When I wrote recently about the agenda for Relativity Fest London, taking place on 21 May, I neglected to mention that I am taking part in one of its panels.
It is called “Whose data is it anyway? Data Privacy and Data Subject Access Requests”. The other panel members are Mark Anderson, Senior Project Consultant at CDS, Jonathan Armstrong, Partner at Cordery, and Meagan Sauve, eDisclosure Consultant at Special Counsel. David Horrigan of Relativity is the moderator.
There were those who predicted that the GDPR would be like the Y2K or “Millennium Bug” situation, where everyone predicted disaster and then sneered when nothing much happened on the due date.
I criticised that approach on two grounds. One was that a great deal of work by some very clever people went into making sure that nothing happened as we moved to the new millennium; there was not much of that in evidence in advance of the GDPR’s introduction last May.
The other was that the worst predicted effects of Y2K would have appeared instantly – your plane would drop out of the sky or the entire computer-related business infrastructure would collapse instantly; GDPR was never going to be like that. Although enthusiastic marketing departments liked to imply that every organisation would face instant fines of 4% of turnover with effect from May 2018 for the slightest shortcoming, the reality was always that the GDPR was a slow burner. It would begin with a gradual change of attitudes and nudges towards better policies and better conduct, leaving only the most recalcitrant organisations, as well as the obvious bad eggs, at risk of high penalties.
A more sane prediction was that fines would be the least of the implications arising from data breaches or from failure to comply with the GDPR requirements. What would grind companies down, I suggested, was the cost of compliance – direct costs, remedial works, and more insidious expenses such as the loss of customers, investors and staff. We learned this week, for example, that Equifax has spent nearly $1.4 billion cleaning up after its 2017 data breach and overhauling its information security program.
Data Subject Access Requests, and the expense of dealing with them, were easily overlooked in the misplaced furore over fines. DSARs are easily made, perhaps by disaffected former employees or customers, and have tight deadlines and the same implications as any other discovery / disclosure requirement.
Our panel is a mixture of those with expertise in both the legal and the technology sides of dealing with DSARs. Not the least of our ambitions is to make it clear that DSARs are being made daily, and causing wider implications than mere disruption and expense. They are, for example, often the precursor to litigation and may help trigger a regulatory investigation. Dealing with them can be like litigation with go-faster stripes. Some anticipatory understanding of their implications is prudent.
Do come along and hear us talk about them.