Despite Arctic weather conditions outside, a seminar on the imminent enforceability of the General Data Protection Regulation (GDPR) was held at the historic Goldsmiths’ Hall in the heart of the City attended by the Clerks from 101 Livery Companies.
The seminar was requested by the Lord Mayor Charles Bowman in conversations with Ardi Kolah LL.M, Director, GDPR Transition Programme and organised by the Livery Committee, led by Andrew Marsden who chaired the seminar.
Speakers from the Information Commissioner’s Office (ICO), Henley Business School and Accenture delivered a sobering overview of the regulation and its potential impact on livery companies, giving Clerks, Masters and Wardens much food for thought in relation to their specific roles and responsibilities.
Jonathan Bamford, Head of Government and Parliament Affairs at the ICO, set the scene by showing how the GDPR sits within the context of other privacy legislation, notably the Data Protection Bill and the forthcoming e-Privacy Regulation.
‘These laws are intended to foster public trust and confidence,’ said Jonathan, urging the livery companies to seize the opportunity to use this ‘step change’ as a means of showing that they live up to the highest standards.
‘Much of the content of the legislation is evolutionary,’ he added, ‘and builds on laws first drafted in the 1970s and 80s. But the key innovation now is the degree of accountability that is expected of all organisations. We all have to instil privacy by design into our risk assessments, codes of conduct, processing and strategies.’
And quoting the Information Commissioner, Elizabeth Denham, Jonathan reiterated that ‘Our fundamental objective is to build a culture of data confidence in the UK.’
‘Livery companies have a real opportunity to inspire trust and confidence,’ he concluded. ‘We can and must choose to be leaders, to be pathfinders, to set an example.’
The practicalities of implementing the GDPR
Next to take the podium was Ardi Kolah LL.M, Founder of training company GO DPO®, Editor-in-Chief of the Journal of Data Protection & Privacy and Director, GDPR Transition Programme at Henley Business School.
Together with Richard Preece, also from Henley Business School, he outlined the practical aspects of the new regulation, exploded a range of myths surrounding its introduction and involved the delegates in two interactive exercises aimed at stimulating discussion around the risk levels associated with data collection, use and storage.
‘We’ve all seen the potential penalties for data breaches and naturally, everyone wants to avoid them,’ noted Ardi, ‘but our starting point has to be respect for the individual and building digital trust through best practice.’
‘GDPR is here to stay, and even if you believe you are holding or using personal data for a legitimate interest, it’s no longer sufficient to assume that the data owner – a member of your company, for example – consents to you using that information through not opting out. Consent now means actively opting in, and it is up to us to ensure that we have that explicit consent.
‘Clearly, if the data is freely available within the public domain, it’s reasonable to believe that there’s a low level of risk of it causing harm or damage. But seemingly innocuous data, such as a member’s dietary requirements, or even a photograph of them at an event, will be deemed to be high risk, and must be treated with appropriate deference.’
Addressing questions from the audience, Ardi confirmed that Data Protection Officers (DPOs) will be required in larger organisations, and suggested that smaller companies should outsource or share this function. ‘Clear policies and procedures must be put in place so that you can demonstrate the actions you’ve taken, or intend to take. The ICO doesn’t expect 100% compliance from day one, but you would be well advised to limit internal access to data to key personnel, and be able to show that transparency, accountability and control are evident in all your processes – and those of any third parties with whom you work.
‘So don’t panic. Understand the principles, identify the biggest areas of risk, and be aware that one of those is the risk to your own reputation. By doing the right thing, you can enhance it greatly,’ observed Ardi.
The 7 principles
Ardi and Richard summarised the 7 key principles of data protection. These are:
- Lawfulness, fairness and transparency
- Purpose limitation – collecting data only for explicit and legitimate use
- Data minimisation – only holding and using what is relevant and necessary
- Accuracy – keeping data up-to-date
- Retention – maintaining data in an identifiable format
- Integrity and confidentiality – keeping the data secure
- Accountability – demonstrating compliance with the GDPR.
At Henley, fifteen types of personal data have been identified, based on the level of risk. Information deemed to be at the highest risk levels includes medical records, data which could cause reputational damage to individuals or organisations, or any which could involve or lead to discrimination, identity theft or financial theft.
Data owners’ rights are paramount too
In addition to our right to have control – through consent or not – over our individual data, we also have a number of other rights, namely:
- Access to our data on request
- The right to rectification, if we believe the data to be misleading or incorrect
- The right to be forgotten (now more usually referred to as the right to erasure)
- The right to restrict processing of our data
- The right to data portability
- The right to object or challenge
Ardi and Richard then invited questions from the audience, and were able to provide clarification on a range of issues relating to the way that the GDPR will apply specifically to the livery companies, including:
- the costs of addressing a personal data breach, irrespective of any fines or sanctions from the ICO
- identifying the public sector or charitable status of a livery company, and thus its need for a DPO
- means of obtaining consent across a range of data fields and intended processes
- gaining authorisation from previously-enrolled members through ‘elegant re-consent’
- the need for impact assessments, DPOs and codes of conduct
- the relevance of the British Standard BS10012:2017
- how and why the obligation to gain consent overrides ‘legitimate interest’
- data processing versus freedom of information
- definitions of data, data breaches, data processors and data controllers.
The grief cycle – everyone’s doing it!
The seminar’s final speaker, Nick Taylor – MD for Strategy at Accenture, UK and Ireland – empathised with the livery companies and assured them that the uncertainty surrounding the launch of GDPR is felt by many organisations. He likened the emotional journey to the bereavement grief cycle:
denial > anger > bargaining > depression > acceptance
Nick reminded the audience that many types of organisation – such as banks, for example – are massively impacted by GDPR to a much greater degree than livery companies, given the amount and scope of data they hold, but all have come to terms with the new regulation. He urged the livery companies to do the same, and use the opportunity to ensure that their houses are fully in order.
Using the RNLI as an example, he recounted their efforts to gain consent from the two million contacts on their database. Having had limited success with their initial attempts to obtain consent, they changed the tone of their communication to promote their wish to be a trusted and ethical operator, and elicited a higher response as a result.
Nick summarised his recommendations with a 6-step ‘No Regrets’ checklist:
- Find someone who is data oriented (internally or externally) to be your data controller
- Identify where your personal data is
- Assess the value relating to that personal data
- Dispose of any personal data that isn’t of any significant value
- Assess the risk to your audiences based on their customer journeys
- Have a clear plan for dealing with personal data breaches.
Ardi and Richard rounded off the day with their own five-point action plan for those present, and provided all delegates with a series of templates, plus a hot-off-the-press hardback edition of the GDPR with an index that was compiled using artificial intelligence software and printed and bound by F.J Blissett, London, bookbinders by Appointment to Her Majesty the Queen. An enhanced index version is available for purchase on Amazon.
Delegates were urged to:
- Send a new data privacy notice to all members and guests
- Add a subject access request (SAR) form to their website
- Validate the accuracy of any existing data and dispose of any out-of-date or superfluous data
- Ensure that all Masters and Wardens are briefed on the new standards under the GDPR
- As a Clerk, consider enrolling on the Henley GDPR Transition Programme to become a DPO.