EP04: UK data reform – a saga, or A New Hope?

While on temporary pause to afford the new Prime Minister and her cabinet the opportunity to review its priorities during a time of economic woes, against the backdrop of soaring living costs and a major ongoing conflict in Ukraine, the United Kingdom is poised to introduce sweeping reforms to the legislative framework governing data privacy and protection.

In this episode, we explore the reforms originally proposed by the DCMS and the bill subsequently presented to Parliament. It had its first Commons reading on the 18th of July; the second reading, intended to take place on the 5th of September, was postponed due to the change of leadership. During this session we dive into the differences between the DCMS proposal and the text of the bill, and help you understand how this highly complex area of compliance may affect you as a leader in tech.

To help you navigate these choppy waters, our host Andrew Rawlins-Catterall is joined by Keepabl’s CEO Robert Baugh. Robert is a veteran in data privacy and protection who has a long career as a respected privacy advocate practising law internationally and acting as various General Counsels. He went on to create Keepabl to help the SME market achieve data protection compliance.


Transcript

Andrew Rawlins-Catterall: Hello and welcome back to the Tech Leaders Podcast with Mazars. For those of you who are new to the podcast, hello, and to those of you returning, hello old friends. My name is Andrew Rawlins-Catterall and this week we're going to be exploring the rather complex area of the UK Data Protection Framework Reform. For those of you who have been following the news recently, you'll be aware that MP Julia Lopez has been reappointed as Minister of State for the Department of Culture, Media and Sport. And joining me today is Robert Baugh, CEO of Keepabl, to discuss the rather complex areas and how that's going to affect UK businesses and the UK as a whole. Welcome, Robert.

Robert Baugh: Thank you very much, Andrew. Great to be here.

Andrew Rawlins-Catterall: Absolutely fantastic and thank you for taking the time out. You must be insanely busy at the moment.

Robert Baugh: Yeah, it is. It's always a good time in privacy, everything's just getting busier every month and so it's good, it's good.

Andrew Rawlins-Catterall: It doesn't seem to matter what time of the year it is, there's always a new piece of case law coming out of the EU or the UK. There's constant reforms, of course, we've got the AI Act in the EU as well, and that's under reform at the moment. So it's quite an exciting time I'd say. So, to our listeners, those who aren't familiar with Keepabl, Keepabl has been awarded a, in fact, two years in a row, isn't it, Robert? The RegTech 100 list for companies providing innovative solutions, especially in the financial services market.

Robert Baugh: Yeah, absolutely. Global list as well, so we’re very happy about that.

Andrew Rawlins-Catterall: Yeah. Pretty impressive credentials there. So, I guess really a good way to start off and I think listeners are very, very interested in understanding people's journeys into privacy. So, it would be great if you could give us some background in your own personal views and how you moved into it.

Robert Baugh: Yeah, absolutely. So, I started off as you did with a technical background. So, I did a master's in engineering economics and management, and it was all about how science and economics and marketing all come together. So, I actually cross qualified as a lawyer to a city firm back in 1995, joining in 1993. So, being someone who understood the technical aspects, I was very much drawn to intellectual property and data and information law as it was then, because that was the crossroads of law and business interaction and technology in a really interesting way. And so, because we were in IP, it was all about data. We got data protection, we also got e-commerce, which was fantastic. There was no real IT law practice at that point, so we got that, which was great. And so, as that practice grew and data protection became more and more important, as the internet started coming through, I mean, we didn't have laptops back then when I started as a lawyer, as we're using a system called Wang, it was all prehistoric, but very rapidly it all started changing. So, data protection was really underpinning this. I then went out to Hong Kong and Melbourne working as an e-commerce and technology lawyer and very much with data protection as part of the focus. And then I went in-house as general counsel of VC backed South Growth companies and data protection is, data protection and IP are the two biggest things that a business are looking at and privacy and security, the two biggest operational compliance issues. So, that's where it really came from and because we were talking earlier, we had a great session before this, about being able to look at the law but actually have that practical knowhow and experience to go, well, actually this is how we look at it and how we can implement this was really key. And I think that's where it, that's where it all came from.

Andrew Rawlins-Catterall: I think that's one perhaps of the biggest challenges when it comes to data protection, the written guidance and the practical application are two very, very different things and they require entirely different skill sets. I think you sort of very succinctly, very on point sort of covered that off with the experience from the tech background. How that leads into data privacy and the development of technology at the moment is absolutely insane because of course we started off with infrastructure as a service and then it was platform, then it was software, and now we're talking about outsourcing DPO functions and all sorts of different things. Everything's cloud based and perhaps later we will touch on the Cloud Act from the US and maybe something to do with artificial intelligence if we have time. But I suppose the focus of this podcast is to look at UK data reforms and that started off with a consultation which has been quite divisive in many ways. As we were having a coffee discussion just before this and it would have been quite useful to have recorded that, to top and tail it as a sort of intro. So, I suppose starting from a very high level for businesses, the consultation itself, what was the purpose?

Robert Baugh: So, absolutely to take it from beginning. So, the EU GDPR bit was UK law because we were a member state at the time and it became retained EU law and we just basically went through, you can see the schedule where you just cross out the EU and write in the UK. So, the UK GDPR to all intents and purposes is identical to the EU GDPR. So, the government, the UK government decided that that was holding business back and what they wanted to do was, this is the published line. What they wanted to do is make it easier for, for Britain to gather the Brexit benefit and sell off in a new third way to unleash business was the stated intent of the consultation to make the changes to the data protection regime.

Andrew Rawlins-Catterall: So, I'm going to pick up on that very last point, the stated intent. So, the stated intent would be to reduce burdens, for example, for businesses to encourage innovation and so on and so forth. Has that translated into the bill?

Robert Baugh: So, they were the intentions for sure, and everyone would applaud those intentions. I think one of the problems was the consultation was very controversial as you said, I put like a 40 odd page response in, but lots of industry commented, law firms commented and one of the big things was people weren't sure they were achieving what they wanted in terms of the impact on UK business, which is our, our focus here. So, leaving aside, say, the structure of the ICO for the moment, for a business, what do they do about privacy? And people are saying, well, actually you're swapping out one orange for another orange here. You know, it's not really making much of a difference and it could even be worse. Then the bill came through, which was not as extensive as the consultation. And when you look at when the bill came through, so the government response just before the bill was most people objected to this, but we're doing it anyway. And so, then the bill came through with some things and we're going to get into that in more detail. My personal view is it makes almost zero impact on a UK business or a negative impact on the UK business.

Andrew Rawlins-Catterall: So effectively what you're saying is the consultation responses were effectively ignored?

Robert Baugh: So, I think it would be unfair to say totally, but I think it would be fair to say in quite a lot of occasions they were, because you can look at a lot of the Government's response which was published in between and they say pretty well everybody objected to this, but we're doing it anyway. And so, I think from a personal point of view, I think a lot of this is basically sort of White Cliffs of Dover, Brexit voters, movement on EU law. If you actually look at the practical impact and we've published a side-by-side guide to the changes, there's, there's very little change for UK business or it will be worse in a lot of situations. And one of the things is they're bringing in a lot of uncertainty, we'll get into a couple of areas like vexatious or what have you and the SRI, this is not the time we need uncertainty. This is a time when we want certainty about the data protection. Now, no one's saying GDPR is perfect, but it's not helping the situation for UK businesses.

Andrew Rawlins-Catterall: Yeah so, I suppose from what I've read, the main focus of the bill was around accountability. Having a senior responsible person or individual, should I say, is the correct technical SRI as you mentioned earlier. Changes and that's really to replace what the DPO function is at the moment, changes around Data Subject Access Requests, DSARS which you mentioned again with the vexatious aspect, more flexibility around international data transfers as well. There were ICO reforms in there and also an additional point around which certainly for me and perhaps we'll go into that later around automated decision making, that perhaps has over complicated things. So, in practice, I suppose starting at the first point and probably the most contentious point, DPO versus SRI, what does it mean in practice?

Robert Baugh: So, this is one of the difficulties about all this is you have to really put a cold towel around your head and have a look at it. So, this, again this side-by-side thing we've done is really good and there are other ones out there as well, but I think the DPO role itself, before looking at the SRI, the DPO role itself is massively misunderstood. The vast majority of businesses do not need a DPO. So, if you're private sector, you only need a DPO if your core activities, that's not ancillary stuff like your own HR processing, it’s your core activities at a large scale; you're regularly systematically monitoring individuals, or you're processing special categories or criminal data as your core activity at a large scale. Most aren't doing that. The Law Society of England and Wales said most law firms will not need a DPO and if you think of what they process. So, I think the DPO aspect has been massively for me misunderstood and very few businesses by number and percentage in the UK really need one. I think then one of the big issues with DPOs that I have is this no conflict bit that we were talking about earlier. It makes it very, very difficult and really if what you're wanting to do is drive good compliance, you want to make it easy and that no conflict rule for me makes it really difficult. So, what they've done is they said, well, look, this DPO bit is really bad, we want to get rid of this, it's an onerous burden.
We will replace it with this senior responsible individual, the SRI. Now the SRI, this is where they're introducing more uncertainty. The SRI needs to be a really senior person.

Andrew Rawlins-Catterall: So, are we talking board, Exco, risk committee, that level of seniority?

Robert Baugh: So no, it's more, it's more the level sort of below, it's more the sort of not the person who would be like a once a month having a look at this. It would be the daily senior leader, like the senior, you know, senior daily sponsor. But they're meant to be able to make change in your organisation, but they can't be conflicted either. Now, the European authorities and our authority and various case law has said if you're a head of then you're conflicted. So, the law is saying, the bill is saying your senior responsible individual has to be of that senior management aspect but can't be conflicted but because they're in that senior management role, they're almost guaranteed to be conflicted and then they can delegate if there's a conflict to someone else. But then that person can't be conflicted either. So, to me, the fix would have just been to take away the conflict on the DPO and leave it there. Or but certainly don't have the conflict piece in the SRI.

Andrew Rawlins-Catterall: So, in effect it's increasing burdens in practice because on the one hand we're saying it needs to be a senior responsible individual who can then, who is likely to be conflicted in one way or another in determining how the daily operations work, which is determining the processing. So, that's where the conflict comes in. So, they can then delegate, however, the protections of the senior responsible person or whomever is taking on that responsibility has the protection. So, the person who is delegated receives that protection, that's different, isn't it? To the existing framework with the DPO?

Robert Baugh: So, the DPO is protected, which I think is amazing. So, I was general counsel in businesses where basically you're in a very similar position to a DPO, you're advising them on a position and saying this is how we should deal with this, this is the legal framework and maybe we can't do it this way, we can maybe do it this way. But you didn't have, you don't have, as a general counsel, the protection which the DPO has, where you can't be sacked from your job. And also, that the business, if they disagree with you, it should write down why they disagree with you. So, you've got this sort of safe harbour as a DPO that you can say, I don't think we should do that and if the business goes ahead and does it, you're protected because the law recognises you can't make that happen. I think with the SRI, the difficulty the SRI has is there's a new obligation on the SRI to ensure compliance and ensure there's governance in place to have good compliance that's not there for the DPO. So, the SRI has the advisory bit, it has the monitoring, it has the training bit and all the stuff. But the SRI also has to ensure compliance, so that's a statutory obligation for that role to ensure compliance with, by the organisation. I think that is a massive extension.

Andrew Rawlins-Catterall: I would tend to agree with you on that. So, in practice, if there's a requirement, a regulatory requirement to ensure compliance where does the liability fall, is it on the business? Is it on the SRI? Is it the person doing the job who has to ensure compliance?

Robert Baugh: It's a very difficult question. So, it's very clear for the DPO, the DPO is not liable. The liability on the GDPR is the controller or the processor, not the representative and not the DPO. Even though the regulators have tried to make the representative liable under the territorial guidelines, the draft one, and that went out in the public forum. But with the SRI there's nothing to say the SRI individually is liable. However, this is going to be a statutory obligation. I mean, you mentioned the finance industry earlier and the money laundering regulations and the MLRO was a very difficult provision position to fill at the beginning. So, I think it's going to be quite interesting but one slight sort of twist in it is when you read the law, arguably nobody needs an SRI.

Andrew Rawlins-Catterall: And I suppose the reason for that, if I could almost predict what you're going to say next, is this to do with the issue of high-risk processing?

Robert Baugh: It is indeed.

Andrew Rawlins-Catterall: Go on, tell me more about that.

Robert Baugh: So, the test of whether to appoint a DPO, as we've mentioned before, core activities, large scale, systematic monitoring or processing of criminals or special categories data, very clear. The SRI one is you appoint an SRI if your processing is likely to generate a high risk for individuals. Well, the whole regime at the moment is you don't do that. So, if you think you're likely to have high risk, you do a DPIA. You then put in place measures to see what the residual risk is. If the residual risk is below high, fantastic, you carry on. If it's still high, you try and put more measures in. If you can't reduce it below likely high, you go to the ICO and say, I can’t, can you help. If they say, no, we can't help, you can't do it, you can't do that. So, people should not do processing activities that are likely to result in a high risk to individuals. They should be putting in measures to reduce that to say medium. So, under the current aspect, arguably that wording, which is also used for the exemption for 250 employees or less for Article 30. So there's two different connotations to it. But for the SRI, there's a good argument that if you reduce your, if you do proper risk management, so all of your processes are medium at most you don't need an SRI which I don't think is the intention. Well it might be from the UK Government, so no one has to put one in.

Andrew Rawlins-Catterall: But surely that's complicating things that are going to be high risk activities or systematic processing, large scale processing. So, effectively it's creating more burdens on the compliance function to put in more protections and more measures and do much more work on that side. So, isn't that just shifting the financial responsibility, perhaps from employing a DPO, who's an expert within data protection, replacing them with an SRI who might not necessarily have the same level of expertise and who may then delegate to the person who used to be called the DPO, who will then have the protection, who will effectively do the same job. But because it's now a regulatory requirement that will increase compliance costs, surely.

Robert Baugh: Absolutely. So, if we assume, excuse me, if we take away the when do you need to appoint one bit and let's assume you need to appoint one in the same situation when you appoint a DPO. So that level of appointment, you know, if you need a DPO, you need a SRI, let's assume that. The SRI has a lot more obligations. So, the company has a lot more obligations, express obligations. Obviously you can go, well, how do I fulfill that DPO role and there's guidance around it. What the DPDI does is actually brings in a lot more express obligations.

Andrew Rawlins-Catterall: Yeah, no, it's a lot to take in and it's a lot to think on and sort of digest. I think businesses and certainly from a consultancy point of view, we're going to have quite a tough time advising businesses if this comes to fruition. And of course, that sort of leads onto the next one, which is quite a big change on how data subject access requests are being dealt with because there has been a new introduction in the wording, which is controversial because of the original purpose of a DSAR was to see what information a company held about you, how it was being processed, and to ensure that it was accurate and being processed lawfully. That way you could exercise your rights to rectify it and so on and so forth. However, there is a very controversial word and I'll hand over to you at this point to explain what that word is and exactly the impact it's likely to have.

Robert Baugh: Yeah. So it's vexatious. And so it's an interesting one just what you said about the purpose of a data subject request. And it's not just the DSAR it’s that any DSR, any request. So, what's the purpose of putting one in and one of the recitals is that it's always been the case that the primary purpose is, as you say, to protect the fundamental rights and freedoms, in particular in relation to privacy, and that everything is accurate and being appropriately processed. There's a long line of case law that ulterior motives are irrelevant. So, if you want it for litigation, that's irrelevant. There's a Court of Appeal decision recently from Oxford, two cases joined together, fantastic judgment actually, saying it's absolutely clear that if you want the information for the purposes of litigation, that's absolutely fine, that you can have other motives as well as long as it's not an abuse of process. So, I have to say I've done it before, where I've said to people, do a DSAR and see what you can get in the case of an employment tribunal, for example, before you get there. Because discovery and litigation comes later. So lawyers do all this stuff anyway, so that’s been going on for decades. The difference with vexatious is you've got manifestly unfounded or excessive and so now you got vexatious and what vexatious is, is from, this is the uncertainty. So, it's been in the Freedom of Information Act for a while. But the purpose behind moving it to vexatious is, is to give businesses a bit more flexibility of when to refuse to do a data subject request or to charge a fee. Now, the difference is likely to be minimal. And one of the difficulties as well is we don't really know what vexatious means in the context of data protection. 
So, the UK ICO has great guidance on it on their website in the context of Freedom of Information Act, but the purpose of it in the Freedom of Information Act is you don't want to waste government public money by doing a Freedom of Information request that's pointless for whatever reason or vexatious. So, there's a totally different motive about protecting government money that's very scarce. You go to the NHS or whatever instead, in terms of doing a vexatious data subject request, it's a very different situation. But even when you look at that, it's not doing anything like what the PR says about will give businesses a massive leeway to say you're being vexatious because you want this for an employment tribunal. It won't stop that at all.

Andrew Rawlins-Catterall: So I suppose in effect until it's been defined perhaps through the judiciary in the courts and we have case law, we won't actually know what vexatious means in context.

Robert Baugh: Absolutely. And this is, this is a thread that runs through the bill. The whole bill is quite weirdly drafted as a lawyer looking at it. There's quite a lot of narrative in there in places, there's a lot of use of phrases from elsewhere. There it’s, it's not clearly written out. It's going to actually generate a lot of interpretive uncertainty which again we don't need at the moment.

Andrew Rawlins-Catterall: Yeah, I completely agree. Some stability in business, especially with the current economic climate and so on and so forth. And thinking reflectively about that, there's a likelihood and it'd be great to have your view on this, that it could undermine public trust in the business. If any particular business starts refusing subject access requests on the basis of it being vexatious, because then all of a sudden people will be asking the question, well, how or is this particular company process my data, could I actually trust this company? So, what would your advice generally be to businesses if this comes to fruition?

Robert Baugh: So, my advice generally to businesses on the vexatious bit is it's going to make hardly any difference whatsoever to how you practically do data subject requests and I would also say that, but data subject requests from my experience talking to people in the market and to our customers, they're very binary, you either get them or you don’t. So you either get none or maybe one disgruntled employee a year or you get sort of 20, 25, 30 a month or upwards. So, it's either you get them or you don't and if you don't get them, it’s going to make no difference to you. If you do get them really, the difference is negligible on this as well. So, the vast majority of data subject requests, it won't make any real difference to. I think one of the things about trust is what we sort of talked about before. We've mentioned here is the difference to records of processing activities and the data protection impact assessments or risk assessment. So, we've talked about the DPO and SRI. So, assuming they were put in place for the same reasons in the same situations, actually the public should have even more trust because the obligations are now bigger. The record of processing activities, it was all about let's get rid of this tick box stuff, it's identical. So, under the, under the DPDI is identical to under the current GDPR. There's absolutely no point in doing it whatsoever, it's absolutely identical. So, the companies will have to create those records of processing activity. In terms of the DPIA, they still have to do a risk assessment where there's going to be a likely high risk, and the risk assessment has to cover pretty well the same thing. So, a lot of the governance and accountability is actually the same or harder under the new regime. So, I think that government, sorry, businesses will be able to maintain that trust because they'll still be doing everything they should be doing. 
And it doesn't change the fact you've got to have a really good answer for people as a business you want to, the accountability principle is you're responsible for complying with the principles and you're also responsible for being able to demonstrate that you're complying.

Andrew Rawlins-Catterall: Yeah, exactly. So, what I'm taking the main message is that many of the main obligations are effectively the same thing by another name. And in some cases it's actually placing harder, a much higher bar for businesses to sort of try and hurdle over.

Robert Baugh: For sure. For sure. I think that's right. If the SRI wording is intended that the SRI goes in whenever a DPO goes in at the moment then yeah, it's much harder.

Andrew Rawlins-Catterall: I suppose. Another thing that's really surprised me, so one of the points on the consultation was about tech innovation in the UK and a lot of that was surrounding some sort of artificial intelligence, machine learning and things like that. But there's nothing really in the bill, there is obviously about automated decision making and making things easier, especially when it comes to things like clinical research, where there's obvious tangible benefits. However the EU does have a draft piece of legislation on AI, do you think that perhaps has affected whether or not the UK Government has decided to introduce that into the bill at this stage or is it a case of wait and see? Because it seems to be that there's a two way almost experiment going on. So the EU is watching the UK as a sandbox experiment and in fact I think I'm quoting directly there aren’t I and it's been quoted as being a sandbox experiment to see whether it or not regulations can change and whether it would work. But conversely and looking the other way is, do you think the UK is looking towards the EU to see how they move in terms of AI legislation to make sure that we maintain adequacy?

Robert Baugh: It's well, so that's that that's. So I think for the AI part itself, we're looking, the UK has just published its sort of white paper basically on, on how it's going to approach AI with not having a single regulator, giving the individual regulators that are already there a bit more clarity on how to deal with it on a principles based approach. Whereas as you say, the EU AI Act is very much on a very prescriptive this is, these are the categories of AI based on the impact on people and this is how we're going to treat them. I think the world is actually looking more at the EU and thinking that makes probably more sense. I think the US is looking to be more sort of in the middle, but I think the EU approach, people can see that it makes a lot of sense. In terms of Article 22 in the GDPR, which is the bit about the automated decision making, there's really no change. And what was really interesting is beforehand and this was one of those ridiculously named Tigger reports. But, but you know, and through the consultation, we're going to release businesses by scrapping Article 22 altogether. And actually the Retail Association, the British Retail Association said, no, don't do that. And I thought if anyone, I was really surprised because if anyone wants to sort of be able to, you know, profile people and automated decision making, it would be retailers and marketers. And the British Retail Association was no, no, don't do that. In fact, make it harder. And most industry came back saying, please don't take that away. If anything, make it harder. So the rights of individuals are equally protected under that and it's a mirage on that one.

Andrew Rawlins-Catterall: It's an interesting one because I would have expected most retailers who have loyalty cards, different point schemes, would want to analyse more information and what surprised me, I suppose the new draft bill has tried to define slightly in more detail perhaps the automated decision making in that if, you can do it as much as you want, but if you're not doing using it for anything, then that's okay. But of course you're not going to randomly stop processing data, profiling people and then not put it into use. But if you put it into use, there seems to be tougher safeguards in place. So again, that seems to be more regulation as opposed to reduce.

Robert Baugh: Yeah, it's gone the other way from the consultation for sure. And one of the things it's done is also so in the GDPR it says solely based on automated decision making. And so the DPDI is sort of well if most of it's automated, if there's no material involvement of a human and there's been cases in Europe just recently about actually even if you use AI to present information, it's then taken into account by a human, that’s automated decision making. So it's the opposite. So there's a lot of seesawing in this area. There's still quite a bit of uncertainty to be clarified. But I think really the reason that the retailers did this and what the rest of industry was, they welcomed GDPR. You look at the British, the Marketing Association, marketers have welcomed GDPR because actually what it's meant is, is people who they're involved with are much more bought into it and it's higher value and people are respect, trust, economy you've got to show to consumers that you're going to handle their information properly. Salesforce have done tons of great studies on how people don't, will ditch customers if they don't think they're handling their data properly. So, the retailers have gone actually, we really respect privacy, we really respect data protection. And that's helping our business by showing our customers that we are handling their data responsibly and appropriately it's helping our relationship with them. So please don't, please don't make it worse. And so that was I thought that was a very refreshing thing from a court I wasn't expecting.

Andrew Rawlins-Catterall: It is surprising and it links nicely back to what you've mentioned about businesses, what they should do when it comes to handling details, because it is about trust and reputation, isn't it? So I suppose perhaps we'll leave international transfers aside because I think we could probably talk for hours on that particular topic and it's very, very complex. Maybe we'll do another one. However, there have been some interesting changes to how the regulator will work, not just in terms of reporting, but how fines will be approached. And also, that is, am I correct in thinking that the ICO can potentially retain some of that revenue?

Robert Baugh: Yeah, and this could be quite an issue. So across Europe, it's quite a sort of mix of who gets to retain money that they fine and everything so that the ICO should be able to retain a portion of it which will be questioned about whether that will actually make a difference, because the UK ICO has doubled down just recently on making public statements that we are known as the practical non fining regulator and we're going to continue with that. We want to get better compliance in the UK by helping and supporting businesses, having conversations with them rather than them worrying that we're going to slap massive fines on them. So obviously things like you know, sending out 2 million text messages when you shouldn't, they're going to be fining those people, they've got no worries about that, which they have been, that's been their main area of fining. But on GDPR they're much more about leading people to better compliance and they don't really want to fine, and they've made a statement and that's going to continue to be their way. So, I don't see the fining bit changing. What I do see is you mentioned the changes to the regulator that you mentioned the adequacy decision. I think this is one of the big areas for the threat to our adequacy. So, on transfers, funnily enough, there's not much in the DPDI it just puts in place the opportunity for these adequacy regulations, it’s not really much of, there's nothing really in the DPDI about the transfers in that respect, but the risk-based approach to the UK is contrary to the EU one and as you say we’ll park that. On the regulator side, an independent regulator is one of the things that the EU looks at for the adequacy decision. The regulator now has to put certain codes and guidance before the Secretary of State to get their approval before they can be published and they can be said, no you can't, that's not right you're not going to be doing that.
So, for me, that's one aspect where they're not as independent anymore. So, if you're looking at the adequacy decision part, the main thing is the Government's stated obligations, stated intent on transfers and risk-based approach, which should be coming through later this year. And the second thing is the independence of the ICO. Now, the structure of the ICO, I don't think is going to change that. But this whole reporting aspect into the Secretary of State, I think will do.

Andrew Rawlins-Catterall: It’s certainly going to make things a little bit more interesting. And I suppose going back to the aspect of independence, if the regulator isn't independent, it could trigger sunset clauses, couldn’t it? Because at the moment the EU have said and I think, correct me if I'm wrong, I do believe that the UK adequacy decision actually has an expiry date of 2025.
However, there are sunset clauses in there that if we diverge for whatever reason, that could be reviewed beforehand. So, in context of obviously the ICO perhaps or proposed not to be independent, do you think that could potentially trigger one of those sunset clauses?

Robert Baugh: So, questions have already been asked in parliament to the European regulators to review what the government in the UK is looking to do. And so obviously they're wanting to see the hard action first. So, I think once if we go down a risk based TRA route, transfer risk assessment route instead of the TIA, transfer impact assessment route from the EU recommendations, I think that's going to set us up for a bit of an interesting conversation with them. If we go through this independence part on the ICO about having the codes all approved etc, and also the government can say to the ICO, so there's a part of the bill where the ICO is going to have certain other obligations it has to take into account, certain other factors it needs to take into account, put on a statutory level. They're not going to make much of a difference. Below that there's then a statement that the Secretary of State can give the ICO, and they have to take that into account. So that's also impacting on the independence, and they have to explain whether they have or not as well. So, they don't have to do what it says, but they have to explain why they're not if they're not etc. So that together with the pre-approval of guides, does put quite a big change on the independence of the ICO. I do believe the ICO is very well respected across Europe as a regulator, certainly for its thought leadership, certainly for things like age appropriate and data protection, for example. I think they're seen as not fining enough in number because they're certainly fined a lot in size. But I do think that that is going to make a change for Europe. They will have to see how the independence of the ICO and the TIA when it comes through is saying, we have a sunset clause in our adequacy decision, it can be reviewed earlier, and I think these are exactly the sort of things they'll be looking at to review it earlier.

Andrew Rawlins-Catterall: Yeah. So, it seems I suppose to sum things up the changes are quite cosmetic. It's almost a UK branded version and while intentional or not, there's a risk, potentially a high risk that it's actually going to increase burdens would that be fair to say.

Robert Baugh: Yes, I think that's fair and also there's a risk that it could lose us the adequacy decision.

Andrew Rawlins-Catterall: Yeah, that's what I was going to lead onto, whether or not it's likely to move on to affect adequacy as well. Yeah. So putting aside the complex areas of law like the Bill of Rights for example, which is a review of the Human Rights Act 1998 and, that's been put on a short hiatus too while it's been reviewed, there is the potential for the US Cloud Act. So, if there's any agreement between countries on sharing of information. What I suppose are the potential new impacts in terms of what was known as ePrivacy, PECR; The Privacy and Electronic Communications Regulations, what are the fundamental changes proposed there?

Robert Baugh: Yeah, I have to say, and we said we weren’t going to go into the human rights aspect, but that actually is, and a lot of commentators said that that's a bigger threat to adequacy than the DPDI. So that, but leaving aside PECR, ePrivacy regs, I think there's some welcome bits in there. So, the fines are going up to GDPR level, which makes sense. So you've got people being fined that at the moment the fines are capped at 500K, I think they're going up to the 17.5 million or 4%. So, I think everyone thinks that's absolutely right and it's been a long time coming. There's some new categories of, so this is quite interesting at the moment you essentially can look at cookies in various different ways. You can slice a cookie in different ways. One way to look at it is some that are strictly necessary and either for delivering a service or delivering a transmission and those you don't need consent for. So that's going to be legitimate interest, those are the only cookies currently you can use legitimate interest for, those very, very narrow, strictly necessary cookies. Everything else is consent. So, you've got two big buckets, one small bucket, one big bucket. Now what we're doing is we're putting a third bucket in the middle where we're going strictly necessary, which is for the delivering the service or is it something they've asked for, is still strictly a legitimate interest you don't need consent. The middle bucket coming in, is if you provide an information society service or website, you're able to look at that and say, I can use cookies now for monitoring and improving the performance of that service and for the user's customisation basically but they're on an opt out basis. So, you can have pre-ticked boxes, which you're not meant to have for anything for the consent, but for these ones you can have pre-ticked boxes and they can take un-tick, there has to be an easy way for them to say, no, I don't want this to happen.
And there's also categories in there about delivering security improvements as well. And then you've got the second bucket as well as now the third bucket, which is just consent. So un-ticked has to be consented to. So, at the moment, you've got strictly necessary, they don't need they can't object, and you've got consent where you can't have pre-ticked, and they have to opt in. You're having this middle bucket squeezed in which is you can have it pre-ticked and they can opt out. But it's not for marketing, it's not for profiling and I think a lot of commentators have sort of said, wahey, we can now do profiling.

Andrew Rawlins-Catterall: So, it's more about website improvements, analytics, to do with the use of the website rather than how people use it.

Robert Baugh: The website or the solution. Yeah, absolutely right.

Andrew Rawlins-Catterall: And then what's the difference between the first party and third party cookies in relation to these buckets that you've mentioned?

Robert Baugh: So that’s a really good question. So, there's also the whole idea about, well, what if we do it just server side and we don't use any cookies. And so we were talking about that before as well about where does PECR apply, where does GDPR apply. And so one of the things, for example, in the IAB Europe case we mentioned, I'm not sure why I think it was the Belgian regulator didn't just say PECR not PECR, eprivacy directive because you cannot have legitimate interests for building an ad profile about somebody that has to be consent under the ePrivacy directive. And the whole decision I read it has no mention of the Privacy directive in that sense. It's all about GDPR, can use legitimate interest and it's clear this particular senior law, the privacy director, says, no, you can't. So, I really don't understand why they didn't refer to that. And I didn't see the questions that have been referred to the CJEU, I read those too weren’t really answering that either. And the court can just go, guys, you're missing the whole point here, ePrivacy directive, you cannot do this using legitimate interest you need consent. So, I think that it's going to be, we're in a state where the first party, third party, the whole Apple Google Server side aspects, this is a major state of flux. And I think the central question comes down to you're protecting the rights of individuals and so if you're tracking somebody that generally is seen as something that needs consent, now, whether you're doing it with a cookie or whether you're doing it server side, I don't really think that makes much difference. I think people are quite relaxed about, as you say, analytics and performance stuff and that's coming through in the draft of the ePrivacy Regulation as well. And actually personally, I think that could be in a strictly necessary bucket because what you're talking, there's a conversation that everyone's got consent fatigue from these cookie boxes.
Actually, the cookie box is not the problem, it's people not adhering to them properly and setting them up incorrectly. And so what we've done now is we've now got this, okay I can opt out of these, I have to opt out of these, but I have to opt into it, so it makes it more complex. I would have been happier if they just said analytics and performance are in this strictly necessary bit, everything else is still in the opt in. It would make it a lot simpler. So, I think the key question is how are you protecting the individual.

Andrew Rawlins-Catterall: So again, it's adding complexity to something that was actually originally slightly simpler.

Robert Baugh: Absolutely. And there's a lot of chaff at the moment about using the technical settings of the browser. And the consultation was all about do we bring this in? And the commission has always said it's too early. The technology's not there, it's not in a particular place. And there's different movements on this around the world, which again are all to be applauded and everything. But the government has recognised we're just not there yet. So we're not going to, we're going to make a provision that we can do that down the track, but we're not going to do anything right now. So that's something as well that receded and quite rightly. But just again, it's just making it uncertain, making it more complex when you really want to just reduce the uncertainty and make it simpler.

Andrew Rawlins-Catterall: There's definitely a theme developing there, I suppose, it definitely keeps the conversation going and it makes these things much more interesting to delve into. And I suppose this is a good time to address the elephant in the room, most UK businesses at some point or another will engage with a third party processor or self services or goods to an EU country. So, what's the impact of the UK data protection reform on those businesses, which, let's face it, is probably quite a lot, the majority in fact.

Robert Baugh: So, we've been in a bit of a situation since Schrems II and so obviously Schrems II was the decision in July 2020 taking down Privacy Shield, which was the adequacy decision allowing a structure for US companies to sign up to so that you could use like Salesforce and HubSpot with US data centres and US contracting parties. With that gone, no one's basically meant to use a cloud provider that can see information in plain text, and that's a massive summary but let’s not go into it. So, there's a lot of discussion going on about that now. In terms of Europe, I remember sitting at a, I was co-chairing a GDPR panel in Barcelona in late 18 with the Chief Compliance Officer of American Cloud Provider and all the people in the audience were basically wanting to know from France, Germany, Netherlands, everywhere, when are you moving all of the data centres away from the UK? And the Chief Compliance Officer said, we've got that project in place, it will all be out of the UK, and you can all have it in Germany instead or what have you. So, you know, the data question Europe has seen the UK as a non strategic option because of the unpredictability of our regulatory regime. So, people just move stuff to where it's safe and carry on. They don't want to have years of uncertainty. So, a lot of businesses have moved data into Europe. You've often also seen a lot of providers of goods have had to open up in Europe because of the whole Brexit issues, which is a shame. I think going forward people who are supplying Europe, if you're, if you're covered by EU, GDPR, you can continue to just comply with EU GDPR and you'll comply with the UK regime, it's a bit it's, that's what's been said, it not that particularly clear from the DPDI, for example, on the SRI and DPO and all that sort of stuff. So, you should be able to comply with the UK regime by complying with the EU regime.
So, a lot of companies will just keep doing that and actually one of the things that came through from a lot of responses was the government you're wrong. We were all quite comfortable with the GDPR. We've all done all the stuff. We think it's fine. We don't want to have to change to another one or to run two. So, a lot of companies who are going the EU GDPR, which is the UK GDPR we'll just continue. And so my recommendation to people who are in the UK who do business with the EU is just keep adhering to the EU standard and you should be fine in the UK as well.

Andrew Rawlins-Catterall: So, in effect, if the measures that have been put in place and put before Parliament, which haven't gone ahead for the second reading just yet and the SRI is introduced, the DPO could just stay effectively, and it could be delegated to them.

Robert Baugh: Yeah, well they may need a DPO under EU GDPR, so they've got a big, it's a bit like UK representatives. So, when that, when Brexit took effect, before Brexit took effect, people went, well, do I need an EU representative? And then when Brexit took effect, they got to go actually I've got to revisit that. Do I need a UK one and do I need a UK one and an EU one? And then now the EU representative is meant to be going in the DPDI, but it just again, it's this uncertainty, extra burden. So, keep it simple. I would just say if you've got European exposure just do the European rules and you'll be fine. The one difficulty is the small cheese manufacturer who can't export goods to Brexit because of Brexit. The services provider as well may find themselves in a similar position through no fault of their own. If the adequacy goes, it’s going to be quite an interesting situation.

Andrew Rawlins-Catterall: And obviously the economy is going to take quite a hit, I would imagine on a situation like that.

Robert Baugh: Well, this is one of the interesting things as well. And I mentioned this in my response to the consultation that the UK Government put forward papers before Brexit, talking about the massive importance of data driven trade between the UK and the European Economic Area. They said this has to be continued is paramount, the adequacy is maintained and what came through from the consultation from the ICO, but also from business around the UK and our new commissioner who I’m a big fan of from his listening tour he said it's clear everybody is absolutely wetting themselves that we’re going to lose adequacy. We have to keep adequacy. And when he was actually the New Zealand commissioner on the New Zealand website there talking about, it’s basically like a free trade deal, giving a massive competitive advantage to New Zealand in the area. So, it is a huge thing.

Andrew Rawlins-Catterall: And I suppose the biggest thing that I've noticed with the SRI and DPO just going back to that and sort of wrapping that part of the conversation up is the SRI has to be internal. Now at the moment with a DPO, you can outsource that, but that's not possible with an SRI.

Robert Baugh: No, but I think you're right. But I think the cascade we were talking about earlier, about conflict. So, I don't know why the conflict provisions in there, I really think it's just ridiculous because most DPOs are conflicted because people get the DPO to do, it’s become shorthand for data protection expert. So, they get an external consultant not just to act as DPO but to actually do stuff, which is conflicting, but they do it because. So just taking away the conflict aspect would just make it all so much better. But you're because of that cascade, the SRI is going to be conflicted de facto. I don't know how they're going to square that circle. They shove it down to people who can't be conflicted. That's probably going to be an external person again, particularly if you're in a small organisation, you don't carry loads of fat. You're very lean as an organisation, so everyone there actually affects us and does stuff and therefore they're conflicted.

Andrew Rawlins-Catterall: Sure. I mean, we've gone through so much today. I suppose, really for organisations, businesses right now, if you were to sum up perhaps three to five points of practical advice that businesses can take and implement and sort of learn from this session, what would that be, those points?

Robert Baugh: So, I think the top one is don't panic, continue and do the privacy compliance projects that you're doing at the moment.

Andrew Rawlins-Catterall: That's a very British answer. Keep calm and carry on.

Robert Baugh: Yeah. And the second thing I would say is get senior sponsorship in your organisation because you don't want to not fall foul. You want to make sure that you can do the change project that is making sure GDPR compliance goes in. Privacy is rapidly catching up with security, security, they realise it's a domain on its own, there's all this different spend, all these different providers, all these different tools, everybody has to look at it. It's run centrally and you don't ask a marketer or a legal person to do their own security because they don't know the difference to be a firewall and a VPN and I can say that because I'm a lawyer, but, you know, you get security to do it and security says this is what you're using and this is the password manager or whatever. So, it's the same with privacy. You don't say to market, they don't know whether the contracts comply with GDPR or not. You've got to run it as a central thing. You've got privacy coming through as a domain on its own rapidly catching up with security. So, get sponsorship for that, senior sponsorship to be able to do that change management process. Next thing is do your records of processing activities because one of the things in the consultation that was again incorrect was they were saying it’s duplications to do your Article 13, 14 notices to individuals and to your article 30 records of processing activities and to do your privacy policy on websites it's not, you do one inventory of what am I doing with the data and then that's what you use to create the other stuff. Do your records of processing activity, that's not going to change and that's the fundamental cornerstone. That's where everyone is at the moment. They're all moving from spreadsheets to software, specialist software. So, get your records of processing activities right, that flushes out your transfers. Like we mentioned, it flushes out your processes. Like we haven't been talked about too much.
It flushes out where you need to do a risk assessment. How do you know? Even under the new regime, there's a likely high risk? I need to do a risk assessment. If you don't know what the processing activity is, you're doing. So senior sponsorship for sure, do your data protection inventory however you do it, preferably in software because it's easier and then have a good answer. Understand what your answer is going to be to the external world be it a customer partner, an auditor regulator, so that you can, helps you also channel everything and bring it together.

Andrew Rawlins-Catterall: That's brilliant advice. Thank you, Robert. And obviously you’ve helped clarify and really bring to focus some of the key aspects that businesses need to focus on, which I’d expect nothing less from someone like yourself. So, thank you so much for joining us today and providing your expertise on this and I'm hoping to have you back as well.

Robert Baugh: Delighted.

Andrew Rawlins-Catterall: That's great. We'll definitely get you booked in again. And that concludes this instalment of Tech Leaders. We look forward to having you join us again in the near future but for now farewell.