GDPR - forcing organizations to wake up to data protection basics
- With GDPR a reality and Brexit looming on the horizon, organizations have some basic data protection questions to ask themselves.
After more than 30 years in the business, Jonathan Bamford believes that data protection has finally become a subject that people take seriously.
For Bamford, Director of Strategic Policy (Domestic) at the UK Information Commissioner’s Office (ICO), one piece of evidence for this was that there were two questions on the topic in a recent pub quiz he took part in: one was on GDPR [General Data Protection Regulation], and the other on Cambridge Analytica. In his estimation, this shows that data protection has now “entered the public consciousness in a different way”.
But a more serious realisation has dawned on Bamford since GDPR’s introduction in May last year: the new rules are forcing organizations to think about the basics of data protection as much as the finer details – often for the first time.
He shared these thoughts in two keynote speeches at a Westminster eForum event in London last week - GDPR In Practice: Progress on Lessons Learnt and Next Steps. So what have the key learnings been so far?
The confidence trick
For the ICO, the prime goal has been to improve public trust and confidence in how data is used, said Bamford, something he believes is core to improving information rights practice in the UK. He said:
We don’t just see regulation as taking action, imposing what some might regard as draconian penalties and enforcement notices. It’s very much carrot and stick. We only get the stick out when we need to. The carrots manifest themselves by us producing effective guidance.
Since May, the ICO has published more than 50 separate pieces of guidance, which have received more than 10 million unique views online, he said.
In 2019, that advice will become more focused in key areas, with guidance due on children’s information access and design, seeking redress from media organisations, and best practice for direct marketers, among others. The ICO is also evolving a regulatory ‘sandbox’ approach with UK companies – working with them, not against them.
According to Bamford, one thing it has noticed over the past few months is that some organizations believe data protection is now solely about GDPR compliance. Many fail to realise that there is an even more prominent feature on the UK’s regulatory landscape: the Data Protection Act 2018.
That said, GDPR has been useful in one major respect, he suggested:
One of the most interesting things we’ve noticed is how many organizations woke up to data protection for the first time with GDPR. And a lot of the work we’ve had to do in terms of advice and complaints-handling has been on what I regard as core data protection issues. Not new things that have cropped up under GDPR, but data protection basics that organizations should have been on top of for a long, long time.
A lot of our effort hasn’t been on the minutiae of changes under GDPR or the Data Protection Act 2018, it’s been on core issues like subject access. A lot of the enquiries we’ve received have been about these data protection basics.
According to Bamford, there has been a 93% year-on-year increase in enquiries to the Office, as many organizations try to get up to speed. At the same time, there has been a 94% surge in the number of complaints about data protection breaches: the ICO received some 43,000 between May and the end of 2018.
To date, most complaints have been about core privacy and protection issues – those “basics” again. Complaints about subject access to personal data are up by 98%, said Bamford, while complaints about wrongful disclosure have increased by 131%. “Inappropriate security” complaints have soared by as much as 179%, he added, while those about data retention (holding records for too long) are up by 81%.
So how many of these does the ICO uphold? As a percentage, rates have remained roughly the same as under previous legislation, such as the Data Protection Act 1998: roughly one-third are upheld. Indeed, in many cases the ICO is still working through cases brought under the 1998 Act.
But with complaints soaring to 43,000 in less than eight months – a notional rate of more than 64,500 a year – our own calculations from Bamford’s figures suggest that as many as 21,500 could be upheld annually. That’s a lot of fines, warnings, or rapped knuckles.
On that point, Bamford said:
We focus on things that we believe pose the greatest risk or the greatest harm to individuals. It’s important we take a robust approach. There’s no incentive for people to do things properly unless there are penalties for breaks.
But we don’t want people to think we are using our enforcement powers disproportionately. That was never going to be the case. We focus on where there have been repeated offences and action is important to persuade people to behave better.
There have been over 8,000 self-reported breach notifications to date, said Bamford, so GDPR is demonstrably having an effect. In an aside, he reminded data protection officers that breaches need to be reported within 72 hours, not 72 working hours. Then he added:
The issue is how we make sure we are responsive to changes that are taking place in society, and technological changes, lifting the veil on practices that the public doesn’t really understand.
And in 2019, there are some major changes coming for the UK – not least in the country’s relationships with Europe and the rest of the world.
One goal for the ICO’s data protection strategy is to maintain the UK’s standing in the global information rights community, explained Bamford. With Brexit on the horizon, that may be no easy task, something I put to him at the event. He said:
The simple truth is that, in a global regulatory environment, we really need to cooperate. [...] Things that affect people here are no respecters of national boundaries. It’s important that we make sure we work closely with other data protection authorities around the world.
We think in the ICO that we have a lot of expertise that the wider community profits from. Not every data protection authority is as mature or as well resourced as we are in the UK. And it’s important that we bring that resource to bear to help that global community, because we’re all in this together.
Something that is a breach over here could be a breach in the States or in Australia too. We’re very keen to make sure that as the UK looks beyond the boundaries of Europe we look beyond those boundaries too, to make sure we’re joined up.
But will that challenge be more difficult when – or perhaps if – the UK leaves Europe? Bamford said:
I don’t think it’s more difficult, it just requires a different focus.
That said, organizations do need to consider the impact of Brexit on the data management and transfer aspects of their business – particularly if the UK crashes out of Europe with no deal. With GDPR absorbed into UK law, come what may, Bamford said that organizations need to have “some thoughts and contingencies” in place.
This is because ‘no deal’ would affect not only those who send data to, or receive data from, customers or subsidiaries in the EU. For example, the ICO sees “plenty of organizations” that use EU-based data hosting, processing, or cloud services, he said. With the EU accounting for three-quarters of the UK’s cross-border data flows, it’s likely that the majority of UK organizations host data in Europe.
The current free flow of personal data between the EU and UK will no longer exist if the UK leaves Europe without an agreement that specifically provides for it. (At these times it’s useful to remember that there is no such thing as ‘the cloud’; cloud computing is all about data centers built on land, under national and supranational laws.)
The British government has made clear its intention to permit data to flow between the UK and countries in the European Economic Area (EEA), but transfers of personal information from the EEA to the UK will be affected until an actual agreement is put in place. That’s according to the ICO’s website.
Accordingly, the ICO has published detailed guidance on what organizations should do in the event of a no-deal Brexit.
But are these just groundless scare stories, which bring to mind the global paranoia about Y2K? Bamford shared some thoughts for anyone who believes all this to be a trivial concern:
Some people think that there’s going to be some magic [data] adequacy agreement coming from the European Commission by 29 March. I don’t think that’s going to happen, and the European Commission and the UK government don’t think that’s going to happen. So you really do need to think about that.
So: Where’s your data? That’s the question that all UK data managers need to ask themselves. In some cases, even our most compliance-focused organizations, such as the NHS, don’t know the answer – as a separate diginomica report from the Westminster eForum will explore.
It’s this not knowing that’s the problem, as much as the European dimension. Either way, a no-deal exit from Europe may have repercussions if your data does turn out to be hosted on the continent. If the ICO believes no adequacy agreement is coming – for the foreseeable future, at least – you’d be well advised to follow its advice on what practical steps to take.
As for GDPR, that’s just one part of the data protection picture, one that’s now enshrined in a much bigger set of UK rules. Read up on them as soon as possible, as they’re not going away.
With a huge spike in enquiries about the core principles of data protection, it’s clear that few organizations bothered to find out what the UK’s own data laws were, or understood the concepts behind them, until Europe brought in GDPR.
That’s something for all those Eurosceptics and critics of red tape to think about. Put another way, the people who complain most about superstates and bureaucracy may be the ones who pay least attention to their own country’s laws.