9 things we learnt at the Data Protection World Forum 2018

The inaugural Data Protection World Forum took place at the ExCeL in London on 20-21 November 2018.

We attended the Forum to get the latest data protection insights and developments, including:

• The impact of the GDPR 6 months on
• How (and if) businesses are effectively managing their data
• Upcoming changes and new legislation worldwide

Read the 9 key things we learnt below.

1. GDPR certification is on the way

So claimed Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection in Bulgaria.

As a member of the European Data Protection Board enforcing the GDPR across EU member states, Ventsislav identified 4 cornerstones of GDPR compliance:

• Awareness
• Accountability
• Consistency
• Enforcement

Ventsislav stated that GDPR certification for controllers/processors will be implemented in the coming months - though what form it will take remains under wraps for now.

2. Cyber crime and data protection keep overtaking each other

Charlie McMurdie is the former head of the Metropolitan Police's National Cyber Crime unit. 

Charlie described a pattern of constantly evolving cyber crime taking advantage of increasing digitisation, with new regulations and intelligence-sharing then emerging in response.

• 65% of large businesses were deliberately breached in the last year
• Only 22% of CIOs feel fully prepared against cyber crime
• Half of these major breaches were due to human error 

Cyber crime is an increasingly expensive problem as connected digital information silos become a prime target for attack.

Direct costs of investigation and remediation are made worse by indirect costs: reputational damage and increased insurance premiums.

Charlie recommended that businesses invest in secure, integrated systems and pay close attention to potential weak spots.

3. Businesses have prepared for May 25 - then done nothing

Is your business guilty of this?

A recurring theme of the Forum was that many businesses have rushed to prepare for the GDPR in May 2018, getting processes and procedures in place before mentally ticking the box and forgetting about it.

But your processing records and DPIAs are your key long-term accountability tools. Don't forget to keep them refreshed and up to date!

There has been a spike in data subject access requests since May as individuals move to exercise their new privacy rights. 

Yet lots of businesses still don't have airtight processes for responding to these claims, and the 30-day window is proving difficult for many to meet - particularly larger, more diffuse businesses.

In short: plenty of businesses prepared for May 25, but not after.

The repeated advice of the Forum speakers was to:

• Revisit your data processes regularly
• Keep your privacy impact assessments and asset registers up to date
• Ensure that you actually can fulfil the requests of your data subjects should they ask

Compliance is maintained, not achieved.

 Is your Information Asset Register complete and up-to-date?

4. GDPR compliance is becoming a B2B prerequisite

You're going after a piece of new business.

In principle, the deal's done - they like and trust you and are ready to commit.

You expect them to do their due diligence before signing on the dotted line, don't you?

Typically this will mean taking a look at:

• Your finances, to ensure you aren't going to go bust any time soon
• Your indemnity and insurance agreements
• Your pre-existing customers and their word of mouth about you

But in the post-GDPR age, something new is now taking place as well.

More and more businesses are doing 'due data diligence'.

That means your DSAR capabilities, document vetting, data flows, privacy policies and assessments can all be looked at as a prerequisite for doing business with you.

This reinforces the message above: don't rest on your GDPR laurels.

If you're sitting comfortably on your data, don't.

It might cost you your next big customer.

5.  The ePrivacy Regulation is coming soon

The GDPR's forgotten little brother, the ePR, has fallen behind but is still on the way.

The ePR was supposed to come into effect on May 25 2018, too, but has been pushed back and is expected to arrive in 2019.

It's essentially a more focused version of the GDPR, geared specifically towards the use of personal data for electronic communication and marketing. It will cover:

• Cookies
• Marketing opt-outs
• Protection from spam
• Confidentiality of communication metadata

Its exact contents remain to be seen, but a few things are clear.

1. Metadata relating to communications with customers must be anonymised or deleted if consent is not given for storage

2. Marketing callers will need to display a phone number or designated prefix to indicate a marketing call

3. Unsolicited emails, texts and automated calls will be banned

4. The heavy financial penalties of the GDPR will be carried over for the ePR too

We'll be covering and analysing the ePrivacy Regulation as more information is revealed, so watch this space.

6. Tech is key

Stewart Room is one of the UK's leading lawyers in the field of data protection.

Stewart argued that the GDPR is not the revolutionary leap forward in data protection that some think it is.

Instead, it's clouded the 'purity' of proper data protection. GDPR compliance is the start, not the pinnacle, of good data control.

Stewart's argument was this:

1. Businesses operate across 3 layers: paper, people and data

2. They are influenced by 4 behaviour drivers: laws, norms, market forces and architecture

3. The GDPR is a 'law' driver influencing the 'paper' and 'people' layers, but most businesses are ignoring the final and crucial 'data layer'

4. Because of human error and data crime, real data protection can only be cemented with electronic, code-driven privacy by design

Until businesses consider how to apply technology, code and electronic systems to their data management, they will only scratch the surface of the real issue and will find themselves duplicating work 5 years down the line.  

Moving away from insecure paper systems and investing in electronic data management is the only sustainable pathway for businesses in future.

Electronic, secure coded data sets are the future of

data protection according to PwC lawyer Stewart Room

7. Some businesses are majorly failing at data protection

If you're uneasy about your data processes, don't worry - there are plenty of businesses in a worse state than you. 

That's what Privacy International, a privacy rights charity, discovered when they challenged the 'invisible strangers' at international data broker Acxiom. 

Armed with their GDPR right to request the data held about them, Privacy International investigated how Acxiom was managing personal data.

Acxiom failed GDPR compliance on every count: 

• As a third-party broker you've probably never heard of, the data that Acxiom holds doesn't meet the transparency requirements of the GDPR. They hold data for around 700 million people - almost none of whom know about it.

• Article 14 of the GDPR states that businesses must disclose the source of the data they hold, if direct consent has not been given. Acxiom simply described 'various sources'.

• They claimed that lawful basis for their data-holding came from the Interactive Advertising Bureau's Transparency & Consent Framework - but this only applies to direct first-party consent for advertisers. As a third party with no direct consumer contact, Acxiom rely on a dubious 'chain' of consent from first to third party - which is not how consent works. 

In short: vague answers and abstract frameworks won't wash anymore.

Businesses need to demonstrate an active, direct and provable network of consent for their data - plenty of businesses, particularly larger businesses, are failing to do that, even 6 months after the GDPR live date. 

The Acxiom case is ongoing - so keep an eye on how it develops.

8. The GDPR has been a global inspiration - but won't necessarily translate everywhere

James Felton Keith, President of the Data Union in the United States, discussed the effect the GDPR had had beyond the EU.

He claimed a 'legislative precedence' had been set by the GDPR which will be mimicked by the rest of the world in the coming years.

But he hinted at a different conception of data protection in the US.

'Privacy' and 'right to erasure', Keith claimed, don't resonate in American political culture in the same way they do in the EU and UK.

'Ownership' , 'personal agency' and 'value' are guiding principles in Congress - with the First Amendment at odds with the right to erasure.

Keith argued that the GDPR focus of individuals having agency over their personal data and 'digital lives' has already catalysed a change in American law, with several states (Ohio, California and South Carolina) passing data protection laws inspired by the GDPR.

But Keith advocates using data as a free-flowing market asset for individuals to demonstrate their productivity value to society - and believes this is how future American laws will interpret data protection.

What does this mean in practice?

Imagine you get a new job and leave your current business.

As per the GDPR, you have the right to request that they delete the personal data they hold on you: salary details, email records, phone numbers and so on. And you might choose to do that.

But with Keith's conception of American data protection, you wouldn't delete that data.

Instead, you could harness it, proving your economic value to future employers with data such as:

• an email string showing how you led and completed a project
• a wage record showing how much you were valued
• a piece of copy you wrote and want to put your name to

Data is therefore treated as a natural resource to be utilised and 'proliferated' by individuals and businesses, not just something to be locked away and 'protected'.

So while the GDPR has inspired other territories like the US to think about data, the conclusions that will be drawn won't necessarily be identical to those in the EU.

This raises some interesting questions about the future of data protection on the global stage.

9. Data laws are here to stay

The key takeaway from the Forum surfaced time and again: the GDPR is the start of an irreversible change in worldwide engagement with data.

Anneke Schmider, Director of International Strategic Policy for the ICO, discussed the global roll-out of data regulations as a key upcoming challenge.

California, China and key Commonwealth countries like Canada, India and Australia are all working on data protection laws.

ISO is formulating a data protection standard to go beyond the information security focus of 27001. 

And the 'ecosystem' of data is only growing in complexity as we digitise more and more of our processes and daily activities.

Data protection discussions are becoming increasingly connected to wider issues of democracy, ethics and social governance - so data protection is not going to go away.

Businesses need to fully understand and engage with data issues and ensure they're able to comply and meet best practice.

And we can expect the Data Protection Officer's role to become more important than ever before, as the GDPR and ePR screws continue to turn.

Next steps

Brush up on your GDPR knowledge with our free toolkit: