On 17th April 2018, I was one of the speakers in the GDPR Press Briefing held at City, University of London (City). Checkout the hot off the press ‘City academics discuss GDPR at press briefing’
My written prepared talk is shared below.
Privacy and the Individual – What difference will GDPR Make?
Thanks John for the introduction. A warm welcome to all.
Any talk on privacy and the GDPR invariably uses terms or phrases that may be blurry or obscure. So just to set the scene, when I say the ICO I’m referring to the UK’s data protection watchdog – The Information Commissioner’s Office. When I say ‘data’ I’m referring to personal data as described in the GDPR.
Although the GDPR did not reference privacy – itself a complex term, privacy is embedded as information or data privacy and expressed in phrases such as:
‘respect for human rights and fundamental freedoms (Art. 12 – exercise of the rights of the data subject); ‘High risk to the rights and freedoms of natural persons’ (Art. 35 -Data protection impact assessment), and ‘Risks to the rights and freedoms of natural persons (individuals)’ (Recital 75).
It is no longer just about protecting personal data or processing of personal data but data privacy.
With this comes obscure or unclear terms.
What is ‘high risk’? How do you express ‘rights and freedoms’ of natural persons (individuals) especially in the context of privacy impact assessment (PIA) or data protection impact assessment (DPIA)?
We know that the GDPR describes DPIA (Art. 35) and also breach notification (Art. 33 – notify the ICO, and Art. 34 – communicate to the data subjects).
I know fresh in our minds is the recent Facebook-Cambridge Analytica scandal. Flashback to October 2015, anyone here still remembers the TalkTalk data breach incident?
Would you all agree that both Facebook & TalkTalk responded or handled the data breach announcement or notification to affected individuals rather badly or failed to do so in the eyes of the public and the affected individuals?
Certainly, under the GDPR both would be required to notify the ICO within 72 hours and to affected UK individuals without undue delay or ‘as soon as possible’ (Guidelines on Personal data breach notification under Regulation 2016/679)
As we know the GDPR requires organisations to notify the ICO where there is a risk to the rights and freedoms of individuals, and only notify the individuals where there is high risk.
My research examines data incidents response, in particular, the privacy harm to individuals as a consequence of the data incident. I have designed a prototype dashboard and have conducted user evaluation study with industry practitioners. The dashboard is for assessing privacy data harm by addressing the initial breach notification question to notify or not affected individuals and to the ICO during initial data incident response.
There is still fear in organisations when it comes to disclosure of data incidents. However, the GDPR will held organisations accountable e.g. with the fines and penalties, and to be transparent to report data incidents. Affected individuals have the right to know.
The outcome of my study also revealed that it is possible to do an initial data breach assessment even with the unclear terms: ‘high risk’ and the ‘rights and freedoms’ of individuals. The prototype dashboard also shows notification alerts with the countdown to 72 hrs from the point of being aware of the incident. One participant remarked: ‘It (the dashboard) provides a calm objectivity in time of panic & stress. Because you’re going to be stressed, you immediately think your personal reputation and your organisation’s reputation. Would we be fined? And all these things come in rather than actual thinking of the consequences to individuals’.
When the data incident happened, the genie was out of the bottle, out in the wild – the harm was already done.
The GDPR would not bring the genie back into the bottle or stop the harm. So as a matter of good business practice and in the spirit of the law, organisations should notify their customers.
May post a photo taken by John Stevenson (City’s Senior Communications Officer)