As readers will no doubt be aware, the General Data Protection Regulation (GDPR) has applied from 25 May 2018. Six months on, Daradjeet Jagpal carries out an initial appraisal of four key aspects of the GDPR and provides his thoughts on what lies ahead.
At the nucleus of the GDPR are the concepts of transparency and accountability.
Transparency requires organisations to be open and upfront with individuals by informing them of what personal data is handled by the organisation, what it will be used for and who it will be shared with (amongst other things).
Accountability is about organisations having an effective information governance framework in place, which demonstrates their compliance with the GDPR to the outside world via appropriate staff training, policies and other documentation.
Both these concepts appeared to be the key priorities for all organisations in the run up to GDPR day, and individuals were bombarded with “privacy notices”, “privacy policies” and “data protection statements” (I personally prefer to call them “transparency statements” because that sits better with the GDPR concept of transparency) from most, if not all, of the organisations that had ever handled and used their personal data. These transparency statements generally assumed a similar format, with some being based on templates developed by sector specific membership bodies.
Some poor drafting aside, I consider that this compliance element has been accomplished with success across the board. Individuals are generally more informed of what personal data organisations hold on them, why and where it goes.
However, the desire to “keep up with the Joneses” and to perhaps keep public relations sweet means that the shelf-life of these transparency statements will be shorter than the average mobile telephone. This is because in the rush to get ready for GDPR day, some organisations chose to rely on the comparatively easy route of template documentation or to “copy and paste” what other organisations were doing. While I am not opposed to the use of template documents and do not believe in unnecessarily reinventing the wheel – indeed, I have developed my own templates, based on my knowledge, understanding and experience of working with specific sectors over the years – there needs to be a recognition that one size does not fit all and such documents are rarely interchangeable between, among or even within sectors.
A good transparency statement will emanate from a detailed data mapping exercise and audit of personal data handled and used by an organisation undertaken on either a systematic or functional basis. In other words, like the discipline of Mathematics, the result requires underlying background workings to be able to evidence how the answer was arrived at.
My concern is that, should the Information Commissioner’s Office (ICO) ever have cause to investigate the organisations using templates or the work of others, what would they be able to produce by way of background workings against every claim made in the transparency statement? I am already receiving enquiries from organisations that have adopted this approach and are concerned that what they have in place now is no longer fit for purpose – if it ever was in the first place, that is.
For this reason, I believe that version 2.0 of some of the transparency statements that were issued in May 2018 is forthcoming soon.
The GDPR ushered in a new era in the information rights sphere, reinforcing pre-existing rights to access and rectify personal data and introducing new rights to have personal data erased and ported over from one organisation to another. There are also enhanced and new rights in relation to automated decision making and profiling, respectively.
The initial fear post-GDPR day was that the floodgates would open to rights requests (as was the case with freedom of information) and that organisations would have to battle with an overflowing inbox of requests, exercising new-fangled rights that would need to be diagnosed appropriately (believe me, it is not always easy to distinguish an access request from a portability request on the face of it).
The reality is that there has been a slight increase in rights requests, particularly in relation to access (due mainly to the removal of the £10 fee – in most cases) and erasure, which is normally the afterbirth of an access request, but it is still very much business as usual. This is at odds with the increased transparency that the GDPR has brought about regarding individual rights. Surely, if individuals know what their rights are, and it costs nothing to use them, they will be more inclined to exercise them? The raison d’être of this is that individuals have perhaps not had the time to review the numerous transparency statements