The Journey Towards Effective Data Protection With Deborah Bowers

  • 21 May 2024


The data space is constantly in flux, and the regulatory landscape struggles to keep pace. 

The rise of technologies like AI, big data, and the IoT has sparked concerns about data privacy and security, making lawmakers revisit and revamp existing regulations. 

The New Data Protection & Digital Information Bill aims to modernize and adapt data protection laws. Changes in terminology, obligations, and the role of responsible individuals highlight the bill's ambitious attempt to address contemporary challenges. 

Nobody can discuss these changes better than Deborah Bowers. Her legal consultancy and advisory services offer comprehensive solutions and a voice for data management.

We are more than honored to have her with us to discuss her journey and some new trends in data protection.

Hello Miss Bowers! 

Q1: What was your motivation behind the career you chose, and what advice would you give to young aspirants interested in data laws?

Bowers: I have always wanted to be a lawyer from my childhood. I was motivated by shows such as Perry Mason and Paper Chase and other legal dramas on television as I was growing up. I saw and understood that law reigned in every aspect of our lives. As a child I was brought up on the laws of the Bible, the Ten Commandments as we all know them, and as an adult, I saw how the lawyers of the land affected our transactions and dealings with each other. So I was inspired to be a lawyer.

I commenced my career as a Private Client Lawyer, as I wanted to help people navigate the real world. I am still motivated by that desire. For example, I have written a book, “How to Write a Tax Efficient Will”, to help people understand how to save inheritance tax when writing their Wills. I then became a Crown Prosecutor in London, and after 9 years in that role it became clear to me that I just needed a world where there were no crimes.

As that appeared to be a desire for the impossible, I took voluntary redundancy and moved on. I then got an opportunity to work in telecommunications law with a Regulator. This was an exciting time in my life as I learnt about OTP, over the top services, 5G and the Internet of Things. I truly enjoyed that role for 4 but sometimes life gets in the way and I had to move on.

I looked around and realized that Data Protection was the way forward. It required an understanding of cyber security and law, and sought to preserve the rights of others. It fitted within what motivates me as a lawyer and I got certified with IAPP. I completed my CIPP/E and CIPM and also my EU GDPR Practitioner Program.

The advice I would give to those interested in data law is to understand that data protection is broad. There is the aspect where you can work as a lawyer, negotiating commercial contracts and ensuring that the legal requirements are met, whilst at the same time balancing risk to your organization. This involves negotiating an indemnity based on the risk appetite of the organization should a data breach occur etc. 

The other aspect is the skill of drafting policies and procedures. It is more within the administrative parameters of data protection. The keeping of records, responding to data subject concerns etc. 

The third aspect is the technical side. This involves the knowledge of cyber security, understanding how phishing works, spam, etc. 

You need an understanding of all three areas, but you can specialize in any one of these areas.  

Q2: Drafting policies and procedures for data protection for SMEs seems a bit complicated. What key elements do you prioritize while doing so?

Bowers: One of the key things I learned from working in this area is understanding what the policy is of the organization you are going to be drafting the document for. This is the vision and mission at Board level. Once that has been understood, one is able to identify and document what values the company holds.

The next step is to navigate how the company will ensure that its vision, mission and values are adhered to through the procedure which is being drawn up. The procedure identifies who will be responsible for within the organization. It provides direction to new joiners should they need assistance or guidance in relation to the procedure to address a matter within the organization. 

The key elements which I prioritize are based on the gaps identified and the level of risk associated with that gap. For example, if I have conducted a data protection audit and have identified that the company has no data subject rights policies and procedures, I know that this is a key compliance issue. Your Privacy Notice should inform data subjects as to what their rights are.

Not having a policy or procedure to address data subject rights is a serious regulatory breach, which could result in fines, loss of reputation etc. I therefore set about resolving that as it posed the highest immediate risk and continued from there. 

Q3: You've authored a booklet on "Stress-Free Data Protection Impact Assessments." What inspired you to create this resource?

Bowers: My book A Guide to Stress-Free Data Protection Impact Assessments was inspired by my observation that people shy away from DPIAs. You just mention the word and it is presumed to be complicated. I wrote the book to help people understand their role in the preparation of the DPIA.

By this I mean, if we are trying to assess how effective a procedure within the company is in relation to the protection of personal data and that process starts with the receptionist, we need the assistance of the receptionist in preparing the DPIA. We need to know what she does with that data when she picks up the phone and says hello to the client who has called in.

Does she record the data anywhere, does she take the name, address, contact details of the customer? Where does she record it? Why does she need it? Who does she pass it on to? Which department uses that data? Who will have access to the data? Where will it be stored?

What security measures are we going to apply to protect that data once it comes into our possession? Do we need consent to hold this data? Are we required to keep it by law or are we keeping it in our legitimate interest? How long will we retain it? How will we dispose of it? Etc.

You see from this simple example that the receptionist was an important part of the DPIA. I wanted staff to realize that anyone who comes into contact with that data is of importance in the preparation of the DPIA, not just the technical team or the managers. The book seeks to demonstrate that in the simplest way possible.

Q4: What challenges have you encountered when advising companies on data protection matters, and how have you overcome them?

Bowers: I absolutely love advising on the law related to data protection. There are so many aspects to think through, the law, the risk, the liability, but what I have found is that my training in other areas such as criminal law, commercial law and telecommunications law have all contributed to me giving the best advice possible.

For example I had to advise a foreign data protection authority requesting data from a website because one of the website subscribers was breaching the law and committing a crime in the foreign jurisdiction. During my advice, I recalled that there were provisions in law for dealing with international crime. This meant that the procedure which that authority had followed by coming directly to the website was incorrect.

They should have followed the International Crime Prevention Protocols. Then I looked at the terms and conditions for the use of the website to see whether any of those terms had been breached. That would be another way to resolve this matter, by finding a breach of the terms and conditions of use. 

In the end I advised the company to redirect the foreign government agency to the International Crime Protocols thereby avoiding breaching the rights of the data subject. The website was however free to address the matter under the terms and conditions of use.  

Bowers: My diverse legal experiences have certainly given me an edge in my field. Whilst I am working on an issue, it dawns on me that it is connected with another aspect of law which may assist me in resolving the issue. I am then able to draw upon all those areas to my advantage. 

Q6: How do you effectively communicate complex data protection concepts to clients with varying levels of understanding?

Bowers: To communicate complex concepts, I use everyday and commonly shared experiences. We all know that if you want to protect your money you do not walk around with an open wallet. Data is like your money in your wallet. People can use your data, pretend to be you to gain access to goods and services. We therefore do not walk around providing our data to everyone, not knowing how they intend to use it and once they have it how they intend to protect it.  

Bowers: There is always the risk of legal challenge about anything. Sometimes it is well founded, sometimes it is malicious or vexatious. I would say that customer service is key in this regard. People want to be and feel respected when dealing with an organization; give them that due regard and by so doing reduce the possibility of any nuisance which may follow.

Q8: The New Data Protection & Digital Information Bill mentions changes in obligations, including regulations made by the Secretary of State and adjustments to reporting timeframes. How do you think these changes will impact data protection compliance and enforcement?

Bowers: The changes are positive in that they require more Board participation. Under the current law, Board participation is not demanded, save for the DPO having access to the Board or reporting directly to them. Under the new Bill the Senior Responsible Individual (SRI) must be a member of the Board. This person can then delegate the task of the role to ensure compliance. 

Having the Secretary of State amend the law allows for shortfalls or loopholes to be dealt with in a speedy manner. For example the Department of Works and Pensions was experiencing the challenge of needing the consent of persons who wanted to claim benefits to obtain details from their former employer. This is no longer required and the DWP can now obtain that information without consent of the data subject to enable it to assess eligibility to benefits. 

Future challenges of this kind will be easily and swiftly resolved by the Secretary of State. 

Q9: The bill introduces exemptions for accessing sensitive personal data about political opinions for democratic engagement. What considerations should organizations keep in mind when utilizing this exemption?

Bowers: This exemption is limited to direct marketing for the purposes of political engagement, recall of petitions, accredited campaigns etc. People are passionate about their causes and this exemption for democratic engagement allows persons to be marketed to within areas of their interest.

The restrictions of the provision must be adhered to as the marketing must not be commercial. Should there be any loopholes being exploited the Secretary of State may amend the rules surrounding this level of engagement appropriately. 

Q10: What do you think would be the European Commission's response to the bill? What factors will influence the Commission's evaluation, and what outcomes are you expecting?

Bowers: To my mind the Bill does not do away with or water down the requirements of Data Protection. It still applies to Controllers and Processors, and public bodies which carry out processing likely to result in a high risk to the rights and freedoms of data subjects, except courts or tribunals in their judicial capacity.

The initial purpose of the legislation was to guard against high risk and that remains at the heart of this new Bill. Changes in terms used are more evident than changes in substance. For example the use of:

  1. The Senior Responsible Person has replaced the Data Protection Officer. 
  2. Identifiable natural person has been replaced with Identifiable living individual 
  3. Respond within a month has been replaced with before the end of the applicable time period 
  4. Data protection impact assessment has been replaced with Assessment of High Risk processing. 

Q11: The new bill is the talk of the town. How do you think the amendments proposed by the bill will impact data subjects' rights and expectations regarding their personal data?

Bowers: I have not seen anything in the Bill which diminishes their rights of access, rectification etc. What I have noticed is the granting of greater rights to organizations such as the DWP to enable them to perform their role, and greater emphasis on national security. 

Q12: Lastly, what’s your go-to strategy to stay motivated about your work? 

Bowers: This area of work is dynamic and continuously developing. When I face the day I never know what I will come across for the day. Now it is AI, tomorrow it may be blockchain and data protection, or a twisted legal scenario which I must unwind to find the solution. Once it causes me to think deeply about the parameters of the law I remain motivated. A dull day is one which has not challenged my thoughts on matters of the law.

Deborah Bowers is a Senior Privacy Consultant in the UK with 20+ years of experience focusing on Data Protection and Telecommunications Regulation. You can reach out to her on LinkedIn.