"However fast regulation moves, technology moves faster."
- Elizabeth Denham, Information Commissioner
Andrew McWhir is the Law Society policy adviser for competition law, GDPR and the EU. He discusses the well-known paradox that the opportunities of digital innovation depend on people trusting organisations with their personal data, and the GDPR mechanisms that support that trust for lawtech.
Many people, including Elizabeth Denham, the Information Commissioner, have pointed out that digital innovation relies on people handing over their personal data to companies. Properly respected and enforced data protection laws increase trust but, in the short term, enforcement action reveals unlawful and unethical processing that undermines public confidence. Recent examples include the prospect of some spectacular GDPR penalties for data breaches: the ICO has announced its intention to fine Marriott International over £99m and British Airways over £183m.
The GDPR recognises that technology is transforming the economy and social life. It also recognises the importance of creating the trust that will allow the digital economy to develop. This is, of course, an objective of the regulation as a whole. But within the regulation there are mechanisms for promoting innovation within a framework of trust. They are highly relevant to lawtech innovators.
The data protection impact assessment (DPIA)
The first mechanism is the data protection impact assessment, or DPIA. A DPIA is a structured process for evaluating innovative, high-risk initiatives for processing personal data. It involves a systematic description of the proposed innovation, an assessment of its necessity, proportionality and risks, and the identification of measures to mitigate those risks. Where a high risk remains after mitigation, the controller must consult the data protection authority before processing, and the authority provides written advice on how to proceed.
Data protection by design and by default
The second mechanism is less specific. It is the concept of data protection by design and by default. The core idea is that appropriate technical and organisational measures reflecting the data protection principles should be baked in to systems from the outset and not, as so often happens, added as an afterthought.
For example, if you are collecting personal data for statistical purposes you may be able to add 'noise' to that data in a way that retains its statistical value but minimises the extent to which any record can be traced back to a particular individual. An example of poor practice would be to make fields such as age, income or political views mandatory in an online form whose only purpose is to request a report or a quote.
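As an added illustration of the 'noise' idea (this example is not from the Law Society's post or from Mr McWhir; the function names, parameters and prevalence figures are constructed), the following Python implements Warner's randomised response, a classic way of perturbing a sensitive yes/no answer at the moment it is collected. It goes slightly beyond the paragraph above by also quantifying how much a stored answer can reveal about the individual (the local differential privacy budget, epsilon), which is the figure a DPIA would want to record.

```python
import math
import random
from typing import Sequence, Tuple

# Warner's randomised response: one concrete way to add "noise" at the point
# of collection so the dataset keeps its statistical value while no single
# stored answer can be relied on as that person's true answer.
# Added example; the parameter names and prevalence figures are constructed.


def _check_p(p_truth: float) -> None:
    # p_truth = 1 stores the truth verbatim (no protection);
    # p_truth = 0 stores pure coin flips (no statistical value).
    if not 0.0 < p_truth < 1.0:
        raise ValueError("p_truth must be strictly between 0 and 1")


def randomize_answer(true_answer: bool, p_truth: float, rng: random.Random) -> bool:
    """Return the answer that is actually recorded for one respondent.

    With probability p_truth the true answer is recorded; otherwise a fair
    coin decides the recorded answer, independently of the truth.
    """
    _check_p(p_truth)
    if rng.random() < p_truth:
        return true_answer
    return rng.random() < 0.5


def estimate_prevalence(recorded: Sequence[bool], p_truth: float) -> float:
    """Unbiased estimate of the true 'yes' rate from the noisy answers.

    P(recorded yes) = p_truth * pi + (1 - p_truth) / 2, so solve for pi.
    """
    _check_p(p_truth)
    observed = sum(recorded) / len(recorded)
    return (observed - (1 - p_truth) / 2) / p_truth


def privacy_epsilon(p_truth: float) -> float:
    """Local differential privacy budget of this mechanism.

    The likelihood ratio of any recorded answer given a true 'yes' versus a
    true 'no' is at most (1 + p_truth) / (1 - p_truth); epsilon is its natural
    log. A lower epsilon means a stored answer says less about the individual.
    """
    _check_p(p_truth)
    return math.log((1 + p_truth) / (1 - p_truth))


def simulate(n: int, true_rate: float, p_truth: float, seed: int = 0) -> Tuple[float, float]:
    """Generate n synthetic respondents (constructed data), record their
    randomised answers and return (estimated_rate, epsilon).

    Only the randomised answers would ever be stored by the organisation.
    """
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    recorded = [randomize_answer(t, p_truth, rng) for t in truths]
    return estimate_prevalence(recorded, p_truth), privacy_epsilon(p_truth)


if __name__ == "__main__":
    est, eps = simulate(n=20_000, true_rate=0.30, p_truth=0.5)
    print(f"estimated prevalence {est:.3f} (true 0.300), epsilon {eps:.2f}")
```

With p_truth at 0.5 each stored answer is consistent with either true answer at odds of no worse than 3 to 1 (epsilon about 1.1), yet the aggregate rate is recovered to within about a percentage point from 20,000 responses. The price of the protection is statistical variance, which a larger sample pays for; that trade-off, and the chosen p_truth, are exactly the kind of design decision a DPIA should document.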
Most data protection experts are familiar with the sinking feeling that comes from having to say 'caution', or even 'no', to an initiative they have been asked to advise on only when it is almost ready to launch. More often than not, the initiative could have been designed differently, in a way that would have been fully compliant, if only they had been involved sooner.
Robert Bond, one of the UK's leading data protection by design practitioners and a partner at Bristows LLP, will lead a data protection by design session at the Law Society's half-day New Frontiers in data protection, ePrivacy and workplace surveillance conference on Thursday 26 September 2019. Workshops include lawtech and GDPR; social media in law firms: the danger spots; and workplace surveillance: know your limits. Together they address how law firms can combine lawtech innovation with data protection compliance.
The Law Society supports lawtech innovation.
Join our half-day conference, New Frontiers in data protection, ePrivacy and workplace surveillance, on Thursday 26 September, 13:00 - 17:20, at 113 Chancery Lane. Tickets are £175 + VAT (£125 + for practising certificate holders working for a not-for-profit). Expert speakers will explore crucial data protection and privacy issues, and we will announce new GDPR guidance for solicitors in law firms at the conference.
Listen to our Tech Talks podcasts, designed to make lawtech easier to understand.