Opinion & Analysis

GDPR – The calm before the storm?

The need for greater protection of personal data has accelerated dramatically over the last ten years as the use of electronic and digital technology for communications and storage has grown. So it was absolutely vital that we introduced the GDPR after some 7 years of deliberation and preparation.

As we did our work in the European Parliament, in which I was a major participator, we felt at times as if we would never catch up with developments in technology and in cybercrime. This led me to call for a more flexible approach to legislation which I called simply “ Smart Legislation” allowing faster updates of items like the GDPR to keep abreast with changing or adapting social and commercial behaviour. Since I returned to the UK in 2016 to become a domestic “ legislator” in the House of Lords I have again pressed for a more modern and flexible approach to our Laws and law making in the UK and I hope colleagues in the EU will at some stage follow this approach.

So what have been the effects of the new Regulation so far?

In anticipation of the new rules and penalties our businesses large and small have rushed to communicate with their customers and consumers to make sure that information about them is being appropriately held and is accurate and has their consent. No doubt we all have received countless letters, e-mails, and other messages either asking us to confirm our satisfaction with the security of our details held by others or at least delineating how those details are held and the processes of redress available to us if abuses are detected. We have even had to learn how to deal with encrypted messages and even more passwords than ever before which has admittedly caused some complication especially to older citizens and those who are less “ computer literate” This feverish activity has now started to “ quieten down” and the appointments of the National Information Commissioners and their staff have been completed. Businesses have all appointed their Data Controllers. No-one ( at least in the UK) has yet been fined for abuse, and we will have to wait to see if, and when, the fears of draconian penalties for data abuses start to be applied. So far a more gentle and pragmatic approach is being adopted, as some of us recommended , especially in the early stages of implementation.

But what next? Are we in the “ calm before the storm”? Are there consumer groups or “militant data protectors “ lining up to take action against corporations to test the new laws? I hope not, but it is possible.

And in the fast moving climate and even without my “ Smart legislation” we will have to return to these regulations on a regular basis to ensure our intended protections for personal data continue to match collection methods and retention arrangements. Nobody should make a profit out of our personal data without our permission and hopefully we have at least curbed that process.

The GDPR was overdue and necessary. It was a very complicated piece of law.

I will not be involved ( and sadly ,I suspect ,nor will the UK) in the forthcoming Privacy and Electronic Communication Regulations ( PECR) replacement which the EU is presently considering, but that will probably prove to be an even more complicated process than GDPR , but equally necessary as the years go on.

 

Lord Kirkhope of Harrogate

(Formerly Timothy Kirkhope MEP, Conservative spokesman on LIBE Committee and shadow rapporteur on GDPR.  Former UK MP and Home Office Minister. Lawyer) June 2018