Help or Hindrance? Engage Early With Data Protection Regulations to Facilitate Innovation
Mac Macmillan, Counsel, Hogan Lovells
Earlier last week at Money 20/20 I participated in a panel discussion on “the EU Data Protection and Privacy Framework: Opening new markets?” The audience was interested in how data protection reform in Europe would affect innovation. Would the new General Data Protection Regulation (GDPR) help or hinder innovation? The role of data protection regulation isn’t to support innovation, but neither does it have to be the blocker to new business ventures that it is often seen as. Often it becomes a blocker because businesses don’t understand it and so avoid engaging with it until the last minute. Early engagement is key to ensuring that data protection rules aren’t a blocker to innovation, and this will be truer than ever once the GDPR comes into force. Here’s why:
The GDPR seeks to get organisations to embed privacy within their organisation, and to give individuals more control over their data. The first goal means organisations have to be pro-active in their approach to privacy. In particular:
· Organisations must implement policies to ensure and demonstrate that they comply with the GDPR
· They must implement policies to introduce “data protection by design and by default”. This means product developers need to design with principles such as security and data minimisation in mind from the outset — a new mindset for many developers.
· If you are using new technologies to carry out processing which may result in a high risk to individuals, a privacy impact assessment (PIA) is mandatory. This is likely to apply to any significant profiling or uses of big data.
· In certain cases prior consultation with the data protection authority is also going to be mandatory.
None of these obligations is insurmountable, but if, for example, you wait until the end of a project to conduct your PIA, it will be a lot harder to make changes to your product to mitigate any risks.
In addition to this, innovators need to take account of the new and strengthened rights given to individuals:
· Individuals will have to be given much more detail about how their data will be used, including the legal basis for each purpose of data processing, guidelines for data retention periods, and details of any automated decision-making, including profiling, which significantly affects them.
· If the purposes of processing change, updated information will need to be provided.
· If you are going to rely on individual consent to process an individual’s data you can’t bundle the consent into the Ts&Cs — it will need to be presented so it’s clearly distinguished. You also have to give individuals a genuine choice. If the consent is presented as a “take it or leave it”, it’s unlikely to be valid.
· Individuals will have an absolute right to object to profiling for direct marketing purposes.
· They will also have a stronger right generally to object to data processing or to ask for processing to be temporarily restricted while complaints are investigated.
· Individuals have a right to data portability — in other words to receive a copy of data which they’ve provided in an easily portable electronic format which can be shared with other data controllers.
Again, the key here is planning ahead — in most cases systems will need to include functionality to allow these rights to be managed.
GDPR won’t come into force until 2018, which seems a long way away until you consider the length of product development life cycles. Businesses need to start getting their heads around what GDPR will mean for them now, so that they are ready for the changes it will bring.