GDPR is for life not just the 25th of May

April 17, 2018

I can barely believe this as
I write the next bit of this sentence but the GDPR finally comes into force
next month.

The deep-seated changes the
Regulation brings in, and the attempt to foster an entirely new culture
surrounding data protection and privacy, have been deservedly newsworthy in
their own right for the last few years.

And that was without the
extraordinary insights into just what is happening to our data that the ongoing
Facebook / Cambridge Analytics saga has revealed. This was not a hack, this was
a hosepipe showering personal data seemingly to anyone who wanted it, with
users unaware or unruffled by the consequences.

So the GDPR has become one
of the few pieces of EU legislation that everyone has heard about and a frenzy
of activity is underway across the country as organisations of all shapes and
size prepare for the big day. Yet this frenzy, while understandable, is perhaps
slightly misleading. One of the core philosophies underpinning the GDPR is
accountability. At all times, data controllers and data processors must
actively protect the data of the people who interact with them, whether they
are customers, employees, patients, volunteers or connected in some other
capacity. It is an active process, not a passive one, so talk of being ‘GDPR
compliant’ by the 25th May risks offering a sense of false security.

This need for continuous
compliance was a key factor in our decision to promote, with the help of the
ICO, a
Data Protection Hackathon the month after
the GDPR comes into force. It underlines to our members,
supporters and the public that data protection is ongoing and that getting
everyone to embrace the new culture will take time. In parallel, the House of
Lords Select Committee on AI launched its report and five-point code on 16
April, and its Chair, Lord Clement-Jones said that an individual’s access and
control over their data was one of the four themes underpinning the report. He
said that fair and reasonable access needed to be balanced with privacy;
requiring compliance with existing law and potentially new regulation to deal
with data portability, data trusts and to avoid machine-learned prejudice. So
‘data’ is at the heart of much of what we focus upon as SCL members.

Specifically the Hackathon
focuses on data protection for SMEs, a huge sector of UK business, many of whom
are currently wrestling with the challenges presented by the new regulations.
The target is to produce ideas and solutions that will help them manage the
ongoing obligations of the GDPR and the best will be awarded prizes by the
Information Commissioner, Elizabeth Denham. The rules, rationale and entry
details are explained further here.

Businesses and organisations
of all sizes are looking for just this sort of guidance so I think it is incumbent
on us to help where we can. The Hackathon is only one element of something we
would like to be our ongoing mission to explain, whether that’s training our
members so we can advise our clients to the best of our ability or working with
organisations such as the ICO themselves and others active in this sphere such
as Privacy International.

An SCL event with Privacy
International
at The Law Society on 24th April is one such
initiative and tackles connected devices, asking questions about whether and
when the evidence they gather could be used in criminal litigation. Although
not strictly about the GDPR, the subject is a classic example of how the data
revolution that has given birth to the new regime impacts on everyone involved
in legal proceedings as you never know when Alexa is listening (other ‘smart’
devices are available). ‘Alexa what Practice Direction allows me to use you as
evidence in court?’ may be a bit of a circular question so could defeat this
particular female avatar but it is one that needs answering, GDPR or not.