) The upcoming EU reforms to data protection law will not directly apply to the UK.
(3) 1998 is a long time ago – so much has changed, that the need for an updated data protection law in the UK remains necessary.
Protecture attended the rather well timed meeting of the National Association of Data Protection Officers on Friday 24th June – and heard from the ICO’s Group Manager for Policy Delivery. Our take on his comments, and those of 40 fellow data protection professionals, were:
(1) Data Protection law remains critical
A functioning, relevant data protection law is part of a modern information economy. These sentiments echoed the closing line of the ICO’s statement:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
The current DPA is over 20 year old. It needs an overhaul to keep pace in both recognition of the growing importance of personal information and the rapid changes in technology that affect us all on a daily basis.
(2) Change will be coming…it is just the method and timescale that may have altered
There are various ways to deal with an overhaul of data protection law; we also have a new Information Commissioner starting soon, who is a non-European and whose views and potential approach we do not yet know.
There is a clear need to quickly set a direction of travel. For example, the UK government could
(a) simply replicate the GDPR….however, there are a aspects that the government would clearly look to amend (see (3) below).
(b) ask the EU to assess the UK as an “adequate” country – and be added to the list of countries that have already been assessed and signed off. However, this will mean substantial revision of the current DPA – to ensure it provides protections and standards equivalent to the EU’s General Data Protection Regulation framework.
(c) Implement a series of Statutory Codes of Practice – like the Data Sharing Code – to require organisations to make changes and deliver improvements in compliance with the current DPA.
(3) The ICO and Government are likely to agree on lots of the GDPR measures anyway
Only two planned GDPR changes – mandatory appointment of Data Protection Officers, and free Subject Access Requests within 30 days – were highlighted as not having the support of government.
There may be others, but the sense in the room on Friday was that the ICO (and government) see most of the GDPR measures as useful, practical measures that build on the existing principles and best practice of the current law…and will help drive the digital economy.
The following will likely come through into an updated data protection law in the UK:
- A matrix of rights balanced against a clearer legal basis for handling personal information – e.g. clearer consent and/or clarity on the lawful basis for the collection, use, sharing and holding of personal information.
- Enhanced transparency provisions – i.e. greater openness by Data Controllers in why and how they process personal information, and greater expectations that individuals should be able to know the measures that organisations are taking to protect their personal information.
- Imposing liabilities directly onto Data Processors – meaning the need to amend contracts with suppliers to better reflect the responsibilities for risk and liability for breaches.
- Mandating Data Protection Impact Assessments in certain circumstances – i.e. the need to consider the data protection and privacy issues at the start of any project.
- Mandating breach notification for all sectors – i.e. greater transparency when things go wrong, and accountability for putting things right.
- Providing data portability – i.e. there are economic benefits behind individuals being able to make organisation pass their electronic data onto other suppliers of services.
- Stronger provisions on profiling and automated decision making.
So the GDPR’s more prescriptive approach – with a long but clear list of compliance tasks; more detail guidance and more process-orientated means of delivering compliance – may not survive the day. The ICO’s less prescriptive approach may continue. But the ultimate aim – of ensuring that organisations treat people fairly and properly when it comes to their personal information – will remain central to the law and the ICO’s mission.
Managing data protection remains a key area of risk for all organisations. Everyone expects organisations to know what they are doing when it comes to handling personal information. The benefits of getting data protection right – such as getting the most out of an important asset; greater efficiencies and a solid foundation from which to innovate – remain high. The reputational and financial risks of getting it wrong remain great, and are growing rapidly.
Whilst it will not be the current EU General Data Protection Regulation that will update data protection law in the UK, change is inevitable. Those organisations that grasp this, and move to ensure compliance with best practice, will have an advantage and will meet the expectation of the customers, service users, donors and other stakeholders.