Forum Magazine: Beyond GDPR — What Does Best Practice in Data Privacy Mean?

Topics: Compliance, Corporate Legal, Forum Magazine, GDPR, Government, Regulation & Compliance, Thomson Reuters, United Kingdom

The European Union’s General Data Protection Regulation (GDPR) has been one of the biggest regulatory concerns of the decade, across the EU and beyond, forcing companies to grapple with their data privacy, as well as their digital relationship with their customers. But now that the implementation date for GDPR has passed, what is the next frontier for data privacy, particularly after high-profile data scandals at major technology companies? Forum recently spoke with Hazel Grant, the head of Privacy at Fieldfisher, one of the UK’s leading firms for data protection.

FORUM: How much do you think companies learned about data, data infrastructure and privacy through their efforts to be ready for GDPR implementation?

HAZEL GRANT: It was a huge learning curve, and still is — the learning process continues. As an external lawyer, you have an interesting perspective on things; for example, as recently as two or three years ago, it would have been unheard of for a specialist lawyer advising on data protection to have contact with a business at the board level. But once implementation was approved, we were being asked to produce presentations for the board, or even to turn up and give them. That would not have happened in the past.

The profile of data protection has definitely been raised. Businesses have found out a lot about their data and their data practices, often discovering they’ve been keeping data for long periods without knowing why. What we haven’t done yet, and would be interesting, is to see businesses take this whole project of updating their processes and use it as an opportunity to improve their data – not just to become compliant, but to achieve data processes that are better for the business. That means smarter data collection and more efficiency.

At the moment, most businesses are simply trying to be compliant, but there are real opportunities for businesses to be smarter, be more efficient, gain an advantage and add value.

FORUM: In the post-GDPR world, what are the main concerns clients have about data privacy?

GRANT: Over the years, we’ve arrived at a position where more than 100 countries worldwide have some form of data protection law. After the regulation, we’re seeing various jurisdictions and states looking to implement something similar to GDPR, so there’s a general legislative upgrade happening all the time.

From a European perspective, we have a separate piece of EU legislation that deals with cookies and email marketing. That law hasn’t been updated yet, so the next big change will be the update to that law, which affects a lot of businesses. Another likely issue in Europe is that we’ll see similar developments to those that have happened in the US, meaning more litigation and more individual claims for data deletion and data access, due to the profile of data privacy being raised.

Finally, there’s the likely explosion in breach work. Europe has had a very stringent data protection law, but not a breach law applying at the EU level. Those laws exist in the US, but we’ll see that coming to the fore in the EU. That means we’ll see more data notifications required not only to the regulators but also to the affected individuals, and it’ll be a huge workload for businesses.

Businesses are made up of human beings, and generally humans are the point of failure that causes the breaches. This makes it very difficult for businesses to be able to respond adequately to the scale of the challenge they face. Not only is there new law to be considered, but there are the practical steps to remedy the breach, notify affected individuals and have an effective communications plan. In the US, there are providers who offer a service to help respond to breaches — it’s much more “business as usual” over there, so that some of the analysis and notifications are done in-house — but that’s not the case here.

Hazel Grant, the head of Privacy at Fieldfisher

The task is entirely new, as is the law, so there will be a period of time, which could be months or even years, where businesses need to seek external advice to deal with breaches. It will encourage businesses to invest in security and to improve their monitoring of data handling.

FORUM: Aside from legislation, how have scandals like Facebook/Cambridge Analytica affected companies? Is reputational risk on their minds just as much as compliance?

GRANT: That’s a very good point. I do think it raises the profile of data privacy, as it’s in the headlines all the time, and it forces management to think about privacy holistically, rather than as a box-ticking exercise. Companies must ask, “What is my relationship with my customer and how do they feel about me?” That’s definitely how the regulators would like businesses to see it.

If companies are prepared to invest in compliance and data handling, they could see real benefits to the business, as they’d have created a group of followers who are really engaged and therefore will forgive them errors, respond to their campaigns, participate in their activities and show that trust.

There’s a real tension between having a big email marketing list of people, some of whom wouldn’t even recognize your business name, and a list of people who are engaged and want to participate in your campaigns, games or whatever activities it might be.

The whole “re-consenting” process has been very contentious. A lot of businesses have gone out and tried to re-consent, but what they’ve sent hasn’t actually been GDPR-compliant and has created more problems than it’s solved. The end result should be a better list, and you can start to re-collect the data on everyone else, in the correct manner.

The problem is that lots of businesses have collected lots of data over the years without a proper audit trail; you often hear “we’ve had this data for years, but we don’t know where it came from” – that’s very common. Lots of the re-consenting that went on didn’t need to happen. For example, some member associations have been sending opt-ins; but a level of ongoing communication is part of the member agreement, so was that really necessary? There must be a smarter way to do that based on the terms of existing memberships.

FORUM: After Cambridge Analytica and after GDPR, what does “great” look like? How do companies become consumer champions for data privacy?

GRANT: Some of it comes back to seeing this as an opportunity to refresh your data and update the way you handle it in order to engender trust with your customer community. That means not being defensive about data, but instead looking for opportunities to improve.

We’ll see lots of new services and tools begin to appear — for example, tools that log consents and keep them, or that help you if someone makes an access request, or that carry out data-mapping. There will be opportunities to use technology to stay ahead.

It seems slightly strange that we have very few businesses that make a big deal out of being privacy-compliant. That’s surprising. Some of the big tech providers do make a big deal out of being compliant and getting you to trust them in holding your data, but as other types of business move increasingly online, why aren’t more businesses — for example, in retail — making a bigger issue out of that?

There’s an opportunity for businesses to change how they think about their data. Instead of a basic attitude that says, “I sell shoes and want to know who’s buying them,” they can move to “I can have a relationship with these people, and I think they’d be interested to know we sponsor an athlete who uses these shoes to race.”

Ultimately, we’ve had two years to prepare for GDPR; but let’s be honest, most people ignored it for the first year, and I think it will take another couple of years for most businesses to actually think about, create and implement their GDPR compliance project. It’ll be 2020 by the time everything is done.

The volume of data passing through the infrastructure of these businesses in the future will be bigger; people live online, and businesses want to connect with them there, so the risks increase alongside that. In many jurisdictions, people never got fined for data privacy mistakes; now it can be 4% of global annual turnover.

The potential downsides going forward are huge, but the potential upsides are too.