Saturday, 16 September 2017

Scrutinising the Data Protection Bill: The case for a Keeling Schedule

Parliamentarianswho are tasked with scrutinising the Data Protection Bill have an inenviable job.  Can there be a less desirable appointment than siting on a Parliamentary Committee, scrutinising text that many seasoned data protection professionals have thrown their arms up in the air in despair over?   

Given that the Bill is intended to last a generation, (the current Act will have lasted 20 years by the time of its repeal) , surely we deserve something we can more readily understand. Not just something that will keep Robin Hopkins QC, Anya Proops QC, their other colleagues at 11 Kings Bench Walk  and many, many, many other data protection lawyers in clover for their rest of their working lives. 

Is it really necessary for this Bill to be such a gorgeous gift to the legal profession? 

Is it really necessary for hard working data protection professionals to have to work so much harder to master the details of such a complicated proposal?

Is it really necessary for citizens to have “rights” that are so hard to define and comprehend?

I appreciate, though, that turkeys don’t vote for Christmas.  And if we data protection professionals want to earn stratospheric salaries, which many of us do, (but not all, I grant you)  then obviously the secrets of privacy witchcraft must be restricted to a select few. 

I’m pretty sure, however, that the “select few” won't include the parliamentarians who will be charged with holding the Government to account with regard to the Data Protection Bill.

If my experience is anything to go by (my experience being limited to following the passage of many bills though Parliament and  being appointed specialist advisor to two joint parliamentary committees, one scrutinising the draft Communications Data Bill in 2012 and the other scrutinising the draft Investigatory Powers Bill in 2015-16) the parliamentarians doing the scrutinizing are going to need all the help they can get.

In my experience, as well as relying on evidence from government officials, a selection of the usual suspects (industry reps, civil society, lawyers, possibly a token celebrity & the ICO ) will be invited to give evidence – and the role of the parliamentary committee member (ably supported by the Committee secretariat) is to assess the evidence that is delivered to it. Evidence carries weight not in terms of how many witnesses make the same point, but whether that point is actually any good.

Witnesses were extremely generous in providing evidence to both parliamentary committees I was involved with. Civil Society and academics were particularly generous (ie verbose) in their comments – but fortunately as many of them had conferred in advance of submitting their evidence, a lot of the text submitted was remarkably similar / identical to that submitted by others among their cohort. So, quite a few submissions didn’t take that long to read and take note of.

But one of the most important pieces of evidence was a Keeling Schedule.

Keeling Schedules can be used to help explain to parliamentarians what are new bits of law, and what are restatements of existing law. They are very helpful when the Government is claiming that it is simply consolidating, or amending legislation.  At a glance the schedule will tell the reader what is already on the statute book  - and where it is - (which is something that parliamentary committee members may decide not to unduly concern themselves with), and what is new. It’s the new stuff that's critically important for Parliament to get right. 

Robin Hopkins QC, Anya Proops QC et al, will already almost certainly have a view on the meaning of the existing law. But the new stuff – that's the exciting stuff, and that's the area of law for which maximum clarity is most desirable.

So, what all Data Protection Bill scholars really want to know is what the new stuff is – amidst the 218 pages, 194 Clauses and 18 Sections of the recently released text.

How do parliamentarians get hold of a Keeling Schedule for the Data Protection Bill?

Easy. The parliamentarians appointed to the relevant Bill Committee, through the Committee Chairman, just need to ask the DCMS Bill team to prepare one (or, more likely, to share the version they already have). The minister may find he doesn't have that easy a ride if he can't provide a convincing explanation as to why the parliamentarians charged with scrutininsng the Bill can’t be provided with one. 

The bill is, after all, one of the most significant pieces of legislation facing Parliament this decade. I’m sure that the parliamentarians – and the DCMS – only want to get it right. 

But that requires clarity and transparency  - the sort of thing the Bill requires of data controllers and data processors.  

So, lets see how Parliament leads by example, and delivers to us a statute that we can both be proud of and understand.

For starters, lets take a look at the Keeling Schedule.

Sunday, 10 September 2017

The case for delaying the date the GDPR applies for a couple more years

A huge percentage of the organisations I’ve recently come into contact with have little chance of becoming “GDPR compliant” by May 2018.

To be fair, a good proportion of these organisations have spent the past decade or so ignoring the professional advice that's available on how to better comply with the requirements of the existing data protection legislation.

The task, which is (a) to understand just what is required of them by the GDPR; and (b) to implement the necessary measures, is simply overwhelming. 

Organisations with little or no concept of records management, and with little or no concept of how long they need to keep information for in order that they can met their own business requirements, will find “compliance” a particularly difficult challenge.

Some organisations appear to think that self-proclaimed (and yes, sometimes self-certified) GDPR “experts” will, for a not inconsiderable fee, apply their special brand of privacy witchcraft and, with a fistful of pre-prepared policies and procedures, sprinkle compliance stardust into areas that other policies daren’t venture.

Some organisations appear to think that all that's required is a quick visit from "experts" who will offer an outsiders’ view of issues they know nothing about, and that said "experts" will do their stuff  (and map those damn data flows) without anyone else ever needing to change the way they work.


The problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to comply.

Well, that’s too simplistic.

The real problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to appreciate what risk the organisation is running, as a result of its information management procedures, and to appreciate whether particular risks are within the organisation’s risk appetite.

So, the first step is for an organisation to define its risk profile. Then it can take a decision on the extent to which it will address data protection (and, more specifically, the GDPR’s requirements. Then, and only then, can it embark on a change programme to implement the relevant improvements.

Can most companies manage this by May 2018? Or can they evidence that they can meet their accountability obligations?

Especially when there’s so much scope for interpreting the GDPR in different ways?

I’m not optimistic.

I’m certain that many companies are trying hard, though. And I know that many other companies would like to comply, but they simply can’t obtain the professional support that's necessary to convert the language of the GDPR into terms that most people can readily grasp.

My sympathies are also with regulators who are put in a pretty dreadful position by the text of the GDPR. First, they have to decipher certain GDPR requirements and put their own spin on the meaning. Then, they need to contemplate taking enforcement action against organisations who disregard said spin.

Also, being in the position of (theoretically) being able to take significant enforcement action against virtually every data controller in the land for some GDPR transgression or other will present challenges as the more enlightened data protection regulators strive to foster a close and constructive working relationship with these data controllers.

Perhaps we need a further 2 year transition period so that the Data Protection Board can get its act together and issue clearer advice with regard to the new requirements (i.e. those that weren’t already enshrined in domestic data protection law), before national data protection regulators take it on themselves to contemplate enforcement action against organisations that breach the new requirements.

Saturday, 19 August 2017

Missing the GDPR deadline of May 2018: And then what?

As May 2018 looms, I’m aware of a growing number of companies that are seeking help with their GDPR compliance obligations. For most of them, it's a huge wake-up call.

Many (me included) have been sent a stream of emails from self-styled “GDPR experts” containing dire warnings of ginormous fines for non-compliance.

Many (me included) have been offered the opportunity to spend money on worthless qualifications from institutions I had never heard of to obtain some certificate of GDPR proficiency, entitling me to become almost as well qualified as the instructors claim to be. The principal “expert” of  an institute that contacted me recently had no idea whether his institute needed to register with the ICO, and had never heard of Nymity before. To the uninitiated, Nymity is a rather well known data protection solution provider.

But enough of these GDPR ambulance chasers.  If nothing else, they've raised awareness of the compliance problem. But how many are actually capable of delivering  compliance solutions that can be embedded within a workplace? Well, that's another matter.

The fundamental flaw in many of the “solutions” that currently appear to be on offer is that they are based on the premise that an appropriately experienced consultant can be embedded within an organisation for a short while in order that they can patch a bit (or a lot) of privacy tech into existing systems, create a library of GDPR-compliance policies and then disappear into the ether, leaving everyone to get on with their jobs, as they always have.

But this approach isn’t going to work.

Proper GDPR compliance requires a fundamental change in the behaviours of everyone in the organisation, coupled with an appreciation of just what is required. I really doubt that many organisations are really up for that.

Here are just two examples.

First, in the area of records management, the GDOR requires organisations to actually know what records containing persona data they have and where they are. This is not a new concept. After all, the ICO has been focusing on the need for effective records management for years. But what s new is the emphasis that the GDPR places on organisations knowing what personal information they have and how it is used.

For many companies I’m familiar with, this simply isn’t going to happen. They don’t have comprehensive Information Asset Registers and they won’t have comprehensive Information Asset Registers. Their IT infrastructure is simply too complex; it is perpetually evolving and new information assets are constantly being created by staff members who do not and will not follow corporate rules.

Second, in the area of experienced and knowledgeable Data Protection Officers, again most of the organisations I’m aware of have no idea how complex data protection law can be and so how best to recruit effectively for the role.  It’s not something anyone can just pick up in their spare time. And it distresses me no end to learn how much some people are being paid for what little technical knowledge they’ve actually acquired.

By next May, many public sector organisations will end up breaking the law by appointing someone with very little actual knowledge of their obligations  – or they will end up breaking the law because they didn’t realise that they had to appoint a DPO in the first place.

But I’m sure this is not just a “British” thing.  My international chums tell me that the level of awareness – or preparedness – is very low beyond Blighty, too.

Is the GDPR a stretch too far?

Right now, I think it is. While it contains standards that many responsible organisations would wish to aim for, I have no idea how many organisations within Europe really will be fully compliant by May 2018.  The larger companies  - and particularly those in the financial services sector - will of course strive every sinew to comply, and will commission scarce consulting resource to help them.  But will all he smaller organisations have the luxury of experienced support? Of course not.

It would be unfortunate if many organisations realised what a huge challenge GDPR compliance is, and simply give up, hoping that resource-poor data protection regulators won't go after them because they'll be too busy responding to complaints from individuals whose fundamental rights have evidently been infringed.

But this is a risk. Should non-compliance with a poorly written and over complex piece of legislation become too widespread through out Europe, and data protection regulators find it an overwhelming challenge to retain sufficient numbers of suitably experienced staff, perhaps some of the brighter EU policymakers will decide that the GDPR was a stretch too far, and that simpler – and yes, lower – standards, should be introduced.


Wednesday, 8 March 2017

Will the latest marketing and consent guidance result in a financial shortfall for charities?

Concern has been mounting that the attitude the Information Commissioner’s Office is currently taking towards charities will result in it becoming even harder to raise funds from supporters and potential supporters. New guidance about how charities should obtain consent to contact supporters, and how this consent should be used, has recently been published by both the ICO and the Fundraising Regulator.

But are the regulators really raising the bar? Or are they just reminding charities what the rules actually are?

In the eyes of some, the Information Commissioner, together with the Fundraising Regulator, are enforcing privacy standards that make life much more difficult than should be the case for reputable charities to carry out fundraising initiatives. Pre-ticked boxes are out. Consent for direct marketing must clearly relate to each of the different methods that charities plan to use. Silence does not indicate consent.

In the eyes of the regulators, however, it is important that charities should be observing the rules that have been place for many years, as well as preparing for new requirements, to be introduced in May 2018 by the General Data Protection Regulation. Specifically, much more light needs to fall on the opaque practices of marketing, data matching and tele-appending.

As far as the ICO is concerned, data matching and tele-appending are different practices to those of purely direct marketing. So, supporters must be informed about these practices. Such views were met with considerable alarm by some charities, who were concerned about what their supporters might think (and how they might act) if they were really knew how their personal data was being used.

When speaking at a Fundraising & Regulatory Compliance Conference in February 2017, Information Commissioner Elizabeth Denham reminded delegates that:

“The Data Protection Act is a principles based law. It doesn’t address the legality of particular activities. You won’t find a clause that says wealth screening is against the law, for example. But you will find principles that say data must be processed fairly and lawfully.

Some of the activities that we investigated charities for will never be accepted as being fair. It’s hard to imagine, for example, a circumstance where searching out phone numbers or addresses that have not been shared could be fair.

Wealth screening, as least how we have seen it being done, is not fair either.

Let me be clear. It’s not that the activity is against the law but failing to properly and clearly tell your donors that you’re going to do it, is.”

So, whether charities like it or not, the transparency bus has rolled into town. For good.

A number of charities have recently started to revise their contact preference strategies, and to be more transparent about how they use their supporters’ details.

Before doing so, however, the lack of empirical evidence as to the likely effect of changes in existing contact strategies, or in being more transparent, caused some fundraising executives great concern.  Fortunately, evidence is emerging to support the contention that a transparency-based agenda is not such a disastrous strategy - for highly-regarded organisations, at least.

In 2015, for example, the RNLI decided to change the way it raised money for its lifesaving service. Initially, it was concerned about the potential adverse financial impact when changing its practices and moving to opt-in communications for its supporters. 

By late 2015, the RNLI’s supporter database held about 2m contacts. But, many of these contacts had not been active for some time, and it only had regular communications with and responses from around 885,000 people. So, would a change to an opt-in model ensure that the charity would continue to be able rely on sufficient numbers of engaged supporters?  It had braced itself for a potential reduction in income, after all mitigating factors were taken into account, of £35.6m over 5 years.

That’s a lot of money, potentially, to lose.

However, the RNLI had a pleasant surprise. The original assumptions proved to be wrong. The opt-in rate did not drop to 25% of the original database, the actual rate was closer to 40%.   The charity exceeded its original intention of opting in 250,000 supporters by the end of 2016. By February 2017, over 375,000 have said that they still want to keep in touch.

And, it wasn’t just their existing supporters that responded –the charity also attracted new support, with over £175,000 in unsolicited donations via the opt-in marketing campaign.

As far as Elizabeth Denham is concerned, what charities now have to do is to find a way to excel within the boundaries of the rules. They can cling to the belief that regulators have got the law wrong, or that it doesn’t apply to the charitable sector, or that the regulatory burden is too great. Or, they can commit to positive change.

Change that, in her view, is not only achievable, but will reap its own rewards.


Sunday, 29 January 2017

What (currently ignored) privacy area might result in early enforcement action when the GDPR is in force?

We have 480 days to go before the General Data Protection Regulation is “in force”.

And then what?

That's the question I’m being increasingly asked these days.

Does it really mean that in 481 days, European privacy regulators will be heralding the first megafine for non-compliance with one of the GDPR’s more obscure requirements?

I think not.

But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector, who will note, from the data protection compliance reports that have been commissioned, the difficulties that are being encountered in ensuring that sufficient evidence is available to demonstrate how the organisation complies with the GDPR.

Many of the organisations I’m currently working with are still trying to understand just what it is that they are supposed to be complying with. And also, what standard of evidence is necessary to be generated, just in case privacy regulators exercise their Article 30(4) right to request it.

Each professional consulting firm I’ve come across carries out data protection audits / health checks in different ways. And, in assessing data controllers through different privacy prisms, I’m confident that some organisations might well “pass” a privacy review that was carried out by one consulting firm, yet “fail” the review that was carried out by another firm. Why? Because the other firm had decided to focus on some obscure GDPR issues that the original firm didn’t think were particularly relevant.   

Does this matter?

Well, it would if it led to the organisation performing poorly in a review that was carried out by a national privacy regulator.

So, what should be done to reduce the likelihood of such an event?

In the UK, the ICO has provided organisations with a great deal of guidance as to precisely what controls they would expect to see in place and operating effectively. I don’t see this degree of guidance readily available in other EU countries. I have not had an opportunity to review all the webpages of each national data protection supervisory authority, but my cursory checks have certainly not unearthed the level of detail that has been published by the ICO. Perhaps this will be a task for the Data Protection Board.

But, in the short term, what new areas of non-compliance might European privacy regulators focus on?

If I were a privacy regulator, I would focus on records management and, in particular, the greatly ignored area of records retention. So many organisations find it hard to develop, let alone implement, comprehensive records retention policies. Are they in for an unwelcome surprise? The GDPR is (apparently) going to require data controllers to be more transparent about their records retention policies.

The potential fine for not informing individuals, as their personal data is being collected, about retention periods is of course significant. But do (even) regulators take the issue of data retention that seriously?  Outside the communications sector, how much interest, or formal enforcement action, has ever been taken against data controllers with regard to breaches of the Fifth Data Protection Principle?

I’m not aware of many cases. Over retention may have been an aggravating factor when the ICO considered the level of a fine for some incidents involving security breaches, but there are very few recorded cases of enforcement action being taken just because a data controller retained data for longer than the regulator considered necessary.

Perhaps this will change.

But, since most data controllers have paid no more than lip service to the difficult issue of the period for which the personal data will be stored, I doubt that many currently feel that the ICO’s attitude will change significantly in 480 days time.