Our Director and Consultant, Clare Paterson, gives an update on her view of data protection and how it is looking at the beginning of 2023:
“In housing in particular, but this happens in just about every sector that I’ve worked in or worked with, data protection is seen as something separate from the day-to-day business, from the day-to-day customer service.
Add to that the fact that no one else outside of the Data Protection team seems to really understand what data protection is all about, and we have a bit of an issue as Data Protection Officers and Teams.
A lot of people will say “Oh yeah, data protection, that’s IT security”, but it’s about so much more than that. In housing I would say about 99% of everything you’re doing will involve (in some way) data that relates to identifiable people.
It could be something to do with tenants or customers. It could be something to do with colleagues or employees. It could even be asset-related data, as addresses of assets are often the addresses of people.
So much of what you’re doing is actually connected with data, as you know.
Meaning that data protection should be the foundation of all that work.
We know it’s not though, and that’s something we need to continue to work on, across the sector and related sectors.
Data Protection Reform
How does the road ahead look for the data protection reform?
Well, it’s a little bit cloudy at the moment; a bit of a grey cloud hanging over it.
Let’s look at what we’ve had so far:
- Data Protection Act 2018 for the UK;
- The UK GDPR after Brexit;
- The SCCs (standard contractual clauses) are transferring across to the IDTA (international data transfer agreement);
- DPDI Bill (data protection and digital information) was on the horizon.
In housing we can add to that, with these things which are also about data:
- The Building Safety Act; and
- The Social Housing Regulation Bill (going through the Commons at the moment).
If we put all those together, it’s enough to make you scream!
In September 2021, when we heard about “Data, a new direction” from the government we all started looking at the draft DPDI Bill and trying to absorb the possible changes it would bring.
But then in October 2022, with a new Secretary of State, we heard about a “new British data protection system”. We had gone from Nadine Dorries with her new direction to Michelle Donelan talking at the Conservative Party conference about a new British data protection system.
Does that mean scrapping the (currently paused) DPDI Bill and starting again?
Well, we don’t know for sure.
Let’s talk about what we do know so far – I just wanted to highlight a few points from the draft DPDI Bill that I think are most applicable to what we’re doing here in housing and similar sectors.
First of all, we start with a bit of clarification around “identifiable” and what that means in terms of what counts as personal data. So that’s useful. And there could also be a list of legitimate interests that are already pre-approved, rather than having to do the balancing test for those particular purposes.
Profiling restrictions are eased. I’m not so pleased with that one. It’s about only restricting profiling and automated decisions when they involve special categories of personal data.
We already know that we’re moving towards a more risk-based approach for international transfers, which might open things up a little bit and might be useful for us DPOs, even if it’s just to reduce the number of arguments we have with colleagues.
There is also the possibility of scrapping the need for a UK representative.
The Bill would amend PECR (Privacy & Electronic Communications Regulations) as well, by providing a list of which cookies (and similar technologies) are necessary. Which would also mean fewer arguments with your marketing team and your web development team.
A lot of the other changes that I think are worth highlighting are just about a change in terminology, really. Although there have been headlines on LinkedIn and so on stating, “they’re getting rid of DPOs”, “they’re getting rid of records of processing and DPIAs”, it’s just terminology.
For example, in Data Subject Access Requests (DSARs) and other requests, the term “manifestly unfounded” could become “vexatious”, which is more in line with Freedom of Information, and perhaps easier to gauge.
Even if we get rid of DPOs, we would still need to have a “senior responsible individual”, so it’s “a rose by any other name.”
A Record of Processing might not be needed, but you would still need to know (and record) what you’re doing with data.
And Data Protection Impact Assessments might not be needed, but assessments of the impact of what you’re doing will still be needed. Again, spot the difference!
A little bit positive, and a little bit negative perhaps?
But remember that this is very much not set in stone.
We might get something completely new!
What we do know is that the majority of enforcement action by the ICO in 2022 was for PECR breaches, and that may well continue to be the case.
ICO Enforcement Action in 2022
In particular I wanted to highlight the Halfords service e-mail, which was not a service e-mail just because it said at the top of it “this is a service e-mail.”
This is the kind of approach I’ve seen many comms teams wanting to try. So these examples can be really useful to share with any of the teams with whom you’re having those robust discussions (shall we say?).
We still need to be alert to the action that was taken under the GDPR too, though.
The Department for Education case was really interesting. Information they held had found its way into gambling companies…but they only got a warning for that!
That’s part of the ICO’s new strategic approach to enforcement in the public sector, which means the public sector faces much less risk of a high monetary penalty.
In the private sector, Interserve received a £4.4 million monetary penalty after they suffered a cyber-attack, and it will also have cost them more money behind the scenes, with all the work that goes on to sort out a cyber-attack and its repercussions.
The Easy Life case was great (for us DPOs!) because it proved that data protection is not just a data security issue.
Easy Life were fined £1.35 million for misusing data (plus a PECR fine too).
No data went outside of the company; nothing was breached or lost or hacked.
But they were a catalogue company that was, in the background and without any transparency, recording on the files of certain customers that they possibly had arthritis, for example, because of the products they bought. Then they were marketing arthritis related products to those customers.
So nothing went external. But it was because of that misuse of data with no legal basis, and that lack of transparency, that they were fined £1.35 million.
There was another cyber-attack, which was suffered by a solicitors firm, and they were fined £98,000.
And another data breach that I found heart-breaking, because we’ve all done this: the NHS sent out emails to people who were linked to their gender identity clinic without using the blind carbon copy. I’m sure we’ve all done something similar.
They were fined £78,000.
Plus of course all the issues of dealing with that behind the scenes.
And then we had an enforcement notice (no fine) for SLS, a financial advisor, that had completely ignored a DSAR for months…and all they got was an enforcement notice telling them to complete the DSAR.
I speak to a lot of data protection officers who are so worried about being a few days late with a DSAR, and I always say it’s better to take your time to get it right and send it late than to rush to send it and find you’ve not redacted something that you should have redacted, which could cause someone harm.
To end the update section, I want to mention a speech by the Information Commissioner John Edwards. He presented the keynote speech at the NADPO Conference in November 2022, at the offices of Mishcon de Reya. And he started his speech by saying “I enjoy speaking to groups of ordinary citizens and bringing to life this arcane and technical world of data protection.”
Let that sink in…”arcane and technical world of data protection.”
He went on to say “you, however [the people at the NADPO conference] are not ordinary citizens; you get the boring and technical and I know you thrive on it.”
I don’t know if he thought any part of that was supposed to be complimentary to those of us who work in data protection, but it certainly doesn’t feel like a compliment to me! And I don’t believe it’s a true reflection of data protection either.
When we even have the Information Commissioner himself calling data protection boring and technical and describing us data protection folk as thriving on the boring and technical, it’s no wonder our colleagues are seeing it as red tape.
It’s no wonder that the potential data protection law reforms are being talked about in terms of saving us from all this red tape. You might be forgiven for thinking it’s all doom and gloom for data protection officers though, so I do want to bring in some ideas of what you might want to focus on to not feel quite so doomed.
What do we do now?!
The first thing is to stay calm; don’t panic.
I know it’s easier said than done, but come back to that idea of data protection in its true meaning; that it’s about purpose and respect of data, not just security. And that it relates to at least 90+ percent of what goes on in the social housing world and a huge chunk of what you’re doing in other sectors too.
Look for opportunities to demonstrate that. Look for the opportunity to demonstrate that good data protection practices in their fullest meaning can be an asset, not an obstacle. Please see my recent blog post about GDPR being the greatest asset in digital transformation, and in all the other projects that are going on in housing at the moment, such as the golden thread requirements of the Building Safety Act and the incoming Tenant Satisfaction Measures.
They’re all about data, and they’re all about pulling together threads of data. My advice to you as DPOs is look strategically. Look for those opportunities. What else is going on in the business? We have so many housing associations going through digital transformation at the moment.
Get yourselves in there and talk positively about data protection and the data principles; we don’t want to be focusing on the negatives.
As Luke Beckley and I co-presented in November 2022 at Privacy Space (and it’s now written up in a blog post with a free download to go with it – link at the bottom of this post) data protection professionals have amazing skills outside of our knowledge of DP law.
Bring that all together and don’t focus on the negatives unless or until you need to. Sometimes we do need a little bit of stick rather than carrots, but in the main, we can be positive – there are a lot of positives.
We need some joined-up thinking, we need cross-team working, and that is often the hard bit. I’m not saying this is easy. But coming back to what Luke and I talked about at Privacy Space, we do have really good communication skills and relationships already built with a lot of areas of the business. Keep working on that. Get people onside and share your knowledge and your passion for data protection. I know many of you probably follow DPO Daily on LinkedIn. Recently he (Tim Turner) was talking, quite pointedly I think, about people posting on LinkedIn and closing the comments, not letting anybody interact with the post, and how he thinks that’s not a good idea.
I believe there are sometimes reasons for closing the comments, when people have had bad experiences in the past, and I can see where they’re coming from. However, in general, I don’t think gatekeeping is a good idea, and I’m all for sharing my knowledge of, and my passion for, data protection.
That sharing helps to get people more onside.
A lot of the value that we can add as DPOs is by looking globally across the business and mapping out what’s going on with data and we can help join the dots. We can see where we can pull value from one team and help that other team. We’re good at seeing where one thing can benefit another team. Use that skill.
Regarding policy and procedures, it can be tempting to think “everything says GDPR, we must update it to say (UK) GDPR now, and reference the DPDI Bill”.
I would say don’t waste your time on that just now. Even if the policies say “GDPR”, you know that, if you’re working just in the UK (housing associations, I’m talking to you) you mean the UK GDPR.
It might be more worth your while doing those updates (or delegating them out, more likely) for those of you who are working more internationally.
But if your policy and procedures are pretty much OK, only look for the glaring issues. We have more than enough things to be worried about as data protection officers! Focus on what’s the right thing to do for the organisation and your customers, not whether you’ve got all the tiny details right. It’s about how you operate on the ground.
One thing that we do have a date for, and that you do need to concentrate on, is the SCCs transferring to IDTAs; as far as we know, that will still happen, so that’s worth looking at. It’s also worth looking at because it means looking at your contracts with your data processors, which is always time well spent because processor contracts can be so problematic. I would only be looking for glaring issues, though.
Bake-in Data Protection
Look as well for places where you can start to roll out “baked-in data protection”: anywhere you’ve got other policies and procedures that relate to handling data, which will be 90+ percent of your policies and procedures in housing.
It will be all the policies and procedures in HR. It will be everything in Customer Service.
Baking-in data protection to these policies and procedures means making sure those documents for those teams include all the guidelines they need around data; what data those teams should be collecting, sharing, recording, and what they shouldn’t.
So many times those policies and procedures just say something like “collect relevant data, and by the way, do it in accordance with the data protection policy”. And that just doesn’t work. Nobody’s going to jump out of that policy or procedure and go and look at the data protection policy (and we can’t blame anyone for that!)
Across the housing sector, and other sectors, there is currently a lot of talk about “data”, which people seem excited about. And then “protection” gets added on the end and it seems to turn people off!
If you can get into those “data” conversations by losing the word protection to begin with and just talking about data, people listen more.
And then you can start to talk about purpose and fairness and transparency. Your colleagues don’t even need to know that you’re talking about the dreaded GDPR!
This is an approach that Luke Beckley has used to good effect, and I know Luke and I would both love to hear if it works for you too.
Join The Hive – free group on LinkedIn and meeting monthly online.