London law firms are discussing how to build a market for litigation as a result of the data protection laws introduced by the European Union (EU) General Data Protection Regulation (GDPR).
“Several law firms and barrister chambers are having their monthly meetings to plan the litigation attack,” according to Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC).
The best, fiercest lawyers in London, he said, are gearing up to challenge the privacy practices of the most powerful organisations that process any personal data of EU citizens.
PwC is looking to understand what is being planned to ensure the correct defensive strategy for clients, he told a seminar for privacy officers in London.
Based on past experience with things such as the Freedom of Information Act (FOIA), which came into force in the UK in January 2005, Room predicts that there will be a storm of requests to data controllers as soon as the GDPR becomes into force on 25 May 2018.
Just as the FOIA unleashed a million information requests in the UK on 1 January 2005, he expects that the GDPR will unleash a deluge of access, portability and right to be forgotten requests by privacy advocates, consumers and members of the media.
That in turn will result in a lot of complaints to the regulator about data controllers’ failure to respond satisfactorily.
“In preparing for the GDPR, organisations should take a lesson from the FOIA and think about what the burning platform is likely to be, and act now to ensure that measures are in place so it doesn’t ignite in the first place,” he told Computer Weekly.
Although Room has long held this view, he said there is now evidence that this GDPR-related wave of litigation is on its way, and it is a reality that boards and leaders of government departments should be aware of and preparing for now.
GDPR compiant profiling
The first targets for GDPR-related litigation, said Room, are likely to include big targets with huge financial resources that will be concerned about the potential damage to core business.
Profiling is likely to be one of the areas that litigation will target, said Room, with 98% of organisations analysed by PwC having “no idea” what they are going to do to ensure they are GDPR compliant.
“Profiling is a complex topic and one of the toughest areas of the GDPR,” said James Drury-Smith, partner at PwC Legal.
“But it is important not to try to boil the ocean over profiling, and instead focus on understanding the requirements outlined in the GDPR for any automated processing of personal data,” he said.
By understanding exactly what brings profiling activities into the scope of the GDPR, he said organisations can often limit or eliminate liability.
At a basic level, Drury-Smith said if profiling does not result in an automated decision, or if there is some human intervention or it does not produce a legal effect, it is not covered by the GDPR.
Read more about the GDPR
- With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant
- The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.
- Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
- The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play in the rules, says UK information commissioner.
By ensuring that any profiling activities fail to meet one or more of those requirements, organisations can reduce or avoid liability under the GDPR and avoid the tricky issue of data subject consent.
This is also a much simpler approach than proving that free, informed, specific and unambiguous consent was obtained and proving the ability to respond if consent is withdrawn at any time.
It is also an easier option than proving that profiling activities are required for the performance of a contract or that they are authorised by the law of the EU member state in question.
Drury-Smith said each profiling activity needs to be assessed by conducting what amounts to a mini privacy impact assessment (PIA) to see which processes fall under the GDPR and which do not.
Organisations then need to decide which of those processes that fall in the scope of the GDPR and cannot be modified to take them out of scope are essential to the core business.
By eliminating as many profiling processes as possible, an organisation should have relatively few profiling processes that need to be worked through carefully to understand the risk.
“Once you have built your risk profile, you need to ensure the profiling is adequately described in privacy notices,” said Drury-Smith.
“You need to assess if you need to amend contracts or build consent mechanisms, and you need to have technologies and processes in place for dealing with objections to profiling and responding to data subject access requests,” he added.