A note before we start. As always, be aware some of the links will take you to third party sites where cookies and some questionable cookie management may be present. I try to avoid sites with them on, but they are everywhere and I need to reference the statements and sources I include.
While we are all in lockdown the Data Protection world does indeed keep on turning. After a bout of relative silence, my workload as a freelance DPO has indeed started to pick back up again. However, in the land of the Information Commissioner’s Office (ICO), it would seem that the world has indeed stopped turning.
Now first off I want to acknowledge that I’m going to talk about the effect of negative press around Data Protection in the UK at the moment while at the same time pointing you to it. The ‘negative’ press is rightly there as there are some key concerning things afoot currently and it highlights that, fundamentally, Data Protection in the UK is indeed in trouble. That doesn’t mean it is doomed, to be clear, dear reader; we aren’t there yet. Emphasis on the word ‘yet’.
A recent article from Nicole Kobie outlines the position of the ICO on enforcement and operational matters, citing Covid19 as the cause.
To summarise the article, it outlines how the ICO is ‘presuming’ that organisations are ‘too busy’ or are ‘inactive’ due to Covid19 circumstances and is therefore either pausing or not even starting investigations into complaints. It is writing to many complainants to advise them of a delay (or not, in some cases, as people have started to highlight), or writing to them to state that it cannot contact the controller in question at all, according to some of the correspondence Wired has seen and quoted in the article.
As someone that has worked as a complaint investigator, a question perplexes me on that stance. How can you decide not to write to an organisation about concerns raised about its handling of data during this time, without first contacting said organisation to determine whether it is indeed ‘open for business’ and whether the complaint has any merit? That’s one big presumption on the ICO’s part and one that sends a very clear message out to the world (intentional or otherwise) that not even the ICO thinks Data Protection is important enough to be looked at, when a number of organisations are operating a ‘new normal’ with relative ease.
I appreciate some aren’t, but how can the ICO know that without contacting them in the first instance? This wide-ranging ‘presumption’ is a little too in favour of ‘the regulated’ and has, quite rightly, angered a number of organisations, groups, citizens and professionals – myself included.
The ICO has since clarified, as outlined in a tweet from Matt Burgess, stating that from their point of view, less than 10% of cases have been affected. Taking into account that the complaints are always louder than the compliments, this still doesn’t seem to sit right with what people are reporting and their other statements.
Before lockdown started, across various events I attended, there was a growing sense from various people across various sectors that Data Protection was slowly but surely working its way down the priority list with organisations’ Executives. Discussions were often centred around how to maintain momentum and focus in such challenging times.
One area that was referenced as a help, rightly or wrongly, was enforcement from the regulator. While the carrot is better (and it can be if done properly), the stick always has its place (if also done properly). Even Elizabeth Denham herself said as much many times in her early days. However, since GDPR came into force, enforcement action has been woefully behind according to many sources and in comparison with action across the EU.
So after the ICO announced a scaling back of operations during COVID19 it is widely expected that the BA & Marriott enforcement action is also at risk of being delayed (yet again). Now Covid19 wouldn’t be a consideration for either enforcement action if this had been dealt with correctly last year. So, while it may well be a factor right now (and it is a fair comment in the current climate), it has only become a factor because of the previous delays.
Now even if you take a different view of how the enforcement has been handled, throw into your calculations another factor thrown into the mix by Central Government. In the Telegraph on the 9 May it was publicised that the Department of Culture Media & Sport (DCMS) would be reviewing the ICO after doubts were raised over the ICO’s ability to enforce against large tech firms. While this could be an opportunity to ‘enhance’ the ICO and get it the resources it needs, to have a review (planned or otherwise) in the middle of everything else going on, with no public comment from DCMS on the matter so far other than to confirm the review, sends another clear message on the ICO’s competence (intentionally or otherwise).
To add to the already fairly negative set of circumstances, the Government and the EU recently released details of the Brexit negotiations and where we are at the moment. One of the areas where no consensus has been reached is Data Protection and the fundamental rights and freedoms of Citizens. Below is an extract from Michel Barnier’s speech on the negotiations:
Here the British position is for the UK to back out of the commitments made in the political declaration (Boris’ ‘golden hour’ deal) in order to not commit to protecting the fundamental rights and freedoms of citizens and to lower standards of Data Protection. It is even, according to the EU, asking the EU to ignore its own laws on Data Protection and things like Passenger Data in order to enable data exchanges with the UK.
Now, dear reader, with your reasonable hat on, ask yourself this. On what planet would a democratically accountable ‘free’ union of 27 countries knowingly breach its own fundamental laws just to please 1 outside nation? (A nation, may I add, that seems to be making little in the way of compromise itself in favour of political posturing and soundbites and continues to allow unfounded and inaccurate abuse to be hurled at the EU by its media and citizens).
So, unless there is a dramatic change in position from either the EU or UK, the likelihood of the UK being seen as ‘adequate’ by the EU for the purposes of Data Protection is looking pretty slim. I’ll summarise the factors against for you:
- Allegations of ineffectiveness against the regulator, regardless of the personal standing and track record of the previous or current commissioner (see above)
- No legally binding commitment on Data Protection standards as part of a trade treaty (see above)
- Threats from leading ministers (Michael Gove as one) to shed ‘red tape’ like Data Protection
- The Snoopers Charter which the EU has questioned the legality of but can’t do anything about while the UK is a member of the EU and national security is ‘off limits’ from the EU
- The 5 eyes international sharing with countries like the US (which the EU has always opposed)
- A Government also committed to reforming and watering down the Judiciary in soundbites and as part of their election manifesto (see also various articles from the Secret Barrister on this).
Ask yourself, would you strike a deal with such a quagmire? This is a lose/lose situation for the EU if the UK doesn’t change its approach. Strike a deal and be accused of compromising one of the core areas of law for the EU and face all sorts of legal cases in the future. Don’t strike a deal, stay true to your key laws, and suffer the criticism of losing a key partner.
Now while all this is lovely from a geeky information professional and/or political point of view, what does this mean to your everyday DPO or even your everyday organisation/Executive?
In short, if they are not totally sold on the benefits of Data Protection right now, this whole fiasco is sending a very clear message that Data Protection isn’t as important as GDPR led you to believe. And on your long list of things to worry about as an organisation’s senior management this is now lower than many of those other things that will land you in far more hot water.
You can be ‘a puritan’ about it, there’s nothing wrong or right about that position, and say those organisations deserve what they get. However, life doesn’t work like that and the fact remains that Data Protection is one pressure in a whole range of pressures organisations face. Some align with Data Protection, some don’t. So, unless an Executive is sold completely on this 1 area, to the detriment of the other areas that may cause them issues, basic human behaviour says any logical human being is going to prioritise those areas. That is the path of least resistance, something which all human beings prefer at an unconscious level (more on that another time).
I’m not talking about the obvious players like Facebook etc. I’m talking about all the other organisations out there. The everyday ones outside of the ‘big boys’ or ‘headline grabbers’. They are a whole separate conversation we could very easily have (and probably should have). I’m talking about everyone else. All those millions of bits of data across the organisations that don’t get the attention of the pundits and press but nonetheless process a lot of Personal Data and can, when it goes wrong, have serious impacts on their Data Subjects’ lives.
So, what can we do, as Information Professionals, to change minds, keep this on the agenda and carry on with our work to protect and utilise information? There are loads of things out there and each organisation will respond to different ones. However, the top 3 things that I’ve found that seem to grab attention and are a potential ‘hook’ for keeping it in staff minds are as follows.
Customer trust. Fact is, regardless of political nonsense and the law, if customers cannot access their data or make corrections, or have their data compromised, they will be coming for you. From Social Care to Banking, poor trust in how you look after their data does have knock-on effects for how that ‘customer’ interacts with you or whether they even continue to use your services. There are a number of reports and studies out there that consistently rank trust to handle data as a growing, if not already an important, concern when using services. On the flip side, you can also find studies that say the opposite, so find out what ‘sources’ your Executive respects and use their studies if you can, as this helps you gain traction.
Data quality. Everyone bangs on about quality data to make better decisions, but very few actually know what that means or indeed what commitments they have to make in order to get ‘good data quality’. It isn’t something you create overnight. As any good plumber will tell you, ‘you gotta take good care of ya pipes’. Same thing with your data plumbing, and Data Protection requires you to do that: to look at the personal data you are using and take steps to ensure you keep it accurate, factual and professional. Something which causes organisations all sorts of headaches when staff don’t. Or, when shortcuts are taken in the design and build of systems. Paying the wrong person’s rent, taking money from the wrong account, sending details to the wrong recipient are all things that, alongside Data Protection, can also be costly for you in other areas as well.
Better business processes. Every single time I’ve ever done a review of an organisation’s personal data handling processes (formally or informally), we have found areas of process improvement and just better ways of working for all concerned. It’s rare that you’ll get an excuse to do such a ‘drains up’ exercise to determine if you really are working as efficiently as you can and making the most of the data and information you should (and can) legitimately be using. From getting data sharing arrangements set up to accommodate emergency foster placements at 3am on a Saturday morning through to more efficient event management and customer journeys. Personal Data mapping, while a lot of work which isn’t the most exciting thing on the planet, is worth its weight in gold once completed effectively.
In short, be aware. With all this ‘negative’ noise around Data Protection at the moment I can see the challenge of keeping it high up on the agenda with organisations being more difficult for a while. Who knows where Data Protection will go post Brexit? In ‘normal’ times you could predict with relative certainty what a Government would do but in recent years, as we have found, things are getting more and more difficult to accurately predict. That doesn’t mean, however, that we should stop our promotion and advocacy of excellent information handling!