In honour of world data privacy day, we sat down with our CEO, Rob Masson, to discuss how the last 12 months have impacted data protection and where he thinks the industry is headed in 2022.
Q: Thanks for taking the time out to speak to us, Rob. We wanted to start by asking you to talk about what you think have been the most fundamental issues that have influenced the data protection industry in the UK over the last 12 months or so?
You can’t really talk about the last year or so in data protection without mentioning Brexit, which has shaped, and will continue to shape, the UK’s data landscape. When the UK officially left the EU on the 1st of January last year, the UK was given full rein to change the direction of UK data protection laws as it sees fit. How the UK chooses to use this newfound power is something we are likely to find out later this year when the outcome of the DCMS’ recent consultation on UK data protection law is revealed. However, the biggest question last year that Brexit threw up was how data transfers between the EU and UK would be affected or, more precisely, whether the UK would gain an adequacy decision. Whilst perhaps initially considered a foregone conclusion, the UK’s adequacy was jeopardised after the Schrems II ruling in 2020 which invalidated the US-EU Privacy Shield due to the US’ mass surveillance laws being deemed non-compliant with the EU GDPR – laws that are not dissimilar to the UK’s.
Fortunately, the EU did end up awarding the UK adequacy, which was a welcome relief for any UK business that deals with European personal data.
Overarching and, to some degree, overshadowing the fallout of Brexit, though, was the ongoing Covid-19 pandemic, which has shaken up the way we all work and has continued to throw up ever more data protection considerations.
Q: What has made the Covid-19 pandemic have such an impact on data protection?
A key impact that the pandemic has had on our working lives is that many of us now work from home for some or all of the time. We have gone from coming into the relatively secure environments of our workplaces, where we work on our devices that are under the direct control of our IT teams, to now working from home on our personal equipment and over our home WiFi. Facilities such as VPNs and remote access can reduce the risks but, in many cases, data processing is occurring at home, making it much harder to apply the appropriate “technical and organisational measures” that the law demands and to respond fully to individuals’ rights requests, such as DSARs.
In addition to this, not being in the office alongside colleagues has also meant that people aren’t having those informal “at the coffee machine” chats with their DPOs, which are often opportunities to bring up small issues or queries that they might have. Unfortunately, this has meant that sometimes issues that could have been nipped in the bud early are going unnoticed, leading to bigger problems down the line. Keeping open lines of communication between DPOs/those responsible for data protection and their colleagues is therefore vital, even when working from home. Aside from this, implementing appropriate policies and procedures, and delivering tailored training that ensures that employees are aware that it is everyone’s responsibility to comply with data protection law, especially when working remotely, is critical in this now not-so-new way of working.
Q: Are there any ways in which the pandemic has had a positive impact on the profession or created any opportunities?
The transition to working from home threw up a host of data protection issues that privacy professionals suddenly had to deal with. Whilst this was challenging, it did reinforce how dynamic and adaptable data protection practices and frameworks need to be, so has led to significant improvements for many.
The pandemic also created issues such as the UK government’s decision to develop their “Track and Trace” app using a centralised, rather than de-centralised, approach to data processing. This highlighted all manner of privacy-related issues in the mainstream news that significantly raised the profile and importance of data protection to the public and focused the attention of a great many more organisations that it would otherwise have passed by. The knock-on effect of this has been a wealth of career opportunities being created within the industry due to the now higher demand for individuals with expertise in this area, which can only be a great thing for the profession.
In addition, the switch from face-to-face to online data protection events and conferences has made them far more accessible to people working in data protection all over the world, providing greater opportunities to connect with other privacy professionals and facilitate valuable networking and knowledge-sharing.
Q: You also mentioned the UK’s DCMS consultation that began in Q4 of 2021. How do you envisage that shaping the UK’s data protection landscape in 2022?
Well, whilst we are still waiting for the outcome of the consultation, it is safe to say that the proposals included within it show a clear intention to diverge away, quite significantly in certain areas, from the EU’s regime. The two areas in which this is most true are regarding international data transfers and accountability requirements.
In terms of data transfers, the UK government has made its intentions quite clear that it wants to significantly broaden the number of countries given adequacy, as well as the number of alternative transfer mechanisms available for businesses. In addition, the accountability requirements proposed in the consultation seem to fly in the face of the EU GDPR, with the possible removal of the requirements for DPOs to be appointed (but replaced with a Privacy Programme Manager), and the completion of DPIAs and RoPAs. These are significant changes that are likely to create a more complex regulatory landscape for organisations required to comply with both EU and UK regulations.
Overall, although nothing from the consultation is yet set in stone, it is clear that many of the proposals, if written into UK law, would detrimentally impact the chances of the UK retaining its adequate status from the EU in four years’ time.
Q: What other factors do you think will impact data protection in the coming year?
Although AI/Machine Learning has been around for some time now, its use has really taken off over recent years. More and more of our clients are now leveraging AI and as it becomes more prevalent, so do the data protection considerations involved. Furthermore, AI presents far more complex data protection issues due to the inherent lack of transparency of algorithms and the increase in automated decision making, so how these risks are managed will be interesting to see, particularly as the UK has now set itself the goal of becoming an “AI global superpower”. It remains to be seen how far individuals’ data protection rights will be compromised in the pursuit of this goal.
Q: Clearly, the innovations you speak about will provide big opportunities for business growth for many, and you mention individuals’ rights potentially suffering as a result, but should data protection be seen as a barrier to this innovation?
Compliance with data protection laws should not be seen as a barrier to the introduction of new technologies and innovation. Data protection laws ensure that innovation occurs responsibly and respectfully, which is especially important with AI due to just how integrated it is going to become in our everyday lives and the type of decisions about people that it is going to be involved in.
Responsible innovation builds trust, loyalty and engagement between organisations and their customers, which forms the fundamental building blocks for business growth. We saw failure in this regard in 2021, when WhatsApp informed its users that it would be sharing their personal data with its parent company, Facebook, an organisation that has built a questionable reputation when it comes to data protection compliance and respecting the rights of individuals. Almost overnight, there was a mass migration away from WhatsApp and toward other apps, such as Signal and Telegram, that provided greater transparency and assurances in respect of protecting their users’ personal data.
Data subjects are now aware of their rights more than ever before, and they are far less likely to tolerate the misuse of their personal data. Data subjects not only know more about their rights, but are also becoming more willing to enforce them against organisations, and this trend is only going to continue into 2022 and beyond.