Category Archives: GDPR

Are GDPR Guidelines Becoming So Complex They May Overwhelm Businesses’ Ability to Meet Them?

Authored by Lynn Goldstein and Peter Cullen

Last December the European Union’s Article 29 Data Protection Working Party (Working Party) issued draft guidance on two key aspects of the General Data Protection Regulation (GDPR), Consent and Transparency, both essential to the effective operation of the GDPR. The Working Party invited comments, and the Information Accountability Foundation (IAF) responded to both the Consent and Transparency drafts (collectively and singly, Draft Guidance). In short, the IAF believes there are significant challenges in the Draft Guidance that may have the unintended effect of limiting the beneficial uses of data and of undermining the longer-term goal of providing data protection that balances the full range of rights and interests of individuals as the beneficial uses of data grow. IAF’s comments on the Draft Guidance fell into two main themes:

  • The Draft Guidance has an apparent narrowing of some of the plain language and flexibility contained in the GDPR text
  • The complexity of the Draft Guidance will be challenging for even the most sophisticated and resourced organizations to meet

The GDPR is part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.  The GDPR is intended to create both legal certainty and a platform for the free flow of data in a suitably protected manner.  This strategy is responsive to all the stakeholder rights and interests articulated in the treaties that have established the European Union.

There are various provisions in the GDPR that are intended to create flexibility for discovering new knowledge, including new and better means for achieving stakeholder objectives. There are examples of “narrowing” in the Draft Guidance, particularly related to Scientific Research.

For example, the Draft Guidance quotes GDPR Recital 159, which states: “For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner.” But the Draft Guidance then goes on to say, “however the WP29 considers the notion may not be stretched beyond its common meaning and understanding that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodology and ethical standards.” The GDPR words “should be interpreted in a broad manner” link to the full range of fundamental rights and interests articulated by the various European Union treaties and to the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

The Draft Guidance on Transparency focuses on the need for organisations to be very specific in stating all the purposes of processing and the legal basis for each of them. In research, new processing may develop over time that is not inconsistent with the original purposes. The GDPR was not intended to stifle innovation by blocking workflow improvements that are not inconsistent with those purposes. The IAF is concerned that the Draft Guidance may create disincentives for knowledge creation involving new processing that is not incompatible with the initial processing. In short, the flexibility built into the GDPR for research and related activities should not be prematurely limited by the Draft Guidance.

The second thematic area of concern relates to the complexity of the Draft Guidance. For example, the Draft Guidance on Transparency identifies a basic conundrum: the challenge of making transparency simple and concise on the one hand and complete on the other. The conundrum lies not in the objectives for transparency but in the details deemed necessary to achieve those objectives. The Draft Guidance includes a table of 14 factors necessary for compliant transparency. A table with 14 factors seems contradictory to “concise and simple.”

To meet the Draft Guidance expectations, organisations of all sizes and levels of complexity will need new skills, resourcing, capabilities and capacity to achieve the preferred form of transparency. For example:

  • Communications specialists with expertise in data protection to describe data processing activities and user rights, in simple age- and consumer-appropriate language;
  • Consumer research staff to test timing and efficacy of language and transparency delivery including multi-language translations;
  • Experienced designers and programmers to create the needed online and in-product experiences, product flow and visual design that are ‘just-in-time’ or to describe further data processing activities when they arise.

The experience of businesses that have complex customer relationships conducted primarily online is that an approach requiring numerous notifications and separate consents calls for a large cross-functional team of product developers, designers, usability testers, data protection experts and lawyers.

It will be equally critical for organisations to put in place new business processes to ensure consistency across the communications channels recommended by the Draft Guidance. A limited number of organisations have these skills in place, but most do not. Putting such resources in place will require a substantial investment that must be balanced against other expectations, with the knowledge that only the most motivated individuals will have the time to absorb the communications. Such cross-functional teams are the exception, not the rule, at many organisations. The resources required to execute on the Draft Guidance will therefore be a challenge for most organisations and certainly for smaller ones.

In addition to the narrowing of the GDPR’s intent and the complexity challenge, in IAF’s view the Draft Guidance should not inadvertently become secondary regulation. It should instead provide a commentary on the legal requirements mandated by the GDPR that go into effect in May. Guidance should offer an interpretive view of the objectives of the GDPR and of how best to meet both the letter and the spirit of the GDPR. IAF’s feedback on the Draft Guidance was to take care not to over-engineer these requirements to the point where they become very difficult for organisations to implement and negate a key part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

Guidance and Un-Legislated Law

In 2016 and 2017, the Article 29 Data Protection Working Party (WP29) adopted Action Plans which set forth its global implementation strategy related to the General Data Protection Regulation (GDPR). Pursuant to these Action Plans, the WP29 has produced seven Guidelines and has indicated it will produce at least eight more. As the data protection…

Demonstrating Responsible Use for Legitimate Interests Is Necessary Now

Elizabeth Denham, the United Kingdom’s Information Commissioner, published a blog on 16 August busting the myth that consent would be required for all processing under the General Data Protection Regulation (GDPR). Beyond the GDPR-consent myth, over the years many businesses have in fact relied predominantly on consent as a means to achieve lawful processing…

Europe Sets the Standard – Other Regions Follow

The Ibero-American Data Protection Network (“network”) adopted “Standards for Personal Data Protection for Ibero-American States” (“SPDP”) on June 20, 2017 at its meeting in Santiago, Chile, with the official English translation now available. Most data protection experts have predicted that the adequacy provisions of the European General…

Assessments are the Hub of a Forward-Looking Data Protection Program

The term “assessments” appears a great deal in IAF work. We have written about comprehensive data impact assessments, ethical assessments, digital marketing assessments, Canadian assessments and legitimate interests assessments. All these references are part of the same theme: a family of comprehensive assessments of how data is used and how it impacts individuals is necessary…

IAF Policy Call

The ePrivacy Regulation may swallow any flexibility built into the GDPR. What does this mean for effective data protection governance and for the ability of companies to build value by thinking with data? Does the adequacy drive from Latin America cause additional disruption? Will the International Conference in Hong Kong bring balance back to global discussions? Join…

AI Without Data is Artificial Ignorance

Many years ago, I attended a seminar in Prague on the state of credit scoring in numerous locations in what had been Soviet Europe. I was taken aback by the stretch to find any data that would facilitate the growth of consumer markets through credit. This followed a session on credit scoring at the International…

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundation’s blog in September, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while…

IAF Policy Call on Research as a Legal Basis to Process

Thinking with data, the discovery of new insights through the processing of large, diverse data sets, has already become a driver of innovation. One of the truly remarkable outcomes of the European Data Protection Regulation is a liberalization of data for research. Is research essentially a new “legal basis” to process data? Viktor Mayer-Schonberger and…

Trust Deficits, Bright Lines and Verification

Freight trains heading through a tunnel are pretty hard to miss. The equivalent of a freight train in the world of privacy is a privacy trust deficit related to information use in an observational age driven by analytics. The many, many indicators that have piled up over the recent days, weeks and months are coming…