Anyone hoping that we would by now have greater clarity on GDPR will have been sadly disappointed. Large swathes of the Regulation have yet to be tested in a court, and many of the high profile fines that you may have read about were actually issued for contraventions of the pre-GDPR rules.
That’s partly because GDPR remains as I and others described it a year ago: descriptive, not prescriptive. Still, when I joined a recent debate on what’s emerged in the months since GDPR Day, we were able to identify several notable clarifications, consequences and caveats.
The biggest caveat for UK readers is yet another Brexiter own-goal that will see the UK giving up control, not taking it back, as and when it leaves the EU. Put simply, while inside the EU, national legislation such as the Investigatory Powers Act 2016 – the “snooper’s charter” pushed through by then-home secretary Theresa May – may be challenged in the European courts, but that doesn’t prevent UK companies moving personal data around the EU.
However, if the UK is outside the EU (or EEA), it will need the equivalent of the USA’s Privacy Shield* – a declaration from the European Commission that the UK’s data protection regime matches EU expectations. In other words, if you are an EU member the Commission can’t examine your laws under GDPR and declare them inadequate, but if you are a ‘third country’ it can.
So if Prime Minister May manages to get the UK out of the jurisdiction of the European courts – which frustrated her ambitions more than once as home secretary – the UK could actually end up with even less room for manoeuvre in the area of data privacy than it has now.
Recognising the importance of data governance
On a wider and more positive note, speakers in the debate noted that GDPR has been a boon for CIOs. It has made data protection and the value of data much more visible at board level – which is of course where the legal responsibility for data privacy sits. In doing so, GDPR has also brought a stronger recognition of the need for data governance.
That means there has been more budget and a greater impetus to get data protection and privacy sorted out from a process, policy and technology perspective. As one speaker put it, GDPR has been a catalyst for a lot of things we should have been doing anyway! Another added that it has empowered some of those responsible for data governance to rein in and cull projects which had run out of control.
And it’s not just European CIOs and data subjects who are benefiting. Increasingly, GDPR is seen world-wide as the ‘gold standard’ for data protection, with similar regulations appearing in other jurisdictions. Multi-national companies are choosing to implement GDPR world-wide too, with Microsoft the highest profile example. For these companies, not only does this demonstrate good faith, it also simplifies their data governance regimes.
Consent may be less important than you think
On the other hand, there’s still far too many people who don’t understand that consent is only one of the possible legal grounds for processing personal data under GDPR, and that in many cases, consent may not be the best one to use. There’s a need too for more and better analytics to help organisations understand the data they collect – what’s sensitive, what’s important, what they can safely discard, and of course which bits they should never have collected in the first place.
For now though, GDPR has made individuals more aware of their data and their rights, it has made privacy easier to define, and perhaps most importantly, it has ensured that data and privacy are seen as strategic issues within organisations. Overall then, the general feeling was that, even with elements awaiting clarification, GDPR has been a success.
*Though this too has been challenged as inadequate in both the European courts and in the European Parliament.
My thanks to fellow GDPR-watchers Renzo Marchini, a partner at law firm Fieldfisher who specialises in privacy and security; Joe Garber who heads the governance product group at Micro Focus; Horizon CIO Network host Mark Chillingworth; Johan Dreher, sales engineering director at Mimecast; and Alex McDonald, who chaired the debate and is both a director at SNIA Europe and an industry evangelist for NetApp.