5 years on! Data Protection is not working!

5 years ago, GDPR became a legal requirement.
 
There was a lot of confusion and a lot of panic! The sentiment behind it, though, was good: change needed to happen to make things better. Data needed to be respected and understood.
 
In the years before that, although the regulation was technically similar to today's, business operation was quite different. Organisations focused on their business; data was (for most) a secondary consideration.
 
That was one of the reasons GDPR was rolled out: so that businesses would consider data and data protection as a fundamental part of business processes (data protection by design and default).
 
5 years down the road, I asked Andrew Roberts, who has over 35 years' experience in this area: is Data Protection working in UK organisations?

This is what he said:

No, it isn’t.

At least not in the way the EU wanted.

We now have a mess which mainly involves paying lip-service to data protection, and so allowing people to get on with their ‘real jobs’.

Just what the GDPR was trying to avoid.

We’re probably several steps backwards compared to where we were on 24th May 2018!

Why isn’t Data Protection working in UK Organisations?

We believe that Data Protection is not working in UK Organisations for 2 main reasons:

1.     It’s all about reducing risk, not about managing data

We talk to dozens of businesses and keep an eye on what many others are doing – we see that it’s all about reducing risk, not about managing data.

We decided to undertake some research – in a sample of UK privacy policies that we reviewed, a massive 80% seemed to have been written with the aim of risk mitigation.

These policies did NOT seem to be trying to help the individuals whose data was being processed to understand how their data was being used, which should be the main aim.

The policies were trying to pre-emptively defend the organisation.

The policies mostly contained data protection-specific terminology and went into extensive technical detail on things like cookies, data transfer and bases for processing.

We have ended up with privacy policies which often don’t make sense to lay people, or are too complicated for them to bother spending time on reading. Just what the GDPR was trying to avoid.

2.     Delegation without empowerment

The second main reason we believe that Data Protection is not working in UK Organisations is that the staff training on the GDPR and other relevant data protection regimes is simply not effective.

It’s OK at the time of training (sometimes), but what is learned is not used immediately afterwards, which means that only some of it is remembered.

When key people in the business are involved in new projects, they know data protection is something to be considered, though even now it is often an afterthought. Their knowledge of what needs to be considered is patchy, and even knowledgeable people often do not understand the subtle context which can drive efficient data protection planning.

If project teams struggle, legal or DPO teams are often too busy to support them well, if at all.

Project teams who know they need to consider data protection often don’t know where to start. They may not understand the subtleties of how to apply the different bases for processing, or when and how to manage sensitive data, and they will often not know how to conduct a thorough, not-just-lip-service DPIA.

We do see that some organisations have great standard operating procedures that guide them through this; but sadly it’s not common.

This tends to mean that data protection on projects is done by chaos and chance rather than design and default.

Just what the GDPR was trying to avoid.

What is the way forward?

So what is the way forward? We believe it is quite simple: to work with data and set up projects that embed data protection by design and default. Three perspectives are needed to do this:

1.      A thorough and practical knowledge of data protection regulations.

2.      A thorough knowledge of how data is, and can be, managed in an organisation.

3.      A thorough knowledge of the business and how it works.

It is, however, astoundingly rare to find all of that in one person. So the answer is to create teams which contain a balance of these perspectives.

The team (and an organisation could have multiple such teams) should be involved in setting up data protection standard operating procedures and in guiding the development of data protection within new projects or supporting existing projects.

The team must have access to an adjudicator when they either can’t resolve an element to the satisfaction of all three parties, or where the parties come into dispute with another party, internal or external to the organisation. This is where the DPO or the lawyers come in.

Without this or a similar approach, data protection will continue to be a sideshow, or a panic that absorbs all attention when something goes wrong. It could be so much more.

 

Help is at hand

If you need any help with any aspect of data protection (the how, what, when, why, who or where), Blake Consultants is here and can help.

Please contact us on hello@blakeconsultants.co.uk or call us on 01635 592020