The long awaited reform of the European data protection laws will be implemented in 2018. Dan Raywood talked to Tim Turner and Jon Baines from the National Association of Data Protection Officers (NADPO) about how changes are affecting those doing the job.
The GDPR will be put upon data protection officers (DPO) from 2018, how ready are they for it?
JB - "Data Protection Officer" is not (currently at least) a defined role. Consequently, the term covers a hugely varied set of people and jobs across a hugely varied range of industries and services. What the GDPR will bring is some level of standardization for the role, at least for those data controllers who will be required as a matter of law to appoint a DPO (broadly, that will mean all public sector bodies, all entities employing more than 250 people and those entities whose core activities involve the monitoring of data subjects).
TT - It depends how good their knowledge of the current legislation is, and how well their organization is complying at the moment. For an organization that is transparent with people, has relatively good security and culture of investigating incidents, and which is conscious of risk, there is still plenty of work to do but it may not be a significant culture change. An organization that takes data protection seriously could see it as more of the same – a lot more, actually, but based on very similar principles to what we have now.
JB - That "standardization" will take the form of requirements that DPOs must, inter alia: have expert knowledge and "professional qualities"; be provided with necessary resources to perform their role; be appointed for at least two years and not dismissed unless they fail to fulfil the conditions required for the performance of their duties; report to the organization's management; must undertake specified tasks, in accordance with Article 37. None of this is in the current European Data Protection Directive (nor the domestic Data Protection Act 1998), and as the GDPR takes the form of a binding legislative instrument which must be applied uniformly throughout the EU, these DPO functions and designations will come into force.
TT - The problem is, as I’ve described above, the minority of organizations. Many have interminable privacy policies written to suit the lawyers and hoodwink the individual. Security is complacent or weak. The basics like consent are deeply flawed – many organizations don’t obtain meaningful, freely given consent and probably don’t want to because that involves people saying no.
One of the challenges that has not had enough attention is the consistency mechanism. The Information Commissioner issues a relatively small amount of fines on a narrow strand of data protection breaches – there are very few on accuracy, none on subject access to data, one on the basic justifications for using data. This is despite breaches all over the place in these areas. I think the ICO, and the rest of us, are going to find it difficult to be consistent with a European culture of enforcement where Facebook get fined hundreds of thousands of Euros over the use of a cookie.
With ICO fines, Snowden leaks and now the Panama Papers, are data protection officers now under more pressure to comply with regulation that they do not understand?
JB - I certainly think there's a lot of pressure, but when it comes to understanding the legal and regulatory regimes, I come back to my point above that there's a huge range of people in the UK undertaking the role of DPO. In my opinion some DPOs understand the law better than some people at the ICO! That said, in an era when data processing often involves global transfers and transit of data, it can be extremely difficult to understand simply what is happening with data for which one is responsible, let alone the relevant legal and regulatory regimes applying.
TT - I haven’t met many data protection officers who have read the regulation yet. I think if they dig into it, they’ll find principles and concepts that they’re more than familiar with. The problem is, the IT press and privacy lawyers are hyping the regulation up as being incredibly complicated and difficult, which discourages people from actually picking the text up and reading it. Having said that, I’ve met quite a few data protection officers over the years who have never read the Data Protection Act.
If you’re looking at the underlying principles of data protection, they’re exactly the same and the idea that they’re difficult to understand is nonsense. The difficulty comes in the practical work – giving more information to individuals in a format they understand (even if they’re not interested), carrying out proactive risk assessments, reporting breaches to the Commissioner. It’s not hard to understand what the work is; the problem is how much more work there is.
Does the average data protection officer know what “sensitive data” is regarding their business?
JB - To the extent that there is such a thing as an "average" DPO (see above), I would say that they, more than anyone else, should and will know what sensitive (personal) data their business is processing. It's really data protection 101 that a DPO should be up to speed on this, and relevant standards like ISO 27001 and BSI 10012:2009 effectively mandate it.
In practice, in organizations where good data protection practice is not embedded, a DPO will often be left uninformed or unsighted about activities, and this is clearly a big area of professional and corporate risk.
TT - Yes. I think the issue is that the average board and senior managers don’t really think about the risks associated with sensitive data. They only want to take action to protect sensitive data after something goes wrong.
I spotted a competition to “explain the difference between unambiguous and explicit consent” offering a £200 prize! Is the wording the problem, or is there a total lack of definition?
TT - That’s my competition and I have to admit an element of trolling some of my data protection colleagues. The regulation is drafted to draw a distinction between normal and sensitive data, with sensitive data requiring ‘explicit’ consent. The current Data Protection Act does the same thing – it says ‘consent’ and ‘explicit consent’. I think there is a shared delusion that somehow if it doesn’t say ‘explicit’, you can get some kind of half-baked, accidental consent and rely on it for years. That isn’t true now, even if some well-known privacy lawyers claim that the current arrangements are ‘decaffeinated consent’, but it’s definitely not true of the Regulation.
While some of those who enter the competition may be able to demonstrate a practical difference between unambiguous consent and explicit consent, the point I am trying to make is about unambiguous consent – it’s a very high threshold anyway. The Regulation makes clear that opt-outs don’t count, inferring consent from silence doesn’t count. The person has to have a free choice, they have to understand what they’re agreeing to, they have to be able to change their mind and be told that they can change their mind. Many organizations just don’t meet this standard now, and they have to face up the challenge that people have a choice, and they have to be allowed to exercise it.
Speaking purely personally, I think the difference between the two is very narrow (the word 'explicit’ is part of the dictionary definition of ‘unambiguous’. Beyond making mischief, my real message is that organizations handling data need to face up to the fact that they don’t get consent at the moment. They have some impenetrable terms and conditions, consent boxes that are mandatory fields, and tricky opt-outs. Unless you have a legal obligation or a contract with the person, in most cases using a person’s data is a privilege you have to earn, not an entitlement you can exploit.
Just to emphasize though, it is a real competition and if anyone can draw meaningful distinctions between the two, that would be in everyone’s interests, and you can win £200.
JB - Tim asked me to be one of the judges for his competition, and I agreed because, as well as it being a bit of fun, I think it raises a really important point: the notion of consent, and consequently the mechanisms data controllers will use to get consent, is going to be hugely significant under the GDPR. I think too many people think they know what "consent" means (and what "explicit" and "unambiguous" consent mean) but don't appreciate that their interpretation might differ from, say, a data subject's. I don't think this ambiguity is properly addressed in the current text of the Regulation, so anything that can prompt debate on the issue is to be welcomed.
What does Government need to do to improve the life for the data protection officer?
TT - Fund the Information Commissioner properly, and promote a UK quality standard for the role. If the ICO has the resources to take on serious breaches beyond security issues, organizations might take data protection more seriously, and might look to the data protection officer as someone of value. At the moment, I think some organizations will tweak the job description of some low paid data protection or information governance person, and haul them in front of the board every year so that they can say everything’s fine. It won’t be.