Teacamp: Jacqui Taylor on GDPR
it's amazing when we look at how we got here - I was originally in the cabinet office in the attic, now we have the open government partnership - working to make government transparent
last time I was here was talking about bulk release of open data, and came to teacamp asking for people to help. Local Government delivered in 6 weeks
as a result of that, Francis Maude created 30 open data champions and that has spread further
I work in the European Council - my official title is Agent Provocateur and I work on the digital single market with the 28
I have worked with GDPR since 2014
GDPR grew out of the transparency agenda for making government accountable, but we won't make data open when it is personal data
there has been a lot of GDPR snake oil - I want to debunk some
people say "GDPR is like Y2K" - Y2K was a technical problem to solve based on an error; GDPR is about the Digital Single Market - a new governance model for personal data
GDPR is an enablement capability
Myth: GDPR went live 25th May 2018 - no, we have been working on it since May 2016; the rest of the world woke up early this year
the Data Protection Act from 1998 is not sufficient for the modern web
I cofounded the data journalism industry, and Snowden made it visible, with Cambridge Analytica making it more obvious
Service Design is at the core of this transformation - civic design first
We built GDPR as an enablement and an opportunity
Another GDPR Myth is that you can just switch to a new version of your backend. You need to demonstrate compliance, and showing how you deal with subject access requests is key
You also have to prove that you have deleted data that you are required to
another Myth is that GDPR can't be policed; the Information Commissioner has had teams out doing risk assessments already
From an information security point of view you can't pass off the risk as a data controller to a processor - the cold calling industry was against GDPR rules as they were set up
GDPR is about building our web world with privacy at the core - so citizens can trust us
once we get to IoT and distributed models, the traditional trust model doesn't fit
you have enabled devices in your house - I have seen an electronic doorknob that wants you to register your family name and address - the opposite of privacy by design
Secondary processing is not allowed - you have to have explicitly got permission for any processing you want to do
The payoff from GDPR has been a big reduction of email after I didn't re-engage with anyone who mailed me
Making sure that local government engagement has been defensible on legal grounds was key
from a UK PoV in May 2017 we launched the NHS GDPR service to enable it for Trusts who are all transactionally based
If you move on from an OpenData agenda to a Shared Data agenda, you are looking at it from a security point of view
85% of EU cities are 250k to 500k - I have written a White Paper on governance for cities
The first city to launch with this standard was Dubai; the first nation was Russia
This shows that this is a global market for how privacy should be handled
China is going to build 200 new cities and retrofit 250 existing ones, based on these privacy models
Keep an eye on my tweet stream for events UK wide
you mentioned IoT and GDPR - good examples of a city there?
These all end up in Asia; Japan and China - we bring back learnings from their construction
This is going to be a big project before Brexit and setting the baseline for that too.
you don't start by transforming the whole of Yorkshire, you build on what is already there - an All Party Parliamentary Group is the best way
where are we going to see the biggest GDPR failures?
The ICO has worked to encourage the big companies to comply first and give smaller ones a breather
anyone who hasn't started thinking about this when you have had 2 years to get ready, you are likely to get in trouble
The stuff that has been happening at TSB has been shocking - sending sensitive information to wrong customers etc
The correspondent banks have had a lot of new regulations with Open Banking etc already, so the GDPR changes look makk
Even with the whole TSB saga, very few accounts switched
the number of online services over 15 years that haven't been DPA compliant; suddenly this is at the top of their radar
for most people the web has made things more complicated - from the EU 28 point of view this was for setting a new basis of practice
In local government we have taken this seriously since 2016
does GDPR bring in a lot more into personal data?
The lanyard model for who can be photographed is a model for data protection without too much process
there is a worry to do this properly you need to do a lot of record keeping
If you look at the GDS process, you can see how to do this without too much data collection
how much does this apply to what you already hold?
if you have not demonstrated compliance for what you already hold, then you have a problem.