2020 has been a difficult and challenging year for many on so many levels. 2021 brings more challenges, so where should you start on data privacy? Currently we have Brexit, real cyber threats, changing requirements and an increasingly informed and sensitised public.
Let’s start with Brexit. By the time you read this we may have a deal or a no deal. So what, you say? On one level, not much. The UK has already Brexit-proofed GDPR by using the Data Protection Act 2018 to, in effect, implement it post the exit transition period into UK law, becoming the ‘UK GDPR’. So on that level, not much change.
Where a deal, or no deal, matters most is in relation to transfering data between the EEA and the UK. Transferring data out should not be much of a problem. The UK Government has already decided that EU and UK GDPR are comparable and represent ‘adequate provisions’ for data flow. But incoming personal data from the EEA is more tricky because without a deal, the EU may not treat the UK as ‘adequate’ and therefore the same kind of requirements would apply as current ‘third’ countries like the US. So for many, that means putting ‘Standard Contractual Clauses’ into contract to ensure the gateway is kept open.
But the requirements go beyond Brexit; 2020’s strikedown of the US-EU Privacy Shield in effect shuts the door on the UK/EU/US gateway for sharing personal data. Still unresolved by the authorities, it demonstrates that our frameworks are still evolving, partly a reflection of our having collectively not settled tensions between privacy protections, commercial freedoms and state security frameworks. But also because individual business and public sectors are looking at what their data frameworks should be to help evolve their operations and cross sector and cross border data flows. And don’t forget, any Brexit ‘deal’ is not ‘it’. Myriad negotiations on equivalence and trade remain to be had with the EU and the rest of the world where personal data is a part.
Then there is security. Data protection isn’t just about cyber and preventing or acting on data leaks. But when the US Government is currently investigating a major attack which may have persisted since March 2020 and a cyber-security firm such as FireEye Inc has an ongoing investigation, the cyber and data leak threat is very real. And not just for large corporates and Big Government. FireEye’s investigation has identified that up to 18,000 entities may have been compromised in a related attack on SolarWinds Corp. Most of that is about commercial and state data but is it any wonder that when Google suffered a global outtage during December 2020, that many customers will have wondered ‘have they been hacked?’ ‘Is my data safe?’
2020 has asked a lot of questions of us on our data safety. Many of us have been working from home and that is likely to continue in some shape or form going forward, way beyond the pandemic. In the rush, rightly, to protect staff, many scrambled to work from home with little thought to safety of networks in an emergency scenario that has been going on for months. Others have substantial recruitments of new staff who may not have been physically seen by their employer. Yet ironically, being at home will have focused the minds of individuals more on their personal data security and privacy, because they have spent more time there.
So, amidst all of this, what should I do?
The first is, recognise that your compliance and your data protection has to be practical. Yes, you need policies and contracts, but you need to combine that with practical implementation and monitoring of standards.
We have found through the second half of 2020, increasing numbers of people coming to us to review and strengthen their compliance standards. Why? We think that two years on from May 2018’s implementation of GDPR, often hurried and legally focused for many, new management and board intakes have taken the opportunity to review work done to get ready for GDPR. They want to update, but more importantly they want to see their data protection frameworks working. Not just having policies and documents. Instead, having end to end policy-to-practice and principles-to-performance. And as boards or execs, getting the kind of reporting and management information that they would expect or other risks or from other parts of the business so they can take business decisions.
The second follows this; having a joined-up approach. Data protection is about many things. They include protecting your operations and business. Protecting your customers and partners. They also include turning this into a competitive advantage and business opportunity because data is one of your biggest assets. That means linking your customer focus, staff recruitment and standards, information and transparency, physical security, cyber and information security, board and executive reporting and the priority you give to data protection as against your many other business risks. The Compliance Foundation, also think that means thinking about your whole spectrum of compliance of which data protection is a part and how it all interrelates, rather than separating it out into a privacy stream.
That means thinking about the support you use which has to be joined up in providing the specialisms you need in a joined up and non silo’d way. That’s why The Compliance Foundation, Mitigate Cyber and Hill Dickinson LLP formed their ‘360 approach’ to data protection two years ago and a joined-up approach now seems even more important than ever.
Because among the many grave lessons 2020 has taught us, expecting the unexpected and working together has to be a top lesson for 2021.