Tag Archive for GDPR

GDPR – the phoney war is over

FOIMan launches a new resource to help practitioners and others get to grips with the General Data Protection Regulation (GDPR).

Those interested in privacy had been waiting for years for the European Union to agree its new rules on data protection. Finally, in May of this year, the General Data Protection Regulation (GDPR) became law. Cue party poppers all round.

The party was well and truly pooped though a month later. Instead of starting a long campaign to educate colleagues and businesses about their new obligations (which take effect from May 2018), practitioners have been forced to spend the summer and early Autumn speculating about what BREXIT means for GDPR. Even if they wisely chose to continue their preparations, their words fell on stony ground as those in charge looked to government for a decisive message more informative than “BREXIT means BREXIT”.

Thankfully we now have more clarity. During a committee hearing last week, the Secretary of State for Culture, Media and Sport, Karen Bradley, stated that:

“An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (Oral evidence to the Culture, Media and Sport Select Committee, HC 764, 24 October 2016, answer to Q.72)

So whilst there’s still a possibility that the rules will change again in a few years, at least we now know that GDPR is coming to stay and will be with us for a while. Long enough for us to give it a bedroom and clear some drawer and wardrobe space. Maybe even to cut it a set of keys.

In the meantime, the hands of the clock have been moving apace. There are now just over 18 months to get your house in order, which is not long given how much you need to do to make sure that you meet GDPR’s exacting requirements.

Thankfully there are lots of places to look for help. And now I’m adding to the list. I’ve added a new section to the FOIMan site dealing specifically with data protection reform and GDPR. There are free resources to help you understand your obligations, and suggestions as to where to start your preparations. There’s also a link to the GDPR itself in case you need it. I’ll be updating this page from time to time and adding new links, resources and suggestions so keep popping back for more as your preparations continue.

Valuable information

FOIMan on literally giving your information value.

We often hear people talk about information or data being valuable. But in the last 24 hours I’ve heard two separate speakers, ostensibly on two separate topics, discuss attributing actual monetary cost to information. So perhaps there’s something in it.

First, yesterday evening David Ryan, who was hired several years ago to establish the National Archives’ digital preservation department (and a declaration of interest, he also gave me my first information management job 20+ years ago – don’t hold it against him), was talking about the future of records management at the Information and Records Management Society’s London Group meeting. Amongst other things, David noted the move of many organisations to cloud storage, meaning that there is a noticeable increase in cost if more data is stored each month. He gave the example of Amazon’s cloud storage service, AWS, which now offers customers a retention scheduling tool to help them manage the cost by ensuring that stored data is automatically deleted or archived. He asked if anyone included a monetary cost for record series identified in their records retention schedules. Nobody did, but he speculated that that might become a feature of retention schedules and information asset registers in the future. An invoice might have an intrinsic value to a business in much the same way as a chair.

Which was fascinating but to some probably seemed a long way off. Then today I attended the Direct Marketing Association’s (DMA) Data Protection update, a conference aimed at informing marketers in particular about the General Data Protection Regulation (GDPR). It was an enjoyable event and I found it useful to hear about GDPR from a different perspective.

One session was delivered by Nicholas Oliver, a youthful entrepreneur who talked about “Unified decentralisation & the future of a consumer-led data economy”.

Yes, I know – I was fully prepared to spend that half-hour catching up on email. But it was very interesting.

Nicholas identified that most of us are rather unnerved by the growing trend towards creating unified profiles of us. The fact that Facebook appears to know what we just bought from Amazon and suchlike. He compared this practice to what Edward Snowden revealed about the US security services and concluded that there was little difference between that and what companies are doing to better target their marketing. Having collected all this data, the companies think they own it, and there have even been suggestions that individuals who try to prevent its use are somehow at fault (John Whittingdale, former Culture Secretary, being a notable proponent of this view in relation to ad-blocking).

Nicholas is a businessman and having identified the problem, was there of course to provide us with the answer – or at least his answer. His company, people.io, provides an online platform for people to choose what marketing they receive. And interestingly, given what David Ryan had to say, they actually get paid for their personal data. So you sign up, indicate your preferences, and at some point you, or a charity of your choice, receive a payment. Meanwhile, the advertising you receive is more targeted (so in theory less irritating), and more likely to result in you spending money on products so the companies who sell things to you get more value from their advertising budget. What’s more, Nicholas stressed the fact that consumers have control over their data at all times – once they decide not to receive marketing anymore, their data is deleted. We’re used to our data being a valuable commodity to the companies that collect it. We’re maybe not so used to the idea that it might have monetary value to us.

I haven’t looked at Nicholas’ service and I’m not endorsing it (there may well be other products out there that do something similar), but I did think the approach he described was interesting and seemed very much in line with the GDPR’s emphasis on individual control over data. Elizabeth Denham, the new Commissioner, said yesterday that it’s not about privacy OR innovation, it’s about privacy AND innovation, and this sounded a lot like the kind of thinking that she has in mind. Put together with David’s talk yesterday, it has made me think about how literally to take the phrase “valuable information”.

GDPR is coming – BREXIT or not

FOIMan points to a comment from a BREXIT campaigner which reinforces the message that a vote to leave the EU would have little effect on the adoption of the new General Data Protection Regulation in the UK.

On my data protection courses I’ve come to expect the obvious question whenever I mention that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will apply across the European Union (EU). Which is, of course:

What happens if we vote to leave the EU on 23 June?

I’m no constitutional expert, but I’ve been reassured by the fact that my usual answer has been in line with what many other commentators have said on this question. GDPR is coming whether we leave the EU or not. The latest comments from the BREXIT camp if anything seem to me to reinforce this view.

Firstly, one of the most likely flavours of BREXIT is that the UK would join the wider European Economic Area (EEA) – the group that Norway is a member of. Nations in this group still have to comply with many EU laws, and this would include GDPR. Result of this option: GDPR would apply.

Secondly, if the UK goes for another flavour of BREXIT, then it wouldn’t have to adopt GDPR itself, but following the European Court’s decision on Safe Harbor last October, if UK businesses were to continue to do business with European companies and public bodies then it would almost certainly have to adopt an “equivalent” level of data protection. Result of this option: a new Data Protection Act that is to all intents and purposes the GDPR by another name.

One complicating factor is that it has previously been assumed that post-BREXIT negotiations would take two years to complete. This would mean that however we vote, the GDPR would apply for a matter of months after 25 May 2018. If businesses and public bodies have to do enough to comply with the regulation for a few months, what would be the point of lowering standards that they have already worked to meet?

Now comments by one of the leading BREXIT campaigners seem to me to make it even more important for businesses to assume that GDPR is on the way – and will be here to stay. Michael Gove recently suggested that negotiations post-BREXIT would be unlikely to be complete by the time of the General Election in 2020. If BREXIT happens more than 2 years after GDPR has been brought into force, it seems less likely than ever that BREXIT would affect GDPR.

The bottom line is: whatever the outcome on 23 June, the GDPR is on the way and organisations need to prepare for it now.