The UK’s new Data Protection Bill is simply GDPR with a Brexit mask. But what challenges does it pose to technology innovators? Chris Middleton reports.
Much has been made by the media of the UK government’s proposed new Data Protection Bill, which will give citizens a ‘right to be forgotten’ by digital services – the right to demand that data held by organisations about them should be permanently erased from their servers (including backups and mirror sites).
Among other good things, this would address child protection issues: internet safety campaigners have long urged the government to mandate the erasure of social media data that refers to under-18s, partly to prevent organisations from searching it when school leavers or graduates enter the job market.
Digital Minister Matt Hancock has been talking up the new Bill as though it represents the vanguard of post-Brexit government policy; a newly independent UK forging a bright, progressive digital future – a line that has been reproduced across some of the mainstream and even tech media.
The reality is rather different. The Bill simply casts into law the European Union’s General Data Protection Regulation (GDPR), which comes into force in May 2018 when the UK will still be a member of the EU. As a result, the UK has no choice but to adopt its provisions. Even post-Brexit, the UK will have to retain GDPR if it is to trade with Europe on terms that the union will accept.
The EU’s aim is to create a more rigorous data regime that shifts the advantage away from any unscrupulous data collectors and towards individual citizen rights. With fines of up to four per cent of turnover for serious breaches, stricter reporting guidelines, and the right to be forgotten, the new legislation presents a real challenge to technology innovators – with the clock ticking and less than a year to go.
One of the key areas will be data location, sovereignty, and transfer – an overlooked consideration in the context of Brexit. For example, a 2016 survey by Computing found that 83 per cent of the UK’s data centre or equivalent processing facilities are based in Europe: the hidden story of Brexit.
That survey also found that nearly half of all UK organisations (49 per cent) were either unaware of GDPR or had done nothing about it at all, while a further 26 per cent were at the earliest stages of preparation. Together, these figures suggested that three-quarters of UK organisations would have been at risk of financial penalties, were the UK’s new Bill already in force.
So has the situation improved since then? Very little.
A May 2017 survey by the same publication found that 47 per cent of organisations (against 49 per cent last year) have either still not heard of GDPR, are only vaguely aware of it, or are aware of it but have done nothing to prepare for it. In 12 months, therefore, only two per cent more organisations have taken action.
If that same trend continues into 2018, then 45 per cent of UK organisations could be in breach of the new legislation. In this sense, the government’s publicity push about the Data Protection Bill – which simply incorporates GDPR into British law – is a very good thing.
The large majority of these organisations process personal data of some kind, and many are in a ‘hybrid’ transition period from on-premises to cloud-based systems. Many cloud providers have data centres in the EU rather than the UK, so all of these issues need urgent consideration too, not just in terms of GDPR/the Data Protection Bill, but also in terms of Brexit.
Another overlooked area is the extended technology ecosystem itself: business partners’ and suppliers’ usage of customer data should also be considered against the new laws’ requirements.
But the real challenge is that many tech innovators – CIOs and CDOs among them – identify security as their main data protection problem; that vital focus must now broaden to include the whole culture of data usage that GDPR is designed to address.
The new age of consent
At the core, GDPR and the Data Protection Bill seek to make organisations more accountable for their actions. So in 2018, the most pressing area for technology innovators will be the question of consent: the new laws’ provision that personal data only be collected for “specified, explicit and legitimate purposes” with “the consent of the data subject”.
Those clauses alone will make little difference to most digitally enabled enterprises. But further provisions certainly will: the new rules say that processing this data must be necessary to “protect the vital interests of a data subject” and “for the performance of a task carried out in the public interest”.
It will be fascinating to see how these additional clauses affect the advertising and marketing sectors, for example, and the work of those departments within large organisations.
Many marketing processes are becoming increasingly automated and AI-enhanced, but some of that innovation may have to be unpicked if the data it addresses is found to be in breach of consent, ‘vital interest’, or ‘public interest’ rules. For example, is a targeted advertising or sales campaign really in the recipient’s ‘vital interest’? Advertising copywriters may have us believe so, but will legislators agree?
This raises some further interesting questions: will any right to be forgotten also mean effective exclusion from a broad range of digital services? And if so, would that be legal? I predict that citizens will begin to challenge organisations’ ability to prevent them from buying goods or using services if they choose not to open a permanent account or divulge personal data that is irrelevant to the transaction.
Of course, there are problems with any right to be forgotten, such as whether it might be applied to restrict legitimate reporting, but that isn’t the purpose of the new regulations. They’re really about resetting the balance.
Many businesses today collect personal data almost as a right – even some restaurants and cafes insist on customers filling in detailed forms simply to use the ‘free’ wifi, while many retailers force customers to register a wide range of personal data simply to buy something online, and then follow it up with targeted marketing.
Even the BBC now forces licence payers to divulge personal data to use its iPlayer services, not only online but also on smart TVs. Meanwhile, unwanted programmatic advertising sometimes follows users around the internet for days after a click or purchase.
Innovators will soon have to face the facts: those days may be drawing to a close, and a new type of relationship with private citizens will emerge, one that shifts the balance of power to the customer.