Category Archives: Peter Cullen

Are GDPR Guidelines Becoming So Complex They May Overwhelm Businesses' Ability to Meet Them?

Authored by Lynn Goldstein and Peter Cullen

Last December the European Union’s Article 29 Data Protection Working Party (Working Party) issued draft guidance relating to two key aspects of the General Data Protection Regulation (GDPR) addressing Consent and Transparency, both essential to the effective operation of the GDPR. The Working Party invited comments, and the Information Accountability Foundation (IAF) responded to both the Consent and Transparency drafts (collectively and singly Draft Guidance). In short, the IAF believes there are some significant challenges related to the Draft Guidance that may have the unintended impact of limiting the beneficial uses of data and potentially limiting the longer-term goals of providing data protection against the full rights and interests of individuals as the beneficial uses of data grow. IAF’s comments on the Draft Guidance broke down into two main themes:

  • The Draft Guidance has an apparent narrowing of some of the plain language and flexibility contained in the GDPR text
  • The complexity of the Draft Guidance will be challenging for even the most sophisticated and resourced organizations to meet

The GDPR is part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.  The GDPR is intended to create both legal certainty and a platform for the free flow of data in a suitably protected manner.  This strategy is responsive to all the stakeholder rights and interests articulated in the treaties that have established the European Union.

There are various provisions in the GDPR that are intended to create flexibility for discovering new knowledge, including new and better means for achieving stakeholder objectives. There are examples of “narrowing” in the Draft Guidance, particularly related to Scientific Research.

For example, the Draft Guidance quotes GDPR Recital 159, which states “For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner.” But the Draft Guidance then goes on to say, “however the WP29 considers the notion may not be stretched beyond its common meaning and understanding that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodology and ethical standards.” The GDPR words “should be interpreted in a broad manner” link to the full range of fundamental rights and interests articulated by the various European Union treaties and the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

The Draft Guidance on Transparency focuses on the need for organisations to be very specific in stating all the purposes and the legal basis for all such purposes. In research, new processing may develop over time that is not inconsistent with the original purposes. The GDPR was not intended to stifle innovation through workflow improvements that are not inconsistent. The IAF is concerned that the Draft Guidance may create disincentives for knowledge creation related to new processing that is not incompatible with the initial processing. In short, the flexibility built into the GDPR for research and related activities should not be prematurely limited by the Draft Guidance.

The second thematic area of concern relates to the complexity of the Draft Guidance. For example, the Draft Guidance on Transparency identifies a basic conundrum associated with the challenge of making transparency simple and concise on the one hand and complete on the other hand. The conundrum lies not in the objectives for transparency but rather in the details deemed necessary to achieve those objectives. The Draft Guidance includes a table with 14 factors necessary for compliant transparency. A table with 14 factors seems contradictory to concise and simple.

To meet the Draft Guidance expectations, organisations of all sizes and complexity will need skills, resourcing and differing capabilities and capacity to achieve the preferred transparency.  For example:

  • Communications specialists with expertise in data protection to describe data processing activities and user rights, in simple age- and consumer-appropriate language;
  • Consumer research staff to test timing and efficacy of language and transparency delivery including multi-language translations;
  • Experienced designers and programmers to create the needed online and in-product experiences, product flow and visual design that are ‘just-in-time’ or to describe further data processing activities when they arise.

Experience from businesses that have complex relationships with customers, exercised primarily online, is that developing an approach that requires numerous notifications and separate consents requires a large cross-functional team of product developers, designers, usability testers, data protection experts and lawyers.

It will be equally critical for organisations to put into place new business processes to ensure consistency across the communications channels recommended by the Draft Guidance. A limited number of organisations have these skills in place, but most do not. Putting such resources in place will require a substantial investment that needs to be balanced against other expectations, with the knowledge that only the most motivated individuals will have the time to absorb the communications. These cross-functional teams are the exception, not the rule, at many organisations. This staffing approach means the resources required by organisations to execute on the Draft Guidance will be a challenge for most and certainly for smaller ones.

In addition to the narrowing of the GDPR’s intent and the complexity challenge, in IAF’s view, Draft Guidance should not inadvertently become secondary regulation. It should, however, provide a commentary on legal requirements mandated by the GDPR that go into effect in May. Guidance should provide an interpretive view on the objectives of the GDPR and how best to meet both the letter and spirit of the GDPR. IAF’s feedback on the Draft Guidance was to take care not to over-engineer these requirements to the point that they may be quite challenging for organizations to implement and negate a key part of the European Union strategy for a Digital Single Market that is an engine for employment and economic growth.

We lost A True Mensch – Joe May You Rest In Peace

This weekend Joe Alhadeff passed away after a long bout with cancer. Joe is a founder of the Information Accountability Foundation, just one of a number of organizations that he saw as providing solutions to an increasingly complex set of eco-systems. He has been a colleague of mine for well over a decade. He was…

The Need for An Ethical Framework

The vast amount of data made possible and accessible through today’s information technologies, and the ever-increasing analytical capabilities of this data, are unlocking tremendous insights that are enabling new solutions to health challenges, business models, personalization and benefits to individuals and society. At the same time, new risks to individuals can be created. Against this…

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundation's blog in September, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while…

EDPG Update Call

To discuss a number of accomplishments and next steps related to the EDPG project, IAF will hold a one-hour update call on the project’s work on 28 November. The EDPG project was created as a means to mitigate a business risk related to a growing focus on data use as an integral part of business…

The Data Use Imperatives – Effective Data Protection Governance

We are on the cusp of many dramatically new ways to think about data and data use that will increasingly place pressure on public policy models and organisational governance. This overall challenge was introduced in our blog last month and is the cornerstone of The Information Accountability Foundation's (IAF) work on an Effective Data Protection Governance…

EDPG Project: Enhancing Benefits from Information Flows While Improving Regulatory Certainty in a Digital Age

Today’s information ecosystems are complex and set to become even more complicated. Business, today, is making increasing use of information as a means to create new products and services and drive value creation. IoT environments offer a terrific example of this complexity as does the whole area of Big Data analytics, which can involve the…

Enhancing the Benefits of Information Through a Values Based Holistic Approach to Information Governance

Businesses today are increasingly using information as a means to create new products and services and to drive the creation of benefits. Access to data and advanced analytical capabilities are enabling new opportunities for both current information-intensive industries and new players, even those traditionally in core product segments or where there is no direct business-to-consumer…

Data Management Ethics in an Observational World

Data ethics is more than data minimisation and purpose limitation. If it were not more, big data governance would be easy. But it is not easy. Giovanni Buttarelli, European Data Protection Supervisor, heightened the big data governance debate last Friday, 11 September, when he issued opinion 4/2015, “Towards a new digital ethics.” In the paper,…