The General Data Protection Regulation - A Two-Year Retrospective
The General Data Protection Regulation (GDPR) is celebrating its second birthday this week. Here we take a look at how things stand two years in and what the future may hold for data protection law in the UK.
Making Sense of the GDPR - A Principles-Based Regulation
Anyone reading the GDPR for the first time could be forgiven for being unclear as to what is required for compliance. The recitals, which make up the first 30 pages, are a preamble to the main part and there are different views on the extent to which the recitals are legally binding. The main body of the GDPR contains a multitude of principles and requirements often expressed using open ended and, frankly, nebulous language.
However, to dismiss the GDPR in these terms would be doing it a disservice. The GDPR is a principles-based regulation. This means that compliance is not achieved not through following a series of prescriptive rules. Instead it is about applying the GDPR principles to how personal data is used in practice.
Take information security as a case in point. The GDPR requires organisations to implement "appropriate technical and organisational" measures to safeguard personal data taking into account factors such as developments in technology, cost, what's being done with the data, as well as the risks to individuals.
This gives organisations a wide latitude with regards to how they meet the security requirements. For example, some organisations allow staff to use their personal phones for work whilst others insist that corporate devices must be used. Either approach is compliant in principle, so long as appropriate steps are taken to safeguard personal data, for example, staff training and policies as well as technical controls to protect work related data held on the devices.
This flexibility is particularly important bearing in mind the GDPR applies, for the most part, to any organisation that handles or uses personal data. The GDPR principles need to be workable for both a small charity and a large multinational. The GDPR must remain fit for purpose and the principles based approach should help it to keep up with the breathless pace of change and technological development.
Making Money from Personal Data
It goes without saying that personal data has enormous value and there are challenges in monetising it in a way that is compliant with data protection law.
This is particularly the case in an online context and we anticipate that the use and exploitation of personal data online will continue to be a key GDPR battleground for many years. Stories in the news about how much money well known social media platforms allegedly make from the personal data of their users serve to illustrate how high the stakes are here.
In 2019 the ICO (the data protection regulator) announced a review of adtech and real time bidding (RTB), although this is temporarily on hold following coronavirus (COVID-19). In essence, RTB allows organisations to compete in real time to place adverts on a webpage or in an app. The bidding process typically involves using personal data of an individual (often collected through the placement of cookies) to place a targeted advert on the webpage or app that the individual has navigated to. For example, if an individual has visited websites that relate to home insurance then the successful bidder may display adverts related to home insurance products. The entire process just takes milliseconds.
RTB plainly raises significant privacy issues given that it can involve sharing a substantial amount of personal data with a large number of organisations, in circumstances where individuals may be unaware what is going on. Furthermore, RTB will often involve processing 'special category' personal data, for example, information about political views, religion, ethnicity or health.
Viewed in these terms, it is not surprising that the ICO has taken an interest. There is a tension between regulators such as the ICO which wants to ensure legal compliance and organisations looking to innovate and to leverage personal data using technology in ever more clever and sophisticated ways.
The ICO has, perhaps optimistically, stated that companies do not need to choose between innovation and privacy. The ICO appears to be at pains to emphasise that they want to find workable solutions and have said they understand the need to allow organisations to generate revenue through their websites. Such a pragmatic approach is to be applauded, although the ICO is standing firm on key data protection compliance issues in a way that some organisations may see as a barrier to innovation (for example, around getting consent).
Rights in Personal Data
An article on GDPR two years in would not be complete without consideration of the new rights that individuals now have thanks to the GDPR.
These new rights were seen to be amongst the most significant changes introduced by the GDPR. At first glance, the new rights do indeed represent a significant shift in the balance of power from data controllers to individuals by giving people much more control over their personal data. However, in our view the impact of these new rights has been limited. We've set out a couple of examples below.
- The 'right to be forgotten' allows individuals to request that the data controller delete their personel data. However, the right comes with so many caveats and exemptions that in our experience most requests do not have to be complied with and will only assist individuals in limited situations. For example, the right does not apply where processing of personal data is necessary for the performance of a task carried out in the public interest, this is likely to cover a lot of processing, particularly for public authorities.
- Similarly, the 'right to rectification' allows individuals to have inaccurate data corrected. However, for the most part, the right only applies to factual inaccuracies and, for example, cannot usually be used as a backdoor to getting a professional opinion changed or struck off the record.
Whilst the new GDPR rights may have enjoyed a quiet start, the right that an individual has to access their personal data (a subject access request or SAR) continues to enjoy far more prominence. SARs existed under the old 1998 Data Protection Act but the right has been enhanced by the GDPR. SARs are often made in relation to a wider dispute or claim, and are powerful tools that can be used to force disclosure, particularly in relation to disputes and complaints. SARs can also take up a significant amount of time and resources so organisations should ensure that they have processes in place to manage them efficiently and that they are aware of the exemptions from disclosure available.
Brexit and Beyond
The GDPR is a European regulation and EU and UK data protection laws will remain aligned during the transition period. At the end of the transition, the GDPR will become part of domestic UK law.
Ostensibly, both the UK Government and the EU are committed to continuing close alignment on data protection. The UK is seeking an 'adequacy decision' from the European Commission. This would be a decision by the Commission that UK data protection law meets EU requirements and an adequacy decision will help ensure continued free flow of personal data between the UK and the EU. Whether such a decision will be forthcoming before the end of the year remains to be seen. In light of COVID-19 and the wider discussions around the UK's relationship with Europe, granting the UK an adequacy decision may not be at the top of the EU's priority list.
Unless the UK receives an adequacy finding, there will be more barriers when transferring personal data from the EU to the UK. For example, in many cases businesses will need to ensure that their contracts with European partners incorporate the European Commission's model wording for international data transfers.
However some steps will be required whether or not there is an adequacy finding, for example, some businesses will need to appoint a representative in Europe if they offer goods or services to individuals in the EEA or are monitoring the behaviour of individuals in the EEA.
As such, UK organisations that do business in Europe will need to comply with both the EU GDPR as well as UK data protection laws. This may become more onerous over time if EU and UK data protection laws diverge.
In a written statement to the UK Parliament in February regarding the government's approach to negotiations with the EU, Boris Johnson stated that the UK "will in future develop separate and independent policies" including in respect of data protection. It is not clear whether this is a long term aspiration or whether the UK will immediately forge its own path.
It remains to be seen whether UK data protection law will stay aligned with Europe or whether it will go its own way, with a more independent (and possibly light touch) approach to data protection regulation. The data protection landscape may look very different in two years' time.