Saturday, 16 September 2017

Scrutinising the Data Protection Bill: The case for a Keeling Schedule

Parliamentarianswho are tasked with scrutinising the Data Protection Bill have an inenviable job.  Can there be a less desirable appointment than siting on a Parliamentary Committee, scrutinising text that many seasoned data protection professionals have thrown their arms up in the air in despair over?   

Given that the Bill is intended to last a generation, (the current Act will have lasted 20 years by the time of its repeal) , surely we deserve something we can more readily understand. Not just something that will keep Robin Hopkins QC, Anya Proops QC, their other colleagues at 11 Kings Bench Walk  and many, many, many other data protection lawyers in clover for their rest of their working lives. 

Is it really necessary for this Bill to be such a gorgeous gift to the legal profession? 

Is it really necessary for hard working data protection professionals to have to work so much harder to master the details of such a complicated proposal?

Is it really necessary for citizens to have “rights” that are so hard to define and comprehend?

I appreciate, though, that turkeys don’t vote for Christmas.  And if we data protection professionals want to earn stratospheric salaries, which many of us do, (but not all, I grant you)  then obviously the secrets of privacy witchcraft must be restricted to a select few. 

I’m pretty sure, however, that the “select few” won't include the parliamentarians who will be charged with holding the Government to account with regard to the Data Protection Bill.

If my experience is anything to go by (my experience being limited to following the passage of many bills though Parliament and  being appointed specialist advisor to two joint parliamentary committees, one scrutinising the draft Communications Data Bill in 2012 and the other scrutinising the draft Investigatory Powers Bill in 2015-16) the parliamentarians doing the scrutinizing are going to need all the help they can get.

In my experience, as well as relying on evidence from government officials, a selection of the usual suspects (industry reps, civil society, lawyers, possibly a token celebrity & the ICO ) will be invited to give evidence – and the role of the parliamentary committee member (ably supported by the Committee secretariat) is to assess the evidence that is delivered to it. Evidence carries weight not in terms of how many witnesses make the same point, but whether that point is actually any good.

Witnesses were extremely generous in providing evidence to both parliamentary committees I was involved with. Civil Society and academics were particularly generous (ie verbose) in their comments – but fortunately as many of them had conferred in advance of submitting their evidence, a lot of the text submitted was remarkably similar / identical to that submitted by others among their cohort. So, quite a few submissions didn’t take that long to read and take note of.

But one of the most important pieces of evidence was a Keeling Schedule.

Keeling Schedules can be used to help explain to parliamentarians what are new bits of law, and what are restatements of existing law. They are very helpful when the Government is claiming that it is simply consolidating, or amending legislation.  At a glance the schedule will tell the reader what is already on the statute book  - and where it is - (which is something that parliamentary committee members may decide not to unduly concern themselves with), and what is new. It’s the new stuff that's critically important for Parliament to get right. 

Robin Hopkins QC, Anya Proops QC et al, will already almost certainly have a view on the meaning of the existing law. But the new stuff – that's the exciting stuff, and that's the area of law for which maximum clarity is most desirable.

So, what all Data Protection Bill scholars really want to know is what the new stuff is – amidst the 218 pages, 194 Clauses and 18 Sections of the recently released text.

How do parliamentarians get hold of a Keeling Schedule for the Data Protection Bill?

Easy. The parliamentarians appointed to the relevant Bill Committee, through the Committee Chairman, just need to ask the DCMS Bill team to prepare one (or, more likely, to share the version they already have). The minister may find he doesn't have that easy a ride if he can't provide a convincing explanation as to why the parliamentarians charged with scrutininsng the Bill can’t be provided with one. 

The bill is, after all, one of the most significant pieces of legislation facing Parliament this decade. I’m sure that the parliamentarians – and the DCMS – only want to get it right. 

But that requires clarity and transparency  - the sort of thing the Bill requires of data controllers and data processors.  

So, lets see how Parliament leads by example, and delivers to us a statute that we can both be proud of and understand.

For starters, lets take a look at the Keeling Schedule.

Sunday, 10 September 2017

The case for delaying the date the GDPR applies for a couple more years

A huge percentage of the organisations I’ve recently come into contact with have little chance of becoming “GDPR compliant” by May 2018.

To be fair, a good proportion of these organisations have spent the past decade or so ignoring the professional advice that's available on how to better comply with the requirements of the existing data protection legislation.

The task, which is (a) to understand just what is required of them by the GDPR; and (b) to implement the necessary measures, is simply overwhelming. 

Organisations with little or no concept of records management, and with little or no concept of how long they need to keep information for in order that they can met their own business requirements, will find “compliance” a particularly difficult challenge.

Some organisations appear to think that self-proclaimed (and yes, sometimes self-certified) GDPR “experts” will, for a not inconsiderable fee, apply their special brand of privacy witchcraft and, with a fistful of pre-prepared policies and procedures, sprinkle compliance stardust into areas that other policies daren’t venture.

Some organisations appear to think that all that's required is a quick visit from "experts" who will offer an outsiders’ view of issues they know nothing about, and that said "experts" will do their stuff  (and map those damn data flows) without anyone else ever needing to change the way they work.


The problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to comply.

Well, that’s too simplistic.

The real problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to appreciate what risk the organisation is running, as a result of its information management procedures, and to appreciate whether particular risks are within the organisation’s risk appetite.

So, the first step is for an organisation to define its risk profile. Then it can take a decision on the extent to which it will address data protection (and, more specifically, the GDPR’s requirements. Then, and only then, can it embark on a change programme to implement the relevant improvements.

Can most companies manage this by May 2018? Or can they evidence that they can meet their accountability obligations?

Especially when there’s so much scope for interpreting the GDPR in different ways?

I’m not optimistic.

I’m certain that many companies are trying hard, though. And I know that many other companies would like to comply, but they simply can’t obtain the professional support that's necessary to convert the language of the GDPR into terms that most people can readily grasp.

My sympathies are also with regulators who are put in a pretty dreadful position by the text of the GDPR. First, they have to decipher certain GDPR requirements and put their own spin on the meaning. Then, they need to contemplate taking enforcement action against organisations who disregard said spin.

Also, being in the position of (theoretically) being able to take significant enforcement action against virtually every data controller in the land for some GDPR transgression or other will present challenges as the more enlightened data protection regulators strive to foster a close and constructive working relationship with these data controllers.

Perhaps we need a further 2 year transition period so that the Data Protection Board can get its act together and issue clearer advice with regard to the new requirements (i.e. those that weren’t already enshrined in domestic data protection law), before national data protection regulators take it on themselves to contemplate enforcement action against organisations that breach the new requirements.