PART 4: GDPR : where we are now
Having reviewed the changing role of the processor and controller, post GDPR, we look at some of the other changes and challenges, since May 2018.
Remember the GDPR-related emails that kept pinging up in your inbox throughout May 2018? Well, that flurry of emails is now well and truly in the trash, and your subscription list - as a provider or customer, probably significantly reduced.
Anxiety about GDPR compliance has trailed off since GDPR came into force, certainly in terms of large scale projects. But it’s probably fair to say that most organisations didn’t complete their GDPR compliance work in time for GDPR-day, and many organisations are still ploughing through existing contracts and standard terms with customers and providers to bring them into compliance with the GDPR and reflect the practical implications of the new law, updating privacy notices and mechanisms for obtaining consent (in the rare cases where organisations are still relying on consent as a legal basis), trying to recruit DPOs and EU representatives from a very small pool of people who can fulfil the GDPR’s requirements for these roles (neither of which offers the most tantalising job description!), trying to cobble together processing records, trying to improve cybersecurity and other information security measures, and trying to obtain or upgrade insurance policies to cover the increased financial exposure of failing to comply with the GDPR.
Too much or too little?
The GDPR is a EU legislative document comprising 99-articles and 173 recitals. It is not easy reading for a lay person, and even for data protection experts, the regulations are confusing and unclear. And despite the original aim of having one directly applicable, uniform data protection law covering every EU country, each country also has its own data protection law implementing the GDPR and filling out the permitted national variations (known as ‘derogations’). In the UK, we have the Data Protection Act 2018, which is a challenging read and meaningless unless read with the GDPR side-by-side, and amongst all the furore surrounding the GDPR, has tended to be overlooked and ignored. To top it off, the possibility of an impending no-deal Brexit has also made it necessary for the UK government to issue the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amend the GDPR, Data Protection Act 2018 and Privacy and Electronics Communications Regulations 2003 in a desperate attempt to ensure everything still makes sense and works after B-day. This is a lot for UK organisations to try to take on board - some might say too much.
The ICO has offered broad stroke advice on complying with the law, which although reasonably reader-friendly and aimed at lay people, often falls short on helping with the nitty-gritty of what this means for individual organisations on a day-to-day basis or how to translate this into suitable wording in contracts and privacy notices.
Guidance from the European Data Protection Board (‘EDPB’, previously the ‘Article 29 Working Party) on specific compliance requirements of the GDPR is often wordy and long, non-reader-friendly, blurring the line between guidance and law-making, tending to default to an ‘if in doubt, assume you have to comply’ approach, employs circular reasoning along the lines of ‘to determine whether something is ‘large scale’, you have to consider how big it is and how far it reaches…’, and often seems to arrive at spurious, inadequately explained conclusions. The guidance was subject to extensive feedback and criticism during consultations on draft versions, with criticised elements often still present in the final versions. The fact that the EDPB can take 20 pages to try to explain one small nuanced compliance point of the GDPR only serves to highlight the inadequacy of the GDPR text itself and the extent of the challenge in applying it. It’s possible to read the entire EDPB guidance document on a subject and still not know how to apply the law to a given situation. The EDPB guidance is pretty inaccessible to most people, whether due to a lack of awareness of its existence or how to find it, or having the constitution and willpower to actually read it.
Then there is an over-abundance of ‘advice’ and ‘guidance’ from various individuals and organisations available online, much of which is either plain wrong or incomplete. Unfortunately, in the absence of timely, easily available guidance from the supervisory authorities or the EDPB or input from legal advisers, many organisations had to rely on that inadequate advice. For example, if the ICO had released its guidance confirming that legitimate interests could be used as a legal basis for continuing to send marketing emails to existing customers based on the ‘soft opt-in’ under PECR 6 months earlier than it did, thousands of companies may have avoided sending those GDPR-related ‘consent’ emails to their customers (which were possibly unlawful anyway according to the ICO enforcement action against Honda and Flybe) and losing valuable customer marketing lists and business as a result. You may have noticed that very few big companies (with in-house legal teams or external legal advisers on hand) sent those emails.
Despite the availability of official and unofficial guidance, many organisations are still relying heavily on their legal advisers to interpret the law and guidance and advise on how contracts and privacy notices need to be updated and what changes to practice are required – suggesting that the available guidance isn’t sufficient to enable organisations to implement GDPR compliance. Those that can’t afford legal advice just do the best they can and hope they’re small enough to stay under the regulators’ radars if they’ve inadvertently got their compliance wrong.
Some months on there are still many grey areas concerning data protection compliance. There are also huge areas that are still wide open for interpretation and commercial negotiation between contracting parties such as subcontracted processing and international transfers of personal data. Back in May, the GDPR document itself seemed more than enough to deal with. Now, with organisations dealing with the practical application of the regulations, the lack accurate, easily available official guidance and over-abundance of second-rate unofficial guidance on how to apply the law is more of an issue.