SCL Chair Mark O’Conor reflects on an upcoming event and an ongoing mission
I can barely believe this as I write the next bit of this sentence but the GDPR finally comes into force next month.
The deep-seated changes the Regulation brings in, and the attempt to foster an entirely new culture surrounding data protection and privacy, have been deservedly newsworthy in their own right for the last few years.
And that was without the extraordinary insights into just what is happening to our data that the ongoing Facebook / Cambridge Analytics saga has revealed. This was not a hack, this was a hosepipe showering personal data seemingly to anyone who wanted it, with users unaware or unruffled by the consequences.
So the GDPR has become one of the few pieces of EU legislation that everyone has heard about and a frenzy of activity is underway across the country as organisations of all shapes and size prepare for the big day. Yet this frenzy, while understandable, is perhaps slightly misleading. One of the core philosophies underpinning the GDPR is accountability. At all times, data controllers and data processors must actively protect the data of the people who interact with them, whether they are customers, employees, patients, volunteers or connected in some other capacity. It is an active process, not a passive one, so talk of being ‘GDPR compliant’ by the 25th May risks offering a sense of false security.
This need for continuous compliance was a key factor in our decision to promote, with the help of the ICO, a Data Protection Hackathon the month after the GDPR comes into force. It underlines to our members, supporters and the public that data protection is ongoing and that getting everyone to embrace the new culture will take time. In parallel, the House of Lords Select Committee on AI launched its report and five-point code on 16 April, and its Chair, Lord Clement-Jones said that an individual's access and control over their data was one of the four themes underpinning the report. He said that fair and reasonable access needed to be balanced with privacy; requiring compliance with existing law and potentially new regulation to deal with data portability, data trusts and to avoid machine-learned prejudice. So 'data' is at the heart of much of what we focus upon as SCL members.
Specifically the Hackathon focuses on data protection for SMEs, a huge sector of UK business, many of whom are currently wrestling with the challenges presented by the new regulations. The target is to produce ideas and solutions that will help them manage the ongoing obligations of the GDPR and the best will be awarded prizes by the Information Commissioner, Elizabeth Denham. The rules, rationale and entry details are explained further here.
Businesses and organisations of all sizes are looking for just this sort of guidance so I think it is incumbent on us to help where we can. The Hackathon is only one element of something we would like to be our ongoing mission to explain, whether that’s training our members so we can advise our clients to the best of our ability or working with organisations such as the ICO themselves and others active in this sphere such as Privacy International.
An SCL event with Privacy International at The Law Society on 24th April is one such initiative and tackles connected devices, asking questions about whether and when the evidence they gather could be used in criminal litigation. Although not strictly about the GDPR, the subject is a classic example of how the data revolution that has given birth to the new regime impacts on everyone involved in legal proceedings as you never know when Alexa is listening (other ‘smart’ devices are available). ‘Alexa what Practice Direction allows me to use you as evidence in court?’ may be a bit of a circular question so could defeat this particular female avatar but it is one that needs answering, GDPR or not.