Daniel Stafford is Deputy Chairman of Oxford Conservative Association, and works as GDPR Compliance Officer for an Oxford-based national Christian charity.
Since January, you may have received an email or a letter from a charity or business, with the cheerful message “URGENT! RESPOND NOW!” emblazoned on the envelope or subject bar. This rush of correspondence is due to a piece of EU legislation called the General Data Protection Regulation (commonly shortened to GDPR) due to come into force on 25th May 2018. The GDPR replaces the 1998 Data Protection Act, and places much stronger restrictions on how personal data is used.
On the face of it, the GDPR is a great idea. If you’ve ever lamented buying a gift online because of the subsequent tide of spam emails or hung up in frustration after an unsolicited caller has asked you about a car accident you’ve had in the past, you will welcome anything that reduces nuisance correspondence. More topically, the scandal surrounding Cambridge Analytica and Facebook has highlighted the issue of how transparent big-data companies are when capturing and using our data. Given some of the serious questions around how Facebook has gathered data in the past, it seems right that data protection laws respond to the proliferation of big data.
While the GDPR sounds great in theory, the experience for those implementing it has not been as positive. Over the last 12 months, I have been involved in understanding the implications of GDPR for two different charities. Charities, even more so than businesses, rely upon relationship building, personal promotion of the cause they advocate, and keeping sound donor records in order to ensure a donor’s experience of supporting the charity is a positive one. While Elizabeth Denham, the Information Commissioner, has correctly taken pains to emphasise that the GDPR is only meant to codify what was already expected as best practice under the Data Protection Act, many charities and businesses are panicking given the uncertainty about what it looks like to be compliant with the GDPR.
The source of this confusion is best explained in this way: under the GDPR, any use of personal data is strictly prohibited, unless you have what is termed a ‘legal basis’. On paper, this sounds straightforward enough – you don’t use personal information without either permission or a just cause. In practice, there are two deep flaws with the legislation.
The first stems from the European mindset behind the legislation. In contrast to the British common law tradition where everything is permitted unless it is prohibited, the GDPR is very much in the tradition that everything is prohibited, unless it is permitted. That has a stifling impact on any business, organisation, or charity that uses personal data. Rather than proceeding on a good faith basis, organisations are having to document and codify just about every procedure to demonstrate compliance. A number of organisations are hurriedly discarding data or will refuse to hold on to potentially legitimate business data, for no other reason than the fear that they might break the law.
This would not be so serious but for the second flaw – GDPR prescribes an extremely broad definition of personal data, which encompasses anything relating to a living person. That breadth includes quite serious information, such as your health, sex life, and religious or political views, but theoretically can expand to where you do your shopping, personal opinions, or your favourite sporting teams. Case law may eventually provide a more practical application of the GDPR definition, but in the meantime organisations are left to tread cautiously and fearfully. Among those organisations may well be political parties – under the right of access, “personal data” includes anything written about a person in an email context. Until a judge rules otherwise, every party might live in fear that a member who left under a cloud might put in a subject access request, and ask to see any email in which they are named. The absurd idea that emails can no longer be private stems solely from GDPR being so all-encompassing.
Brexit does not provide an immediate solution to the flaws of GDPR, as the Government is adopting its own version of GDPR into UK law through the 2018 Data Protection Bill. Nor can we entirely ignore it when we do leave the EU; as the Facebook story has demonstrated, even non-EU organisations need to comply with the GDPR when they handle the data of EU citizens.
A central argument for Brexit, however, was that Parliament would take back control of our laws, and be able to improve EU laws we were dissatisfied with. I suggest that amending GDPR as a matter of urgent priority would have a massively positive impact on many UK charities and businesses, especially small organisations who risk being throttled by the burden of documenting their use of data. A new data protection law should focus on proscribing specific offences, principally relating to the abuse of personal data, or the failure to protect data from outside intervention. By focusing on the punishment of specific unacceptable practices, rather than seeking to burden organisations with a mass of bureaucracy, we can have a data protection regime that works for charities and businesses, and also protects individuals.