New and emerging data protection legislation is making data protection increasingly complex, according to the International Privacy Professionals Association (IAPP).
Even the EU’s General Data Protection Regulation (GDPR) – which was aimed at simplifying data protection law – is adding to that complexity, J. Trevor Hughes, CEO and president of the IAPP, told Computer Weekly.
There is “significant variability” in the GDPR across the EU, he said, due to the fact that member states are allowed to pass derogations to the GDPR. As a result, the GDPR is “not a common standard” across the EU, he added.
“This variability due to derogations, such as those that the UK has, creates more complexity,” said Hughes. “When you add Brexit into the mix, the amount of complexity is overwhelming.”
The number of possible outcomes, he said, is too great for most organisations to manage risk effectively. “What we are seeing now is a good-faith effort to comply with what is understood to be applicable law at the moment, and a good-faith effort to assess risk management into the future,” he added.
However, Hughes said there is little evidence of massive investment into an expected future state six months from now because it is so difficult to predict.
The “good news” for privacy professionals, he said, is that data protection is a fairly long way down on a long list of priorities for most organisations struggling with Brexit.
“Depending on the industry, there are far more critical issues, such as avoiding supply chain disruption, before they think about data protection,” he said. “The ‘bad news’ is that, like many other issues associated with Brexit, data protection is incredibly complex and challenging.”
In response, the IAPP has been identifying the issues relating to data protection, mapping them against the current potential outcomes for Brexit negotiations and providing guidelines for members on how to navigate those outcomes.
Topping the IAPP list of issues is the challenge of data transfers. “The EU has made it clear that without a negotiated provision within a Brexit agreement, the UK would not automatically receive adequacy for purposes of data transfers from the EU,” said Hughes.
“So if you are transferring data from Europe to the UK, that transfer would not be permitted unless there is a mechanism in place to allow for that transfer. This means the UK would be in the same position as countries like the US and China, but most organisations do not have that mechanism in place right now because they have not needed it before as a member of the EU, so this is a massive challenge.”
The second big issue identified by the IAPP is the need for a supervisory authority. “All of those organisations that are based in the UK and have nominated the Information Commissioner’s Office as their supervisory authority under GDPR, they need to find a new supervisory authority,” said Hughes.
“Some organisations may not have operations in Europe, and so they will have some decisions to make about how to do that and where they establish that relationship. Organisations that have an office in the EU could switch to that supervisory authority, but that is a process that will take time.”
In light of this issue, some organisations are pre-emptively relocating to EU countries and have sought out supervisory authority relationships there, said Hughes.
“One of the sad realities for the UK is that even in the event of a second referendum and a decision to stay within the EU, those companies are not likely to bring back those supervisory authority relationships. And that means jobs, tax revenue and engagement with regulators have likely moved out of the UK permanently for those companies.”
Innovation needed to build trust
Commenting on the view by the ICO’s Simon McDougall that there is a growing trust deficit between society and providers of digital technology and services, Hughes said there is an increasing recognition around the world that current tools for managing privacy and trust are inadequate.
“Many of these tools were developed more than 50 years ago and they fall into the category of ‘fair information practices’ that are anchored in notice and choice – the idea that you inform people and give them control over their data and they make choices about how their data is allowed to be used,” he said.
“In an analogue economy where my data relationships are simpler and fewer than they are currently, that may have been attainable and manageable, but when I visit a major website today, I may encounter dozens of different entities that are engaged in a manipulation of my data for the purposes of delivering that website.”
While many of those entities are serving the purposes and preferences of the user, Hughes said some may be entirely opaque to the user. “They may be data brokers, ad exchanges and others who are transacting in the delivery of ads to those sites, and I have no understanding of those processes or the ability to make choices, so we need better tools,” said Hughes.
“We need innovation in how we respond to this crisis of trust. I firmly believe that there is not going to be any silver bullet. The work is in the engine room of organisations. It is operational and tactical; it is difficult; it is focused on understanding how data exists, flows and is managed within an organisation and increasing the level of scrutiny, attention and accountability that exists over that data.
“It’s about being good stewards of data as it goes through an organisation, and ensuring that when we use data, not only are we accountable for any harm that may occur as a result, but we are accountable to engendering trust and making sure that we are using data on behalf of the data subject.”
Hughes said consumers of online services do not want to make decisions about the use of their data day by day. “They want to trust that the system is working on their behalf and that there are solid regulatory forces in place that will hold the actors in the marketplace accountable,” he added.
Asked who will drive this change, Hughes said that because the risks associated with privacy are increasing, “irrespective of what any law says, business executives are looking at those risks and saying they can’t tolerate them – that they need to mitigate and manage them”.
In the past 20 years, Hughes said there has been a steady rise of risk management tools and architectures. “A marketplace force has increasingly moved us towards privacy programme management to address risk associated with privacy,” he said.
“At the same time, we have started to see some policy emerge that also moves in that direction, notably under GDPR, of requiring the implementation of privacy by design and requiring organisations to demonstrate accountability in their data protection practices.”
There is a growing realisation, said Hughes, that good data protection does not just happen. “It requires people, processes and technology to help make it happen. There is an evolution of maturity towards a broader, more comprehensive response driven by a marketplace response and public policy,” he added.
Growth in the privacy profession
Asked about the impact of the GDPR and GDPR-like legislation worldwide on the privacy profession, Hughes said the community continues to show strong growth.
IAPP membership has doubled in 23 months and is up more than 20% in the past year to 48,600 members worldwide, with a current growth rate of around 1,000 members a month.
That pace has been steady for just over a year, and while the IAPP expects a gradual slowing of the current growth curve, Hughes said there has been no sign of that slowdown yet.
“Organisations are realising that it is one thing to build your compliance programme, but then you actually have to run it,” he said.
At the same time, Hughes said there is a “massive number” of organisations that have not yet fully implemented their GDPR compliance programmes and many organisations that are only just starting their journey towards GDPR compliance.
The organisations that have been doing the work for some time, he said, are now moving into an operational and process management phase. “They are recognising that all of the build-up in staff and resources that they had for the build phase needs to be continued, and investments need to be expanded because the work is challenging,” he added.
There is also potentially more work ahead, said Hughes, once the GDPR enforcement era really begins. “Despite the €50m fine for Google by the French regulator and a few minor enforcement actions, we have not yet seen the full force and effect of the GDPR enforcement tools and there are still many unanswered questions about how enforcement actions will work and what their focus will be,” he said.