To paraphrase the old campaign slogan, the GDPR is not just for Christmas (or more precisely May 2018) but for life.
That was the key lesson in an exceptionally useful breakfast session on the GDPR organised by the South West Group on 28th November. Three expert Bristol-based speakers examined the key principles of GDPR, how they can be implemented in a corporate environment and where the principles encapsulated in the GDPR may lead us in the future.
Christopher Coughlan, Senior Associate at Ashfords LLP, kicked off the session and was at pains to emphasise that, while he thinks the regulation is already being outstripped by technology, the GDPR is not about compliance and ridiculously overblown obsessions with consent, but about a culture of accountability. He has to remind colleagues in his corporate team of this when they undertake due diligence and ask him whether a business is compliant. He tells them there is no tick box for compliance as the GDPR is about accountability at all times, citing Elizabeth Denham, ICO chief, who has described accountability as the ‘cornerstone’ of the regulation.
This culture needs to extend throughout an organisation so that everyone, and particularly senior management, knows what data is being collected, where it is being stored and why it is being retained.
Heidi Thompson built on that discussion of accountability by describing how the GDPR is being implemented in her multi-national corporation. Heidi is Corporate and Commercial Counsel at Imperial Brands, which trades in 160 territories worldwide and has recently become more involved with B2C issues as its e-vapour business expands.
Again her message was that GDPR is about so much more than mere compliance. She admitted that in hindsight they should have picked a different starting point. She and her project manager decided the first step was to map their data, but now she thinks they should have started with the privacy by design stage, looking at all the areas where data might present a risk going forward and implementing policies to deal with those risks. That way there would have been more time to change the culture and get staff to buy into the additional controls now being brought into, for example, their procurement policies, under which data and privacy audits of new suppliers are now required before any business is transacted. She also gave us the tip that there is nothing that concentrates the minds of senior managers more than asking them to budget for data protection.
Which brings us to evergreening.
Andrew Charlesworth, from the University of Bristol, concluded the event with a fascinating overview of data protection worldwide. Much of what he said arose from a project he was commissioned to complete for the Privacy Flag Project. They wanted to see what overarching principles or themes could be deduced from data protection regimes globally in what Andrew described as the Third Wave of Data Protection (the First Wave being the DPA 1984 and the Second Wave being the 1995 Directive).
As a result of his research, he has identified 18 principles that he thinks underpin the Third Wave (see below), all of which contribute to what he called the ‘evergreening’ of data protection: that is, moving from a tick-box regime to a continuous, transparent and accountable one.
Helpfully he highlighted some of the newer, trickier principles. Data Portability was one, posing the question of “who here is ready to hand over all their data on a client to another law firm?”. The Restriction Principle (the right to restriction of processing) could also prove interesting as, in theory, it could be used by a data subject to prevent an organisation from deleting data, since restricted data must be retained rather than erased.
Andrew finished off with a whistle-stop summary of the general approaches to data protection in the key economic regions of the world which can be summarised as:
- Europe: GDPR is the Third Wave
- US: ground up pressure from consumers is leading development of data protection
- Canada: the leader in data protection innovation and has had accountability for years (there is a reason why our current ICO Chief is Canadian)
- Asia Pacific: basic wish is to be more or less ‘adequate’ in GDPR terms
- Latin America: heading towards European approach as current constitutional right expensive to enforce for claimants
- Africa: where it’s happening the French influence using GDPR principles is evident
- China / India: data protection is driven by the need for trust in e-commerce, for example see China’s move to create trust rankings for individuals
- Russia: in principle the Council of Europe Guidelines but in practice?
Finally, moving away from GDPR, this excellent event was above all a reminder of the crucial role that the regional groups can play in connecting and educating our members and of the widespread expertise we have to call on. Long may they thrive.