It all got very frenzied around 25th May 2018, when the General Data Protection Regulation (GDPR) came into force. You just couldn’t move for e-mails asking if you wanted to subscribe – often for things you never subscribed for in the first place.
Some of the e-mails were all wrong, some of them were part wrong; sometimes people were telling you they were keeping your data for reasons which were not, actually, legitimate. Sometimes companies told you they would cease to use your data, but then they continued to do so. And of course in many cases, people did nothing at all – they didn’t give you any notification, they didn’t think about whether they should, and they just kept on doing what they’d always done.
So is that it? We had a storm, it passed, we don’t have to bother anymore? Or has everyone done everything they needed to, totally on top of what they need to do and all’s good for ever more? We assume – none of the above. Here are some thoughts to be chewing over:
- Snuck in on 23rd May, taking effect on 25th May, Parliament approved the Data Protection Act 2018, which confirmed GDPR as part of UK law – it already was, but moving on – and dealt with areas which GDPR left to individual countries to legislate for – such as the age at which individuals cease to be regarded as children for these purposes.
- Businesses which have support functions carried out outside the EEA – the EU plus Norway, Iceland and Liechtenstein – are waking up to the fact that if any personal data is accessed from there, there has to be a comprehensive and highly prescriptive agreement (and arrangements in place to follow that through) between the UK or EU company and the support company or subsidiary. Companies we are dealing with have got their customers wanting to know if data is processed outside the EEA – and a small number of other approved countries – and if so, and if there is no approved arrangement in place, to stop it. This can be drastic in effect.
- Come March 2019, the UK is due no longer to be in the EU, or the EEA. What’s more, it’s not at all guaranteed that it will be one of the other approved countries, at least immediately. Companies in the EEA would not then be able to have data processed in the UK. That could be very disruptive, to businesses, jobs and prosperity. That wasn’t on the side of a bus; it’s just a detail after all.
- Did you see Facebook got fined £500,000 for its activities with Cambridge Analytica? That takes Facebook about 8 minutes to earn, so that wasn’t very painful for them. Why so little? Because that was the maximum fine under the Data Protection Act 1998. Had it come under GDPR, it could have been $1.9 billion. Ouch.
- For that reason, funnily enough, businesses – especially large corporates, and especially those in regulated sectors or with high public profiles – are getting very hot on the data protection element of contracts, and wanting a load of wording added to any contract that isn’t up to date on GDPR. Usually the wording replicates, pretty much, the requirements of the Regulation; but not always, so it needs reading and comparing. A new contractual battleground has opened up over the level of liability suppliers will agree to expose themselves to, for their customers. Often customers will make a play for a full indemnity – all costs covered. Suppliers, on commercial grounds, are standing up against that, so compromises are made.
- And why do we need this? It’s because the availability of data is so massively different from 1995, when the last European legislation was brought in. The World Wide Web was four years old. There was no Google (1998), no Facebook (2004), no Twitter (2006). Not that many companies were that bothered about your data. Now, it’s not just that we, as individuals, leak data, unintentionally, all the time. Though we do that. We also actively give our personal data away, free, to people and companies we really don’t know, for other free stuff in return, and our personal data is monetised to a massive degree. In short, we have become not the customer, but the product.
Data Protection isn’t a flash in the pan; it’s an essential element of the personal safety of all of us. It is how the world now is, it’s not just what happened on 25th May. If we are the product, then we need to be aware of that, and need protection against our being abused as a result. This is the beginning; 25th May wasn’t the end.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins.