Thursday 14 September 2017

Talk from Naomi Korn: Nuts and bolts of information law compliance – copyright and GDPR

This blog post covers our talk by Naomi Korn on 16 August 2017. With thanks to Fiona Watkins for writing this piece!

The event began well with savoury nibbles, cakes, biscuits, drinks and time for the early arrivals to shake off their journeys and chat if they wanted to. Having arrived a few minutes early courtesy of train timetables, I was one of the first to arrive and received a warm welcome from one of the Thames Valley committee members. The event was advertised to begin at 7pm, although the talk did not start until after half past, which allowed time for late arrivals and for some networking to take place. Shortly after 7:30 we were ushered into a small lecture theatre to discover more about copyright and GDPR.

Naomi began with some of her background, and her passion for both copyright compliance and GDPR data protection became immediately apparent. She was keen to inspire her audience and also to reassure us that our existing processes and procedures are most likely working well, so that the reform of data protection should not be a scary prospect! After a show of hands to see whether to focus mainly on GDPR or copyright, Korn gave a brief overview of copyright compliance, recapping the Naomi Korn Copyright Consultancy (NKCC) Compliance model[1] and ensuring that we all understood how the model worked. The majority of the evening was spent looking at GDPR, which will be translated into UK law in May 2018. NKCC is working in partnership with Content Clear, a data protection and GDPR specialist provider, and Naomi believes GDPR lines up really well with the compliance model used for copyright. Naomi is a firm believer that copyright and data protection are an organisational issue, not simply a matter of legal compliance, and the compliance model illustrates this really clearly.

GDPR gives greater transparency in data protection obligations and responsibility, and broadly speaking, if your company is compliant with existing data protection laws and has a customer-focused ethos, compliance with GDPR should not cause huge issues. GDPR covers paper and electronic records and builds upon the 8 principles of data protection. GDPR increases the responsibility of companies to keep data secure and also increases citizen rights in relation to data protection. Accountability in relation to data protection is becoming stricter: for example, when an organisation is collecting data and making it available, privacy must be designed into the process, including considering and justifying why the data is being collected and where and how it will be shared. Fines for breaches of GDPR are likely to be higher. Citizen rights are also being increased in terms of what they can expect and request, e.g. deletion of data from systems. Naomi highlighted the ICO next steps information[2] as an important document to read. She urged us to consider whether we, as a data collecting organisation, could deal with an individual's right to be forgotten and have their personal data deleted. The GDPR legislation gives better recognition to children in relation to their data protection, and to the importance of consent from parents and guardians. Compliance with GDPR needs support from all elements within the organisation.

A large part of the event revolved around Naomi's 10 top tips, although as the observant amongst those reading this will realise, we soon moved past the limit of 10 tips!

1) GDPR and copyright are organisational compliance issues, not individual ones.
2) It is unlikely that GDPR compliance will be completely achieved immediately; it is a process, and process equals time.
3) Copyright is a balanced relationship between compliance, pragmatism and ethics; GDPR is similar and becomes a risk management issue whereby we aim for complete compliance, focusing on areas of higher risk first.
4) Be proportionate about what we do; do your best to comply, but remember that as information organisations we are likely to already be fairly well advanced.
5) Project management and privacy by design are essential, e.g. plan privacy into all aspects of projects: how are you mitigating risks and ensuring that GDPR is built into contracts and licences?
6) Monitor, review and keep up to date as an organisation.
7) Ensure that you have training and strategies in place to raise awareness of the changes; this needs to be embedded throughout the organisation, and regular refresher activities need to be in place, avoiding complacency!
8) Remember that GDPR applies to paper and electronic records.
9) The policy section of the compliance model is not simply about writing a GDPR policy; many other policies will be impacted and therefore need reviewing.
10) Read the ICO website for further information, but don't be overwhelmed by the amount of information available. Naomi recommended that we begin with the 12 steps diagram previously mentioned.
11) Carry out an information audit: what have you already got, where is it stored and who can access it? This will enable us to move forward organisationally and see what changes need to happen.
12) Exemptions: there will be some, but as yet we don't know what they are! They are expected to be broadly similar to existing data protection exemptions, but an announcement of the exemptions is not expected until at least September. Commercial activities and sharing data outside of the organisation are likely to be areas of higher risk.

The final aspect of the session involved, unsurprisingly, questions from the audience. One topic touched upon was the "right to be forgotten" in relation to things such as library fines; Naomi believes that this sort of issue will be covered via the exemptions when they are announced. Brexit was mentioned (when is it not nowadays?), but this will have no impact on the adoption of GDPR as it will be transposed into UK law. Finally, the likelihood of prosecution was discussed, with Naomi feeling that using the compliance model will reduce the risk. If we deal with areas of higher risk first, e.g. losing data or sharing data with people/companies that we shouldn't, then the process will hold less chance of prosecution.

Naomi's final word of advice was to breathe in the change rather than panic over it; generally, the types of institutions that were represented are already data protection compliant, and the move to GDPR is unlikely to pose a big challenge.

Fiona Watkins - Digital Resources Manager, University of Northampton