Gareth Oldale

GDPR was not the final hurdle. The huge effort undertaken by organisations three years ago to bring themselves in line with the framework was one stage of a perpetual race. GCs and DPOs sit in the middle of a contest between the ever-advancing world of technology and data collection, and the ever-changing world of data regulation and public opinion.

It is a delicate balance between fostering a progressive organisation that takes advantage of new technological advancements and remaining mindful of customer privacy and expectations.

Striking this balance is increasingly important as the world emerges from the pandemic into the virtual future. Meanwhile, the UK’s exit from the European Union has cast uncertainty over its alignment with the GDPR and its ongoing adequacy status with Brussels.

This roundtable session, hosted by TLT partner and head of data, privacy and cybersecurity Gareth Oldale, sought to explain how GCs and DPOs can best support their businesses in navigating this complex terrain. Oldale was joined by leading in-house lawyers and data officers from organisations throughout the UK.

Brexit and international data transfers: clarity at last?

The General Data Protection Regulation (GDPR) was published by the EU in April 2016, two months before the Brexit vote. In the years since, the UK’s relationship with the regulation, which also governs the transfer of data outside of the EU, has been subject to much conjecture and change.

The UK was finally granted adequacy status by the EU in June this year. An adequacy decision allows personal data to flow from the EU to an external territory without additional safeguards, because that territory has been deemed to provide an essentially equivalent level of protection for the data rights and freedoms of individuals.

Oldale said: “The adequacy agreement fills a huge gap in people’s data transfer models.”

When the announcement was made, the EU Commissioner for Justice added: “The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed.”

As such, the job of the GC or DPO is never really finished. The UK’s adequacy status is continually under scrutiny: the decisions carry a four-year sunset clause, so they lapse unless renewed, and the Commission can suspend or repeal them sooner if UK law diverges. Losing adequacy would not halt EU-to-UK transfers outright, but each one would then need its own legal basis. UK companies would have to rely on the European Commission’s Standard Contractual Clauses (SCCs) or another appropriate safeguard for transfers of data from the EU to the UK, posing a logistical nightmare for UK data teams.

An immediate challenge for attendees is to adapt to both the European Commission’s and the UK’s new SCC documents. The European Commission published its new version of the clauses in early June, while the UK’s Information Commissioner’s Office (ICO) has yet to release its own.

“The key question is do you remediate your EU contracts with the new SCCs now, or do you wait until the ICO publishes its version and then do it all in one hit?” said Oldale.

Roundtable delegates were generally in agreement that it’s best to sit tight, prepare the contracts you suspect will need repapering, and wait for the UK’s SCCs to be published.

Two potential hills to climb in this process were then discussed. The first was a clause within the new SCCs that requires the parties to undertake a transfer impact assessment before sending data to a third country, to determine whether the laws of the destination offer protection essentially equivalent to the GDPR. “This is likely to be difficult in many cases, as over the 25 years since the EU has been responsible for determining if third countries offer equivalent protection (through the adequacy process), only 14 countries have been deemed adequate, and now that onus is in some respects on you,” said Oldale.

The second concerned the use of SCCs with third-party providers, such as cloud service providers.

The new SCCs are not intended to be used where the overseas provider you are contracting with is already directly subject to the GDPR. Oldale said: “My experience is that clients really aren’t comfortable with this, and it feels alarming not to have anything in the contract, so you might feel the need to use SCCs anyway.”

AI and regulation

The GDPR was a major milestone in data regulation, but the regulatory landscape continues to develop as new technologies emerge.

A major focus for the UK’s ICO going forward is bias within technology. During last year’s exams fiasco, grades in England were initially set by an algorithm that weighted a school’s historical results alongside each pupil’s own academic record. There was a backlash against this, as high performers in historically lower-performing schools, often in low-income areas, saw their grades marked down.

One technology at the forefront of this debate is live facial recognition (LFR) software. LFR software measures the dimensions and characteristics of faces captured on camera and compares them against a watchlist of people of interest. In a law enforcement context, the police may use it to scan a particular area for suspects. In the private sector, retailers could use LFR to identify known shoplifters.

Bias is a key concern here, as LFR technology has been shown to be less accurate at reading female and black faces. A black woman is far more likely to receive a false positive match than a white man.
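The bias the roundtable describes is measurable before deployment: run the matcher over labelled probes, split the results by group, and compare false-positive rates at the threshold you intend to use. The script below is an added example, not code from the roundtable, the ICO or any LFR product; the similarity scores, the two groups (`group_a`, `group_b`) and the threshold of 0.60 are all constructed so that the file runs offline. It reports per-group false-positive and true-positive rates at one global threshold, then finds the per-group threshold needed to cap the false-positive rate, which is the kind of figure a data protection impact assessment for LFR would need to record.

```python
# Added example: auditing a watchlist matcher for unequal false-positive
# rates across groups. Not from the roundtable; all scores are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One face captured by the camera, scored against the watchlist."""
    group: str          # demographic group used for the audit (label only)
    on_watchlist: bool  # ground truth: is this person really on the list?
    score: float        # best similarity to any watchlist entry, 0.0-1.0


def _probes(group, watchlist_scores, innocent_scores):
    """Build probes for one group from constructed score lists."""
    return ([Probe(group, True, s) for s in watchlist_scores]
            + [Probe(group, False, s) for s in innocent_scores])


# Constructed sample (hypothetical values). group_b's innocent scores sit
# higher, mimicking a model that separates that group's faces less well.
SAMPLE = (
    _probes("group_a",
            [0.65, 0.80, 0.90, 0.95, 0.99],
            [0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.62, 0.70])
    + _probes("group_b",
              [0.58, 0.75, 0.85, 0.90, 0.95],
              [0.30, 0.40, 0.50, 0.55, 0.61, 0.65, 0.70, 0.75, 0.80, 0.85])
)


def audit(probes, threshold):
    """Per-group false-positive and true-positive rates at one global
    threshold. A probe is flagged as a match when score >= threshold."""
    counts = {}
    for p in probes:
        c = counts.setdefault(p.group, {"fp": 0, "tn": 0, "tp": 0, "fn": 0})
        flagged = p.score >= threshold
        if p.on_watchlist:
            c["tp" if flagged else "fn"] += 1
        else:
            c["fp" if flagged else "tn"] += 1
    result = {}
    for group, c in counts.items():
        innocents = c["fp"] + c["tn"]   # people NOT on the watchlist
        listed = c["tp"] + c["fn"]      # people really on the watchlist
        result[group] = {
            "fpr": c["fp"] / innocents if innocents else 0.0,
            "tpr": c["tp"] / listed if listed else 0.0,
            "n_innocent": innocents,
            "n_listed": listed,
        }
    return result


def threshold_for_max_fpr(probes, group, max_fpr):
    """Lowest threshold, drawn from the group's observed innocent scores,
    at which that group's false-positive rate is <= max_fpr. Returns None
    if only a threshold above every observed innocent score would do."""
    innocents = sorted(p.score for p in probes
                       if p.group == group and not p.on_watchlist)
    for t in sorted(set(innocents)):
        flagged = sum(1 for s in innocents if s >= t)
        if flagged / len(innocents) <= max_fpr:
            return t
    return None


if __name__ == "__main__":
    for group, r in audit(SAMPLE, 0.60).items():
        print(f"{group}: FPR={r['fpr']:.2f} TPR={r['tpr']:.2f} "
              f"(n_innocent={r['n_innocent']}, n_listed={r['n_listed']})")
    for g in ("group_a", "group_b"):
        print(f"{g}: threshold for FPR<=0.2 -> "
              f"{threshold_for_max_fpr(SAMPLE, g, 0.2)}")
```

On the constructed sample a single threshold of 0.60 gives group_a a 20% false-positive rate and group_b a 60% one; capping both at 20% forces group_b's threshold up to 0.80, which in turn lowers its true-positive rate. Whichever way that trade-off is resolved, it is a decision about people's liberty that belongs in the impact assessment, not in a default setting shipped by the vendor.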

In the past few weeks, the Information Commissioner published a statutory opinion on the matter. She has called for a statutory code of practice to be implemented by the government, outlining where and when LFR technology can be used.

“The discussion around LFR is relevant to the future of any AI technology that impacts the individual. Key themes are the loss of liberty and financial detriment arising from the use of an algorithm or other AI technology to make decisions about people,” said Oldale.

On the topic of algorithms, one delegate explained that: “Most of the advice we have received [when learning how to use algorithms compliantly] is to explain and be transparent. By being open with our clients we can counter bias.”

Transparency

Roundtable delegates were in broad agreement that transparency is key when implementing any machine learning, algorithm or AI technology.

“Without any prescriptive regulation, doing what you can to apply core GDPR principles to whatever you do will serve you well,” said Oldale. “This will vary depending on the audience. You have to consider the language and phrasing you use.”

Transparency means information that is readily understandable to the people it is aimed at. When the GDPR was introduced, organisations often complied by publishing complex and generally inaccessible documents that most members of the public would lack the time and willingness to read.

One delegate commented that they are beginning to use infographics and videos to make their cookie policy transparent, translating what is a relatively complex area into a digestible format.

Accessibility of privacy notices, for example, is essential in gaining a customer’s trust around an organisation’s use of data.

Just because you can, doesn’t mean you should

The ICO has stressed the importance of implementing technology with a purpose, and not implementing technology for technology’s sake.

“Employees and the public at large have had sympathy for organisations that deployed technology in a hurry as a result of the pandemic,” explained Oldale. “As we start to come out of lockdown, patience around intrusive technology will wear thin.”

Oldale was referring directly to organisations that have implemented technology to monitor their employees at work.

For example, Amazon has developed a product that can determine whether your staff are social distancing. Once the pandemic has finally subsided, privacy activists may quickly point to this type of technology as being reminiscent of Orwell’s 1984.

“This all comes back to having robust data protection impact assessments in place and ensuring they’re adhered to,” said Oldale.

The discussion highlighted the human side of data use. The capability to implement technology may exist, and you could be well within your legal rights to do so. But does it feel like the right thing to do? Is it the image of your organisation that you want to present?

Just because you can, doesn’t necessarily mean you should.