Teacamp: Jacqui Taylor on GDPR

Dr Jacqui Taylor:

it's amazing when we look at how we got here - I was originally in the cabinet office in the attic, now we have the open government partnership - working to make government transparent

last time I was here was talking about bulk release of open data, and came to teacamp asking for people to help. Local Government delivered in 6 weeks

as a result of that, Francis Maude created 30 open data champions and that has spread further

I work in the European Council - my official title is Agent Provocateur and I work on the digital single market with the 28

I have worked with GDPR since 2014

GDPR grew out of the transparency agenda for making government accountable, but we won't make data open when it is personal data

there has been a lot of GDPR snake oil - I want to debunk some

people say "GDPR is like Y2K" - Y2K was a technical problem to solve based on an error; GDPR is about the Digital Single Market - a new governance model for personal data

GDPR is an enablement capability

Myth: GDPR went live 25th May 2018 - no, we have been working on it since May 2016; the rest of the world woke up early this year

the Data Protection Act from 1998 is not sufficient for the modern web

I cofounded the data journalism industry, and Snowden made it visible, with Cambridge Analytica making it more obvious

Service Design is at the core of this transformation - civic design first

We built GDPR as an enablement and an opportunity

Another GDPR Myth is that you can just switch to a new version of your backend. You need to demonstrate compliance, and showing how you deal with subject access requests is key

You also have to prove that you have deleted data that you are required to

another Myth is that GDPR can't be policed; the Information Commissioner has had teams out doing risk assessments already

From an information security point of view you can't pass off the risk as a data controller to a processor - the cold calling industry was against GDPR rules as they were set up

GDPR is about building our web world with privacy at the core - so citizens can trust us

once we get to IoT and distributed models, the traditional trust model doesn't fit

you have enabled devices in your house - I have seen an electronic doorknob that wants you to register your family name and address - the opposite of privacy by design

Secondary processing is not allowed - you have to have explicitly got permission for any processing you want to do

The payoff from GDPR has been a big reduction of email after I didn't re-engage with anyone who mailed me

Making sure that local government engagement has been defensible on legal grounds was key

from a UK PoV in May 2017 we launched the NHS GDPR service to enable it for Trusts who are all transactionally based

If you move on from an OpenData agenda to a Shared Data agenda, you are looking at it from a security point of view

85% of EU cities are 250k to 500k - I have written a White Paper on governance for cities

The first city to launch with this standard was Dubai; the first nation was Russia

This shows that this is a global market for how privacy should be handled

China is going to build 200 new cities and retrofit 250 existing ones, based on these privacy models

Keep an eye on my tweet stream for events UK wide


you mentioned IoT and GDPR - good examples of a city there?

Dr Jacqui Taylor:

These all end up in Asia; Japan and China - we bring back learnings from their construction

This is going to be a big project before brexit and setting the baseline for that too.

you don't start by transforming the whole of Yorkshire, you build on what is already there - an All Party Parliamentary Group is the best way

Sarah Baskerville:

where are we going to see the biggest GDPR failures?

Dr Jacqui Taylor:

The ICO has worked to encourage the big companies to comply first and give smaller ones a breather

anyone who hasn't started thinking about this when you have had 2 years to get ready is likely to get into trouble

Sarah Baskerville:

The stuff that has been happening at TSB has been shocking - sending sensitive information to wrong customers etc

Dr Jacqui Taylor:

The correspondent banks have had a lot of new regulations with Open Banking etc already, so the GDPR changes look makk

Even with the whole TSB saga, very few accounts switched


the number of online services over 15 years that haven't been DPA compliant; suddenly this is at the top of their radar

Dr Jacqui Taylor:

for most people the web has made things more complicated - from the EU 28 point of view this was for setting a new basis of practice

In local government we have taken this seriously since 2016


does GDPR bring in a lot more into personal data?

Dr Jacqui Taylor:

The lanyard model for who can be photographed is a model for data protection without too much process


there is a worry to do this properly you need to do a lot of record keeping

Dr Jacqui Taylor:

If you look at the GDS process, you can see how to do this without too much data collection


how much does this apply to what you already hold?

Dr Jacqui Taylor:

if you haven not demonstrated compliance for what you already hold, then you have a problem.