In May 2018, the EU GDPR will come into force. I recommend the ICO blog for a reality check on its impact. The UK will implement it through the Data Protection Bill. Boris Johnson has suggested that this is an area in which, post-Brexit, the UK may wish to diverge from the EU model.
Within the GDPR material I get sent, there are two clear camps:
- GDPR and big fines
- GDPR and consumer protection and trust.
A recent article in Computer Weekly suggests that only a quarter of law firms are ready for GDPR which ought to be a concern for those reliant on them for good advice.
Personally, I welcome GDPR as a step to build greater trust in the digital world and share the ICO blog’s contention that the fear message misses the point.
What I think is important to understand is that there is still considerable latitude at national level within the regulations. Whenever I am trying to find the most complex data issues internationally, health data is always a goldmine of potential pitfalls. The ownership and extent of health data has many cultural variations globally and within the EU.
Much of the attention has been over the ‘right to be forgotten’. I’ve spoken to a number of organisations implementing distributed ledger technology for non-contractual data and suggested that they get advice as to whether their proposed architectures can be made GDPR-compliant. It could be a very expensive mistake, and I don’t mean in fines, to have to rework systems implemented in a hurry to take advantage of blockchain developments.
Less attention has been paid, and I see it in my email stream, to the requirement that withdrawing consent should be as easy as giving it. There are many caveats and exclusions, but again I see many websites that I think will have difficulty meeting that challenge, as their business models are largely predicated on making withdrawal of consent a lot of effort.
The big problem with all principle-based changes, such as GDPR, is that the case law, as it evolves, will have to deal with difficult arguments where the principles appear to be at odds with each other. The unintended consequences will only emerge over time. If the UK does diverge from the EU on data protection, I suspect that this will add to the complexity, as UK organisations trading with the EU27 will have to be GDPR-compliant in their dealings with the bloc.
So, let me illustrate a possible, seemingly obscure, example of the challenges we may face in working out strategies to derisk the systems we build over the next few years. In fertility medicine, the UK removed donor anonymity some years ago, though some countries maintain it. This has led to the use of, largely, Danish sperm and Spanish eggs. Imports are legal, but under UK law the donors must be identifiable. Spanish donor eggs are guaranteed anonymity, which means they cannot be imported into the UK, so women seeking treatment need to go abroad, to Spain and elsewhere. This makes the situation more complex. Where a couple both want donors, think that through.
And imagine the situation where a Danish donor wishes to withdraw consent to being identified. It could be argued that a lifetime commitment to waiving anonymity is incompatible with the principle. Until it is tested, who can tell? If the UK does, post-2019, depart from the EU principles, then working out how to make the system work internationally could be problematic, to say the least.
The devil, as always, is in the detail, but we won’t know the detail for some time.
I’d welcome other people’s ideas on some of the complexities that they see within their sectors.
My belief is that the best course of action is to see GDPR as a call to action to build trust in the digital economy and clean out practice that society may come to see as predatory and unwelcome. GDPR is an opportunity. Not seeing it in that light risks it becoming a monstrous headache within a few years. We can all benefit if we do more than mere compliance and hope for the best.