“Remember, remember the fifth of November, GDPR, personal data and whatnot”. On Friday 5 November, Ropes & Gray hosted a discussion on the strengths and weaknesses of the GDPR at the firm's 'The Future of Global Data Protection' digital conference.
The discussion was led by Edward Machin, of Ropes & Gray's data, privacy & cybersecurity practice, with Ravinder Roopra, of Kantar, Jo Gibson, of Morgan Stanley and Simon McDougall, former deputy commissioner of the UK Information Commissioner’s Office, making up the panel.
Beginning the conversation, both Jo and Ravinder recognised that since coming into force, the GDPR has truly proved itself to be a colossal piece of legislation which touches all aspects of their respective organisations in novel ways. Personal data has become “the crown jewels for most businesses”, stated Ravinder, with companies dedicating a great deal of time, finances and resources to ensuring GDPR compliance. This can only be a good thing, as it requires businesses to take personal data seriously.
However, the GDPR also presents challenges, especially with regard to budgets, as credible compliance comes at a heavy cost. A more recent challenge Ravinder flagged is the increasing fragmentation and localisation of data protection requirements, both of which require a strong budget to address.
Touching on this point, Simon commented that this is a challenge with all pieces of legislation. Indeed, the idea that the GDPR will be optimised and applicable in all areas around the world, at all times, is not a logical one. Considering budgets, Simon stated that the ICO faces similar issues, as although “it would be lovely to have indefinite resources and investigators”, that is not how things work and so the ICO targets large scale acts of non-compliance, as these cases impact the most individuals and “hopefully force other corporates to pay attention”.
Another issue that organisations are finding increasingly challenging under the GDPR is that, in giving individuals more control over their personal data, it has had the unintended consequence of being weaponised by individuals. For example, disgruntled unsuccessful job applicants may use data subject access requests (DSARs) as a tool for leverage against the employer. This makes life difficult for an organisation in terms of locating the data and handling it in the requested fashion. It was noted that the regulators are aware of this issue. Indeed, it can be hard to differentiate between what is a legitimate claim and what one may call a ‘personal ven-data’.
The discussion then moved on to the topic of the UK Government’s data strategy post-Brexit and ICO independence. The panel thought the UK Government’s approach was a thoughtful one, which recognises the importance of promoting business and trade, but within a robust data protection environment. However, there was strong support for the ICO maintaining its independence from the Government, so that individuals can take comfort that their data is being adequately protected and regulated.
The panel agreed that trust is a critical factor and people must feel that their data is being protected, especially when society is reacting to certain situations – such as the COVID-19 pandemic – by collecting and sharing increasing amounts of personal and sensitive personal data.
Finally, it wouldn’t be a GDPR conversation without discussing international data transfers and Schrems II. Commenting on how they dealt with this challenge, the panel supported a risk-based model, but with different approaches. For some, the priority was dealings with US vendors, to ensure data protection impact assessments were in place. For others, the focus was on a number of “use cases”, tracking the data flows, identifying the documents that need to apply, and identifying the risks that come into play for the international data transfers.
In summary, the panel gave overall support to the GDPR and the behavioural changes it has driven. However, it appears that it is far from perfect. There can be no harm in re-assessing what has worked, what has not, and updating the legislation for the better going forward.
To access a recording of the session please visit our blog: RopesDataPhiles.