Lessons Learned From 5 Years of GDPR

Brief history - a look at where it all started

Let’s begin in 1953. The European Convention on Human Rights (ECHR) became binding on all Council of Europe member states. Article 8 provides a requirement to respect the right to privacy in private life. This has been tested repeatedly over the and formed the basis for constitutional articles and rights declarations far beyond Europe.

In 1981, Convention 108 of the Council of Europe was signed. This was intended to address Article 8 of the ECHR. It set out some basic binding principles on automatic processing of personal data and is often considered the first major step towards modern data protection laws – it remained the only internationally legally binding instrument on the protection and privacy of personal data for four decades!

Then in 1995, the Data Protection Directive was enacted by the EU. In the UK, this became the Data Protection Act 1998. This defined requirements for transparency, purpose limitation, proportionality, internal and international transfers, and the requirement for a supervisory authority (such as the UK’s Information Commissioner’s Office) among others. It was intended to ensure the free flow of data within the EU but prevent risky transfers to other countries, and to ensure that there was an avenue for individuals to challenge the use of their data, or at least get a copy of it.

In 2003, the ePrivacy Directive became law as the Privacy and Electronic Communications Regulations (PECR) in the UK. This strengthened protections in electronic communication, particularly the security of communications networks and the use of data for marketing purposes. This set new requirements for consent to direct electronic marketing, including phone calls in many situations. It requires that preference lists such as the Telephone Preference Service (TPS) are checked and honoured. And yes, it did bring about the requirement for cookie notices on websites – long before the GDPR! It also covers non-cookie tracking technologies such as tracking pixels or graphics in emails. PECR is often overlooked and we’ve written a separate blog about it – well worth a read.

Back to the future... sort of

I appreciate that this is called 5 Years of GDPR and so far we’ve talked about everything except GDPR. But bear with me. GDPR was ratified in 2016, and the key requirements were known about even in advance of that. So, when we say that in 2018 there was something of a state of panic on the topic, there had been two whole years to prepare at that point! GDPR didn’t come out of nowhere. In those two years the GDPR was hailed as the biggest boon to individual rights to date, and at the same time condemned as the biggest threat to business. As with many things, the truth is somewhere between those two positions – but not necessarily always in the middle.

In the UK, the Data Protection Act 2018 was added alongside it. This brings together GDPR, elements of PECR, and other legal bits and bobs. It also has requirements of its own that flew under the radar for years, such as the need to have an Appropriate Policy Document (APD) for processing the sensitive data of employees.

Is GDPR ‘compensation’ working well enough?

Obviously the biggest GDPR headlines have been fines and compensation. While there have been dramatic headlines, with Meta's total fines under GDPR in the region of €4bn, the fines have not been nearly as impactful as some of the worst fears (or depending on perspective, hopes) of 2018. In the UK, public sector organisations are more likely to be given a reprimand rather than a fine for instance.

As for compensation, this has been far lower than many anticipated. For instance, in one jurisdiction, loss of control of data to the US was set at €100 per person, tempering the threat of group litigation orders (AKA class actions) for the more humdrum failings.

Can GDPR actually help your business?

Despite the GDPR routinely (and wrongly) being seen as an encumbrance, many of its requirements make sense for sound business and management reasons. For example, the requirement to maintain Records of Processing Activities (RoPA) under Article 30 can reduce time needed from business analysts when scoping projects. Data Protection Impact Assessments (DPIAs), reduce time misspent on projects which are not appropriate, legally viable, or necessary.

Is GDPR keeping up with AI?

This brings us to profiling and automated decision making. This could scarcely be a hotter topic in 2023. These rights apply not only to black box AI solutions but also apply to profiling based on a person’s characteristics. There’s a misconception that these are blocked by GDPR. On the contrary, it is acknowledged that automated tools and classifying people on common attributes, can, in the right circumstance, be immensely valuable. For instance, the insurance industry could scarcely function if they were genuinely blocked from profiling. What GDPR does do is require that safeguards are in place, that the impacts are assessed, and risks managed. This means conducting a DPIA, creating a plain language explanation of the processing, or potentially, the option for a human decision maker. These rights also only normally apply if they have significant effects, such as access to employment, goods and services, pricing, and the like.

Controllers utilising these tools should account for inherent bias. For instance, if a CV analysis tool is trained by looking at who were successful in the past, this may build-in a gender bias that currently exists in the workplace. However, it provides the opportunity to reduce human bias if this is addressed as part of the design and testing of the tool.

There are of course massive risks to people, to businesses, and even to nations from AI tools. Whether this be from a car safety system that can recognise a pedestrian and a cyclist, but not someone wheeling a bicycle, a large language model that crams government consultations with AI produced responses, or an AI logistics system exploited by cyber criminals.

Evolving regulation to match evolving risks

It is for these reasons that new regulation is being developed, intended to bring a degree of accountability to developers, setting standards for safeguards and human oversight, while still facilitating the effective use of these powerful tools.

As a test, I took the liberty of asking ChatGPT to write a blog on five years of GDPR. Unfortunately, while the output was well written and had a veneer of plausibility, the accuracy was genuinely terrible. It stated that explicit consent is always necessary, in reality, consent is often highly inappropriate as there is a contract or a service being provided. It would be a bit of a problem if the police required explicit consent to process the data of suspects! I suspect that this was derived from some terrible articles that were being reposted on the internet in 2018 that led to businesses seeking consent they shouldn’t have been. It had other inaccuracies on cookies, the right of access, when to report data breaches, and even wrongly said that data subjects have an absolute right to have their data deleted.

It's also been highlighted that large language models like ChatGPT can result in data leakage. For example, developers using it to assist in coding and testing, discovered were inadvertently training the model and so, their proprietary code was available to anyone who asked the model the right questions.

The UK’s different path... goodbye GDPR?

Just in time to celebrate 5 years of GDPR, there’s news that UK may be abandoning it, sort-of. In the UK, there is a new bill before Parliament, the Data Protection and Digital Information (No 2) Bill. Or the ‘DPDI’ to you and me. If enacted as written at present, this will mark the start of the UK’s divergence from the EU data protection landscape. The DPDI is lauded by some as a saving for business or scrapping annoying cookie notices (spoiler, they’re only annoying if websites aren’t following the current rules) and feared by others as a significant blow to individual rights. This can be both at the same time. For example: there appears to be an erosion of the requirement to inform data subjects of the processing, which would make life easier to those business that handle the largest volumes of data. It is claimed that it will enable more research to take place. This is debatable as in most cases, significant research and statistical use of data is already possible, it’s just that data subjects may be able to object or opt-out depending on the circumstances (e.g., the NHS National Data Opt-out). Perhaps the biggest risk in the Bill comes from reduced protections in relation to profiling and automated decision making.

If the UK were to kill the GDPR and adopt the DPDI, businesses who provide services in the UK and the EU would need to support separate data protection standards. If the DPDI failed the EU’s tests for an adequacy decision, then that’s also more work in maintaining SSCs and BCRs, and possibly lost business, particularly in the health and education sectors. This extra work could easily outweigh any potential savings the DPDI is likely to bring.

People are always the ones to rely on

Be it for complying with existing laws, assessing the impact of planned laws, or working out how to tread the line of ethics and business benefit, having the right guidance and support is key to every business. Your advisors should have the skills and experience in all aspects of data protection and the resources to assist. An independent adviser or DPO can often bring the advantage of wider industry knowledge, security resources, and inter-industry experience while maintaining an understanding of your business, its challenges, and needs. Regulations always change as they react to technology and politics. Your business can’t afford to be left behind.