Last year I moderated the panel which launched the ACEDS UK Chapter. Our subject was predictive coding, and the combination of the subject-matter and the organising skill of the ACEDS UK committee got us a large audience by London standards. Last night, ACEDS did it again, this time with the pending General Data Protection Regulation. Mayer Brown let us use their extremely fine auditorium. Yerra Solutions sponsored the event and, once again, James MacGregor of FRONTEO kindly asked me to moderate.
As with predictive coding, it would be fair to say that this subject has had a lot of attention, and on both sides of the Atlantic. The difference is that the GDPR has a pending deadline, and our theme was that if you wait until the deadline expires, you have almost certainly left it too late. When confronted by a problem requiring an understanding of predictive coding, you can engage experts at short notice to help you. The finest GDPR experts in the world will not get you to achieve GDPR readiness overnight. Besides, they are all likely to be rather busy when that day comes in May 2018.
The panel consisted of Sue Knox of Mayer Brown, Will Wilkinson of Yerra Solutions and Dan Cooper of Covington (seen in that order in the picture below with me at the end).
Sue Knox drafted an excellent hypothetical case which touched on many of the points which companies should be considering. We decided to set the discussion in June 2018 to add a note of urgency, and many of my questions to the panel were phrased in the form “What should the company have done in advance to avoid the problems it faces now?”.
The session was called Is the GDPR Europe’s wall? Walls are topical at the moment for one reason and another. The “wall” from our session title might be taken at face value as protection against misuse of our personal information. Rather cynically, perhaps, I suggested that the wall was something over which clients with valuable transatlantic work would scramble en route for Dublin if the UK did not get its house in order. The Information Commissioner’s Office is doing stalwart work to get us ready, with an astute mixture of information, positive inducement and the hint of threats. The government has more than enough on its hands as it bullies and blusters its way towards Brexit, and is plainly ignorant of the basics of data and its implications for privacy (see the Snoopers’ Charter for example). I suggested that it was down to people like those in the room to try and ensure that the UK measures up to EU standards by May 2018.
There is plenty of information out there as to what companies should be doing. The ICO, for example, issued this handy infographic this week (bigger version here – thanks to Matthew Grant at Epiq for pointing me to it):
… and added to its already useful collection of advisory blog posts one about the GDPR implications of big data, artificial intelligence and the rest.
I will not attempt to summarise the whole course of our discussion, but the points which emerged included the following:
You need to appoint a Data Protection Officer (the DPO of my title), and you need to do it now, not least because there are few people with the relevant skills and they will be much in demand. We might at last see Legal and IT talking to each other.
Collecting data for transfer to the US is hard enough as it is. Dan Cooper referred to the Sedona Conference International Principles saying (as I often do) that it is the best primer for those walking the narrow line between US demands and EU constraints. This will all get very much more difficult after the GDPR, with the extension of the definition of personal data, the wider geographical extent of the GDPR, the enhanced duties of data controllers and data processors, and, not least, the very large penalties faced by those who get it wrong.
Taking proper care of personally identifiable information is not relevant only for foreign transfers. I referred to reports in 2014 of ICO criticism of the Treasury Solicitor, no less, for handing over disclosure data without regard to the personal information contained in it – see Litigation Futures report here and the ICO’s follow-up action here.
However much it may be frowned upon, there is tactical use to be made of the GDPR obligations, whichever side you are on. Data regulators do not approve of using Subject Access Requests as a means of putting pressure on a party or proposed party to litigation, but that disapproval cannot deprive the data subject of existing SAR rights. Subject Access Requests will become a more potent weapon once the GDPR is in place – it may seem a trivial point, but the removal of the £10 fee may well lead to an increase in SARs, quite apart from any other reasons for making them.
Tactical benefits work the other way as well – if the GDPR requires you to blank out names, or otherwise remove references to the personal information of individuals, then you cannot be criticised for doing so, and this may save embarrassment, to say the least, when you hand over documents in litigation. Equally importantly, it ought to be a complete answer in US litigation, when challenged as to the destruction of documents, to say that the company was required to destroy them under EU data protection laws (don’t bank on this in every US court by the way). This, of course, can cut both ways when the documents which should be destroyed are ones which the company might actually need to rely on.
Who will be the first victims of a regulatory probe? It might well be, as somebody in the audience suggested, the biggest companies. My own suspicion (i.e. what I would do if I were the regulator) is to pick off likely subjects with different “qualifications” for attracting suspicion. Those who regularly engage in US litigation would be one example; companies like the one in our hypothetical whose business involved keeping data which by its nature was specially protected (religion and sexual preferences in our example), could expect a higher level of attention than others.
If it really is impossible to comply fully with the GDPR by May 2018, that is not a reason for not making a start, picking off the areas of most risk or (slightly less creditably), going for those where maximum benefit may be achieved by minimum effort and investment. I suggested (but don’t hold me to this) that companies which had tried to do something would face a better reception than those who had done nothing.
The ICO is not the only regulator who may have an interest in your data and how you keep it. Our hypothetical envisaged the Financial Conduct Authority taking an interest in statements made before an IPO. Litigation timescales can suddenly seem generous. What are you entitled to withhold from the regulator on data protection grounds? Will that change with the GDPR? Could you find such information anyway?
Of all the elements in the GDPR, those relating to data security and data breaches offer both the biggest challenges and the biggest risks. Much of our talk was about knowing what data you hold and, specifically, how to find personal data; the requirement to notify the regulator within 72 hours of a data breach was the one most likely to expose holes in your preparation.
The recurring theme throughout our session was that many of the steps which companies should be taking fall under the broad heading of “information governance”, that elusive concept which has hitherto foundered on the rock of ROI. The standard response has been “What return do I get on an investment in pre-emptive identification when there are so many other things to spend money on and finite resources?”
The GDPR may provide the answer to this question.