Gerald Brent reports on the event organised by the SCL Privacy and DP Group and hosted by Allen & Overy on 20 November 2018
Anita Bapat, Data Protection and Privacy Partner, Kemp Little LLP
After an introduction from Anita, our chair for the evening, Kasey outlined her very interesting background in what can be called ‘privacy engineering’. She went on to explain how she ended up at eBay and eventually Vodafone, the latter whilst the current data protection and privacy regime was emerging.
Her current role, at fintech payments company GoCardless, involves assessing the programmes the company implements to minimise risk associated with payments processing. Necessarily, this involves negotiating the opportunities of machine learning and automated payments in the regulatory context of the GDPR and DPA 2018.
Addressing the Go-Ahead Group’s more traditional role in the economy (passenger transport provider), John noted his move to the more innovative side of the business, with a particular focus on cyber security threats.
John also outlined the data protection challenges raised by such a broad, diverse business. His aim is to achieve a uniformity of control across the business.
As a partner at Etic Lab, Alex deals in data and extracts all manner of value from often huge data sets on behalf of Etic Lab’s clients.
Interestingly, Alex has worked for clients with interests in political data and has worked on understanding behaviours in connection with the rise in the popularity of the Alt-Right. Alex confessed to having a cynical view of the future of regulating the use of data and protecting privacy.
Marta is dual-qualified in Spain and the UK and so views the GDPR from both a civil law and common law perspective. In noting that we now have apps, Marta opened by stating that the GDPR is now out of date. With these new technologies, Marta suggested that we faced four challenges:
The hurdle to innovation
Anita prompted the panel by presenting the notion that the law is a hurdle to innovation.
Kasey responded by saying her job is not to address the GDPR in itself, but the privacy risks. Therefore, in seeking to separate the wood from the trees, Kasey addresses the underlying concerns of the GDPR and thereby circumvents the overly formalised box-ticking exercises entailed by the letter of the law. At the end of the day, it is about outcomes and objectives, not box-ticking.
Kasey also noted that the concept of privacy impact assessments borrowed heavily from the very effective ideas behind environmental impact assessments; that is, asking people who understand the product to answer questions about the law. In this way, getting the right people thinking about their product’s risks, and not just whether it complies, means you extract more information and hopefully obtain better compliance.
Anita then prompted the panel on the subject of blockchain.
John presented a very cynical view, making clear that from his perspective he does not, at present, see any real value in the technology as it is still ill-defined and needs to move beyond internet discussion groups in order to be taken seriously.
Kasey responded by noting the interesting non-currency applications of blockchain technology, such as authenticating data between entities. However, she also noted the inherent contradiction with the GDPR in a blockchain’s inability to have its hashes/data deleted/rectified due to its decentralised nature.
Marta chipped in by stating that the blockchain could be made compatible with data subject rights if the log in the blockchain was clear as to why deletions and rectifications are made.
Kasey and John then addressed the benefits and issues with using blockchain to authenticate tickets and purchases across a business, including possible conflicts with the GDPR.
Privacy considerations for business and product development
Anita then prompted the panel on what businesses should consider when implementing new technologies.
John said that because these ideas were normally driven down from the top by the board, it was crucial to have clarity of objective/purpose, as this will allow a better development process. He added that as soon as any idea is put on the table, data protection law compliance and privacy issues are considered alongside cost implications.
Asked by a delegate whether compliance stifled innovation, John responded that it was about outlining the red lines in the resulting data protection/privacy risks.
Kasey added that we must approach the issue by saying “we have to do this because look at what happens if we don’t”; we must think about the risks and ask the questions at the right stage so that innovation will not be stifled from the ‘get go’. Marta reinforced this point: in private practice, she stresses the importance of delivering a “how” message as opposed to a “no” message to clients.
Indeed, as Anita added, the ‘how’ message is what a data protection impact assessment notice is supposed to flush out.
Other discussion points
A question from the audience was directed at the concerns from a marketing perspective; specifically the marketing team going off on a frolic of its own. John regularly meets with marketing in order to share information with compliance, while Kasey stressed the value of technical controls, for example cookie controls, offering an easily accessible level of control to privacy functions. Marta also mentioned training – across all functions in an organisation – being crucial to ensuring compliance across the board.
A very broad question from the audience asked the panel whether they agreed with the sense that regulators are uneasy about the abuses and risks of technological advancement. Alex responded by noting that regulators should acknowledge that there is a much wider range of stakeholders involved in technological advancement. Kasey added that a regulator’s advice given prior to the application of the rules is not as useful in guiding the behaviour of those subject to such rules as the application/enforcement of the rules themselves.
This developed into a general conversation about the competency and appropriateness of regulators. From there the discussion moved on to AI and algorithmic decision-making, with much made by the panel about the biases which are often built in to automated decision-making.
All in all, a hugely wide-ranging event that raised, and attempted to answer, some fairly fundamental questions for all those working in the sector.
Gerald Brent is a trainee at Fladgate LLP