A few months on from the enforcement of the General Data Protection Regulation (GDPR), Laura Irvine, partner at BTO solicitors, looks at the changes introduced and what they mean for individuals and organisations.
The profile of data protection law (and some data protection lawyers) was raised significantly earlier this year when the GDPR began to be enforced on 25 May 2018. For some this meant being inundated with ‘re-consent’ emails, but that was not what the GDPR was meant to be about. Almost six months on from GDPR-day, and not forgetting the new Data Protection Act 2018 (DPA) which came into force at the same time, data protection lawyers are still working through the changes with organisations and trying to predict what impact they will have on our clients and our own firms.
Facebook: Fairness and transparency
I cannot talk about data protection just now without talking about Facebook. The issue of Facebook and Cambridge Analytica (in which UK and US lawyers alleged misuse of more than 71m people’s personal data) came to light before GDPR-day, but the issues raised were reflected in the changes that the GDPR was seeking to make in Europe. The Information Commissioner said this in her introduction to the ICO’s report into the use of personal data in political campaigning:
"My aim as Information Commissioner is to improve public trust and confidence in how personal information is used, by ensuring that organisations work to the highest possible information rights standards. Although accountability and transparency are not new concepts in data protection law, the General Data Protection Regulation (GDPR) that took effect on 25 May 2018 puts them centre stage by providing individuals with a greater degree of control over how their data is being used and for what purpose."
Fair processing, or a lack of it, had already attracted the attention of the ICO, which fined a number of high-profile charities in 2016 for using our personal data in ways that we would not expect. Facebook and those who bought data from Facebook have also been accused of this.
Did we expect our Facebook data to be used to send us targeted advertising based on our perceived preferences? There are still concerns about that, but we are aware of it.
Did we expect our Facebook data and our perceived preferences to be used to influence politics and election results? I would suggest that we did not and that this is a more disturbing use of social media data and not one that we expect or are at all comfortable with.
The GDPR seeks to address this issue by obliging organisations to tell us what they are up to with their data.
The transparency principle
For me, this was the most significant change created by the GDPR. No doubt the ICO will continue to impose fines for security breaches, but the cultural change that the GDPR should bring about is in relation to transparency through individuals exercising their personal data rights and challenging what organisations are doing or what organisations say they are doing.
Data Subject Rights
Although most of the rights provided by the GDPR existed before, it was inevitable that the heightened awareness provided by the introduction of the new laws would lead to more people exercising their rights. And, anecdotally, I can say that it has.
From those who receive marketing emails to those who are simply annoyed at an organisation, individuals are using the right to access their data, the right to object and the right to erasure. The rights exist to hold organisations to account for their processing. And that is a good thing.
For organisations, however, dealing with requests is annoying, expensive and time-consuming. But it encourages thought about data processing: in particular, it asks if we can improve our data governance practices and ensure we take a fair approach.
Lawyers process a lot of personal data. There are some very useful exemptions for lawyers under the DPA, but we are not off the hook entirely. We must think about fair and transparent processing and how to achieve this. Think about privacy notices and how to deliver this information to your clients. Clients are becoming more aware of how their personal data should be processed, and will seek reassurance from professional advisers, such as solicitors, who often have access to substantial and very sensitive information about their lives.
Laura Irvine tweets at @poshcrimescot. She will chair a session on 'GDPR and data breaches: The impact so far on our legal and business environment' at Leading Legal Excellence, our 2018 annual conference.