Unless you’ve been on extended break or a different planet lately, you will know that the new EU-wide General Data Protection Regulation (GDPR) applies from 25 May 2018, almost exactly a year from now.
Watching the GDPR from a distance over the past couple of years has reminded me a bit of the wonderful – if corny – 1951 American sci-fi/disaster movie, ‘When Worlds Collide’. In the film, a clever group of astronomers spot a massive planet called Bellus on a collision course with Earth. Everyone’s going to die when Bellus hits in eight months. Panic. Disbelief. But then those clever people spot a smaller planet called Zyra on the same course, and start building a space-ark to transport the crème-de-la-crème of humanity (all white Americans, as far as I remember) to settle on it and keep humanity going. After the standard good-guy, bad-guy struggle and love interest, we get the inevitable happy-ish Hollywood ending on Zyra (sorry if I’ve now ruined the plot line for you).
The GDPR’s inexorable advance since 2015 has felt a bit like watching the approach of Bellus. It’s actually a lot more Zyra than Bellus, much-vaunted by advocates of privacy and protecting the rights of the individual versus big-data corporations – and with some justification. But records managers and archivists cannot afford to ignore the practical implications. Our community was not the ‘target’ of the GDPR. But the people that drafted the Regulation have limited understanding of our sector, notably the daily operational realities of managing data and records.
Progress, of sorts
Thanks to the tireless work of Susan Healy, the ARA has dutifully submitted its concerns, ideas and recommendations on the GDPR to the European Commission, various parts of the UK and Irish governments and to regulators and legislators, including (recently) on ‘derogations’ or flexibilities that we would like to see in the Regulation. See here for examples. We’ve managed to get some things improved. And there are a number of specific exemptions that will protect archives and archive ‘services’ (see below for some outstanding gaps). But the GDPR still contains elements that could lead to inadvertent and/or damaging outcomes for record-keepers of all stripes.
It is arguably records managers, however, that face the biggest and most radical challenges from the GDPR. Many ARA records-manager-members will be well on top of these. This blog is aimed at those who may not be, especially anyone struggling to get the attention of their line managers or senior executives.
I attended a very useful Government Knowledge Information Managers (KIM) event in Swindon on 8 May and was struck by the specific challenges facing records managers. What follows owes a lot to several speakers on that day (with grateful thanks), but any misinterpretations or mistakes are mine. So, NB, this is not a technical treatise or manifesto, more of a checklist to help members get started, organise priorities and/or frame discussion within their organisations. We always recommend getting a detailed, expert appraisal for your individual situations.
The key starting point when working with the GDPR is to sort out your fundamental legal basis for processing other people’s data (ie, that of ‘data subjects’). Article 6 lists six lawful bases: consent, contract, legal obligation, vital interests, public task and legitimate interests. The two ideas that will change daily practice most are ‘consent’ and ‘transparency’. Consent is now a much higher bar: it must be a clear affirmative act, you must be able to demonstrate that you obtained it, and for special-category data (health, ethnicity, religion, etc) it must be ‘explicit’ (Article 9). That will be law, not guidance. Some examples of what this may mean in practice:
- No longer can you rely on pre-ticked boxes, silence or inactivity as consent: it must be freely given, specific, informed and unambiguous (Article 4(11)). Nor can a public authority rely on the ‘legitimate interests’ basis for processing done in the performance of its tasks (Article 6(1)). So unless you have another lawful basis (see below), data subjects must give you a clear ‘ok’ before you can process their data. Plus, they have the right to withdraw consent at any time, and they have the right to have data corrected or erased – and to ‘be forgotten’ – subject to the exemptions in Article 17(3), which include archiving in the public interest where erasure would make the archiving impossible or seriously impair it.
- The GDPR places direct obligations on data processors (for example Articles 28, 30(2) and 32), not just on data controllers.
- Where consent is your basis, you must be able to demonstrate that it was given (Article 7(1)). This means that records managers may need to keep clear, verifiable records of who consented to what, when, and how.
- If your organisation sub-contracts work to partners, involving the collection and retention of personal data, that does not absolve you of obligations under the GDPR: Article 28 requires a written contract with every processor containing specified terms, so many of your contracts are going to need rewriting.
- If your organisation has website ‘privacy notices’, it will have to change them. Articles 13 and 14 require, among other things, a clear contact point (including the Data Protection Officer’s, where you have one), the purposes and lawful basis for the processing, the retention period (or the criteria used to decide it) and the data subject’s rights, so that anyone with personal data concerns knows whom to contact and what to expect.
- There are new obligations to notify personal data breaches: to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of one, unless it is unlikely to result in a risk to individuals (Article 33); and to the affected data subjects themselves, without undue delay, where it is likely to result in a high risk to them (Article 34). Read, mark and inwardly digest the new rules.
- Your Data Protection Officer (mandatory for public authorities and for some other organisations, Article 37(1)) will need to be appointed on the basis of ‘expert knowledge of data protection law and practices’, with the level of expertise proportionate to the type of processing the organisation carries out.
- Your organisation will need to adopt – now as an explicit legal requirement (Article 25) – a ‘data protection by design and by default’ approach, including data minimisation (Article 5(1)(c)), when handling personal data.
The following didn’t feature prominently at Swindon, but are other key evolutions in the GDPR that will impact on records management and could even be opportunities for you within your organisation to ‘sell’ the value of proper records management:
- The accountability principle at Article 5(2): demonstrating compliance with the new accountability principle will require the retention of evidence, which in turn will require records and effective records management;
- Article 30: requires records of processing activities to be kept (by processors as well as controllers) and specifies what they must contain, including the purposes of processing, the categories of data subjects, data and recipients, the envisaged retention periods and a general description of security measures. The exemption for organisations with fewer than 250 employees (Article 30(5)) falls away where the processing is not occasional or involves special-category data, so most public bodies and regulated businesses should assume it applies to them.
Those facing the biggest challenges here will be in public bodies and highly-regulated business sectors, such as health, utilities, finance and telecommunications.
What does this all mean in a nutshell? From now on, when planning retention schedules, etc, you will have to build in provision for informing data subjects pro-actively and explaining your procedures, eg the length of time you intend to hold their data, so that they are properly informed; and, where consent is your basis, if things change (eg, you think you need to keep said data for longer) you will first have to seek their permission again, because consent is specific to the purpose for which it was given. Data subjects, in effect, will now have much more control over their data.
True, millions of British and Irish citizens are not going to suddenly say ‘no’ on matters concerning their personal data or demand huge numbers of corrections or erasures. But the intent of the GDPR is to embed in law a degree of control over personal data that approaches the control people have over property like their house or car. So records managers need to understand this and be ready. Of course, those in the public sector that can make a clear ‘public task’ or ‘official authority’ argument (Article 6(1)(e)), or those who are required by law to process personal data (Article 6(1)(c)), will still have a legal basis under the GDPR for doing so without consent. But it would be wise to make absolutely sure of your legal ground in your specific work environment from the outset, and to write it down, because you will have to be able to show it. In the UK health sector, for example, a broad continuity between the current UK Data Protection Act (DPA) and the GDPR seems likely (but if the devil exists, he will certainly be lurking in the detail).
The ARA’s view is that the headline goals of the GDPR are fair and reasonable in principle and hard to argue against. It means a lot more work and a change in organisational culture, but generally in a good cause. However, there are some inherent problems in the GDPR that have yet to be addressed. For example, unlike the current DPA (section 7(3)), there is no operative provision in the GDPR obliging data subjects to give you a ‘starting point’ when demanding to know whether or where you hold their data. Recital 63 says a controller holding a large quantity of information ‘should be able to request’ that the data subject specify what the request relates to, but a recital is not an article and carries much less weight. Without a starting point, finding any or all of someone’s personal data may be practically impossible. That is why the ARA is advocating with governments for derogations on this (for both archives and records managers), and on other issues. Our objective? To ensure as much continuity with current operational practice as possible when this is clearly in the interest of both the data subject and the controller and respects the intent of the GDPR.
The GDPR also offers an opportunity for records managers. The demise of the automated ‘tick-box’ culture means that management of personal data will require more human oversight and intervention. Also, the consequences of getting things wrong will potentially be much more severe: the maximum fine rises to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). This should mean that effective records and data management moves higher up the risk register of all organisations and becomes more of a ‘strategic’ function. It should also mean employers recognising the advantage in recruiting and retaining records management expertise.
If your senior management or boards of trustees haven’t grasped this yet, now’s your chance. And if you are a senior executive that thinks that customer personal data can just keep sitting under the IT function, or be automated, or keep being done ‘as it always has’, or be bolted onto the job description of the most junior member of staff, you have a year to develop an effective records management strategy before change ultimately gets forced on you. The ARA will be covering the ‘risk’ angle in a training module for members as part of the second phase of our ‘Don’t Risk It!’ records management campaign later this year.
What can you as an individual records manager do by yourself? Information audits are one great way to start. For example, what personal data do you hold centrally? Which other parts of your organisation are holding what categories of personal data, on what lawful basis, and for how long? What do you and your colleagues really need in operational terms (versus what you have just accumulated in the past because you could)? Are your retention and disposal schedules up to date and fit for the new purpose? The output of such an audit is, in effect, the first draft of your Article 30 record of processing activities. Secondly, get acquainted with key documents, such as the Privacy Notices Code of Practice issued by the Information Commissioner’s Office (ICO), and make sure that your senior management know about them. Thirdly, look at the changes to Subject Access Requests (SARs): the response time falls from 40 days to one month (extendable by two months for complex or numerous requests, Article 12(3)); the £10 fee goes, except where a request is manifestly unfounded or excessive (Article 12(5)); and data requested electronically must be provided in a commonly used electronic form (Article 15(3)). There are also some new flexibilities, and you can start your planning at the coal-face now.
Many of the above issues will affect ARA members in double-hatted or triple-hatted roles, ie those responsible for records throughout their life-cycle. But, it is not all plain-sailing for single-hatted archivists, either. There remains unhelpful language in the GDPR that says archives must first have a ‘legal obligation’ before they can acquire and preserve items that contain personal data. This is a nod to the legal structure on much of the European continent that governs the sector, but it causes headaches for those of us in the Common Law world.
There may be provisions in the Regulation that allow for flexible interpretation at member state level, but these are flimsy. Clever administrators are telling us: ‘don’t worry, no-one in reality is going to force a university or business archive to shut down because of the GDPR.’ Maybe so, but our concern is the potential for inadvertent outcomes, ie that universities, NGOs and businesses may decide by themselves that it is too much of a risk (and cost) to maintain an archive in such uncertain legal territory, and so decide to shut theirs down as a precaution. That’s why we are arguing for clear language in any UK and Irish implementing legislation that ‘all archiving purposes are in the public interest’ and therefore all archives have a clear legal basis to exist and do their invaluable work.
So, a message to single-hatted archivists: if you, or your institution, are looking for a simple issue to rally around when it comes to the GDPR, start with this. It is simple and has the advantage of being in everyone’s interest.
The Brexit illusion
For any Brits hoping that Brexit might mean seeing the back of the GDPR, no chance. The big argument in favour of the GDPR has been the need to regularise data-handling practice and data transfers across the single market. Even if the UK were to withdraw from the single market and seek a free-trade agreement, UK companies wanting to do business in Europe would need (arguably, want) to operate on the same terms as their EU clients and suppliers (and competitors).
Experience says that, however well-drafted, the implementing laws for the GDPR are going to contain gaps. So, no prizes if you predict that we are going to have several years of court cases while the judges clarify the parameters of the GDPR and interpret what its legislators ‘meant’. Brexit may play a part here: it will be interesting to see if (or for how long) the UK Supreme Court and the European Court of Justice interpret the implemented versions of the Regulation in the same way…
So it may seem like Bellus is still a year away and that you don’t need to do much because we still haven’t seen the draft implementing legislation in the UK or Republic of Ireland. But it may be more prudent to use what’s already in the Regulation to guide you in overhauling your records management procedures; and build your own space-ark towards a happy new beginning.