IP Draughts has been involved in several GDPR-related projects this week. By “involved” he means working with our GDPR expert, Francis Davey, to provide training, give advice, and negotiate GDPR issues. Francis is one of two experts in this subject at Anderson Law, the other being Stephen Brett.
By way of background, there are several stages in a GDPR (General Data Protection Regulation) analysis, including (a) working out whether one has personal data (old assumptions about anonymisation being sometimes irrelevant under the new law), (b) where it is moving from and to, (c) what the legal justification is for such movements (e.g. consent or another permitted basis), (d) whether the rules surrounding that legal basis have been complied with, and (e) which of these parties is controlling the data (rather than merely processing it on behalf of a controller), including sole, joint and co-controlling. This is before we get to questions of what agreements are legally required or desirable between the various parties.
It is easy to lose one’s listeners along the way, particularly if what one is proposing does not conform to their established way of doing things, or they have seen different practices being followed that supposedly comply with GDPR.
The following is a random set of themes that emerged from these projects. They are given from the perspective of someone who doesn’t claim to be a GDPR expert, but who has sat in on enough detailed discussions of GDPR to form an overview of the subject.
- In the medical field, many, or most, clinicians have not really engaged with the new thinking required for compliance with GDPR. They are still assuming that consent is the best route, and that consent is broadly the same as consent for the purposes of conducting clinical trials.
- The European Data Protection Board (formerly the Article 29 working party) has published some guidance on the use of consent as a route to GDPR compliance in relation to clinical trials. They have thrown a large jug of cold water on the idea that vulnerable patients in hospital can give consent freely. One could view their opinion as an act of staking out their own territory, and refusing to be influenced by the developed group-think on consent for the purposes of the Clinical Trials Regulation. In IP Draughts’ mind, their opinion raises the question of whether established clinician practices for the purposes of the CTR may have to change, as well.
- It is all very well getting expert advice on the appropriate way to comply with the GDPR. But if that advice is out of line with established thinking (there is a lot of bad GDPR advice out there), how much appetite do organisations have for facing criticism, from those whom they oversee or collaborate with, that they are creating unnecessary bureaucratic obstacles?
- Equally, one may have conducted a sound analysis of GDPR issues, and put in place an action plan that one thinks is compliant, but where another party is involved and that party has also received expert GDPR advice, how does one resolve honest disagreements between the experts over the correct course of action? One of the themes that has emerged in recent days is whether a technical collaboration on a project that involves use of personal data may amount to both collaborating parties determining the “means” for the use of personal data. If so, it seems to be considered that this may impose GDPR obligations on a party, even if they don’t receive any of that data. That seems counter-intuitive to IP Draughts, but he will leave it to the experts to decide how the law works in this situation.
IP Draughts can see the merits in establishing a new regime that requires parties to engage in a new way of thinking about protecting people’s personal data. But he is concerned that the legislation is so radical and has created so many areas of legal uncertainty, that it will be several years before the courts develop clear guidance on how to comply. In the meantime, users of personal data will be somewhere on a spectrum between the head-in-the-sand brigade and the fastidious user who is protected by a team of lawyers and data protection officers, like a Roman magistrate with his lictors. IP Draughts wonders whether there might be a badge of office to represent the fully-compliant data team, like the lictors’ use of a bundle of twigs and an axe.