Category Archives: Data Protection

Are GDPR Guidelines Becoming So Complex They May Overwhelm Businesses' Ability to Meet Them?

Authored by Lynn Goldstein and Peter Cullen

Last December the European Union’s Article 29 Data Protection Working Party (Working Party) issued draft guidance relating to two key aspects of the General Data Protection Regulation (GDPR) addressing Consent and Transparency, both essential to the effective operation of the GDPR. The Working Party invited comments, and the Information Accountability Foundation (IAF) responded to both the Consent and Transparency drafts (collectively and singly Draft Guidance). In short, the IAF believes there are some significant challenges related to the Draft Guidance that may have the unintended impact of limiting the beneficial uses of data and potentially limiting the longer-term goals of providing data protection against the full rights and interests of individuals as the beneficial uses of data grow. IAF’s comments on the Draft Guidance broke down into two main themes:

  • The Draft Guidance has an apparent narrowing of some of the plain language and flexibility contained in the GDPR text
  • The complexity of the Draft Guidance will be challenging for even the most sophisticated and resourced organizations to meet

The GDPR is part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.  The GDPR is intended to create both legal certainty and a platform for the free flow of data in a suitably protected manner.  This strategy is responsive to all the stakeholder rights and interests articulated in the treaties that have established the European Union.

There are various provisions in the GDPR that are intended to create flexibility for discovering new knowledge, including new and better means for achieving stakeholder objectives. There are examples of “narrowing” in the Draft Guidance, particularly related to Scientific Research.

For example, the Draft Guidance quotes GDPR Recital 159, which states “For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner.” But the Draft Guidance then goes on to say, “however the WP29 considers the notion may not be stretched beyond its common meaning and understanding that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodology and ethical standards.” The GDPR words “should be interpreted in a broad manner” link to the full range of fundamental rights and interests articulated by the various European Union treaties and the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

The Draft Guidance on Transparency focuses on the need for organisations to be very specific in stating all the purposes and the legal basis for all such purposes. In research, new processing may develop over time that is not inconsistent with the original purposes. The GDPR was not intended to stifle innovation through workflow improvements that are not inconsistent with those purposes. The IAF is concerned that the Draft Guidance may create disincentives for knowledge creation related to new processing that is not incompatible with the initial processing. In short, the flexibility built into the GDPR for research and related activities should not be prematurely limited by the Draft Guidance.

The second thematic area of concern relates to the complexity of the Draft Guidance. For example, the Draft Guidance on Transparency identifies a basic conundrum associated with the challenge of making transparency simple and concise on the one hand and complete on the other. The conundrum lies not in the objectives for transparency but rather in the details deemed necessary to achieve those objectives. The Draft Guidance includes a table of 14 factors necessary for compliant transparency. A table with 14 factors seems contradictory to “concise and simple.”

To meet the Draft Guidance expectations, organisations of all sizes and complexity will need skills, resourcing and differing capabilities and capacity to achieve the preferred transparency.  For example:

  • Communications specialists with expertise in data protection to describe data processing activities and user rights, in simple age- and consumer-appropriate language;
  • Consumer research staff to test timing and efficacy of language and transparency delivery including multi-language translations;
  • Experienced designers and programmers to create the needed online and in-product experiences, product flow and visual design that are ‘just-in-time’ or to describe further data processing activities when they arise.

The experience of businesses that have complex, primarily online relationships with customers is that an approach requiring numerous notifications and separate consents demands a large cross-functional team of product developers, designers, usability testers, data protection experts and lawyers.

It will be equally critical for organisations to put in place new business processes to ensure consistency across the communications channels recommended by the Draft Guidance. A limited number of organisations have these skills in place, but most do not. Putting such resources in place will require a substantial investment that needs to be balanced against other expectations, with the knowledge that only the most motivated individuals will have the time to absorb the communications. These cross-functional teams are the exception, not the rule, at many organisations. This staffing approach means the resources required to execute on the Draft Guidance will be a challenge for most organisations and certainly for smaller ones.

In addition to the narrowing of the GDPR’s intent and the complexity challenge, in IAF’s view, Draft Guidance should not inadvertently become secondary regulation. It should instead provide a commentary on the legal requirements mandated by the GDPR that go into effect in May. Guidance should provide an interpretive view on the objectives of the GDPR and how best to meet both the letter and the spirit of the GDPR. IAF’s feedback on the Draft Guidance was to take care not to over-engineer these requirements to the point that they become quite challenging for organisations to implement and negate a key part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

Guidance and Un-Legislated Law

In 2016 and 2017, the Article 29 Data Protection Working Party (WP29) adopted Action Plans which set forth its global implementation strategy related to the General Data Protection Regulation (GDPR). Pursuant to these Action Plans, the WP29 has produced seven Guidelines and has indicated it will produce at least eight more. As the data protection…

Accountability Does Work

143,000,000 people were the victims of a recent data breach when their data was stolen from Equifax, a company that has an obligation to keep their data safe. Data security is tough. The bad guys only need to be successful once, while companies need to win every time. However, from the perspective of many consumers,…

IAF Releases Ethical Guidance for Artificial Intelligence at Commissioners’ Conference

The terms ethics and ethical data processing are in vogue. With the rapid growth of innovative data-driven technologies and the application of these innovations to areas that can have a material impact on people’s daily lives, enhanced corporate governance focused on ethical objectives is needed. Particularly where data enabled decisions are made without the intervention…

A Data Protection Risk Assessment Is About Ethics – Join IAF Webinar

A Data Protection Risk Assessment Is About Ethics – Join IAF Webinar. Webinar: September 6, 2017. We have never read a privacy or data protection law that requires controllers be ethical. Yet implicitly new laws are driving expectations that organizations using data robustly do so in an ethical fashion. What does that mean? The European…

The Colombia Congress Matters

There seems to be a privacy conference every week in the United States or Europe. However, privacy training and policy development in Latin America is not nearly as well developed as that in the United States and Europe. Latin America has one annual conference that is clearly considered the conference of conferences. It is organized…

IAF Policy Call

The ePrivacy Regulation may swallow any flexibility built into the GDPR. What does that mean for effective data protection governance and the ability for companies to build value by thinking with data? Does the adequacy drive from Latin America cause additional disruption? Will the International Conference in Hong Kong bring balance back to global discussions? Join…

The Need for An Ethical Framework

The vast amount of data made possible and accessible through today’s information technologies, and the ever-increasing analytical capabilities applied to this data, are unlocking tremendous insights that are enabling new solutions to health challenges, business models, personalization and benefits to individuals and society. At the same time, new risks to individuals can be created. Against this…

Big Data Ecosystem, Fairness and Enforcement

Big data has become an increasingly scary phrase for all stakeholders in data protection. For privacy advocates, it often means loss of control, asymmetrical power and hidden discrimination. For regulators, it often means regulatory round pegs in operational holes of different sizes, in constantly moving locations, with mismatches that begin with vocabulary. For companies, it…

Abrams Moderates Panel at ICDPPC Open Session – 19 October 2016

Adequacy, Localization and Cultural Determinism – Open Session Panel Discussion

DATE: 19 October 2016
TIME: 11.30 to 13.00
LOCATION: Atlas Room, Conference Center of the Palmeraie Golf Palace
EVENT: 38th International Data Protection & Privacy Commissioners Conference
ADMISSION: The discussion is open to all conference attendees.

Are adequacy, localization and cultural determinism efficient measures to strengthen/adapt…