Root and branch data protection reform is coming under the General Data Protection Regulation (GDPR) and it is likely to be one of the big topics that in-house counsel have to grapple with in 2017 and 2018.
Even though the GDPR is European legislation and following the triggering of Article 50 divorce proceedings with the EU, the Government has confirmed that the GDPR will still be implemented in the UK. The GDPR will be in full effect in the UK from 25 May 2018. Whilst this may sound a long way off, in light of its wide ranging effect the clock is now ticking for businesses to ensure that they are compliant in time. In-house counsel are likely to be at the coal face of advising the business on what the requirements of the GDPR look like, what the main risk issues are and driving forward a compliance program - either leading it or working in conjunction with the regulatory and compliance team. The job of data protection officer may also fall on a member of the in-house team.
The GDPR will apply to all businesses that process personal data i.e. information about individuals, which will affect more businesses than might first be thought. The perception is that it will only apply to consumers, but it has a far wider application than that. It will also apply to the use of personal data in the HR and IT fields as well as in a business context e.g. if you deal with any suppliers or customers who are sole traders or partnerships.
There is a stick and carrot in relation to GDPR compliance. There are some hefty fines for non-compliance of up to €20 million or 4% of annual worldwide turnover, whichever is greater. But there are also some positives. You can use your compliance to build trust and confidence with your customers and clients. In addition, if you get the right permissions you can shape your offering to clients and take advantage of Big Data, making your data work for your business. The GDPR should not therefore be seen as all doom and gloom. There are positives to be taken from compliance – and it could possibly even save or make your business money.
Some of the key changes to be introduced:
Compulsory notification of data breaches to both the regulator and the individuals affected within 72 hours of the breach happening. Breaches can range from a customer database being hacked to putting a letter in the wrong envelope.
The need to ensure that any consents are compliant and refreshed appropriately. Consents must be explicit and freely given. Each purpose needs a separate consent and individuals must be given simple easy-to-access ways to withdraw their consent at any time. Recent draft guidance issued by the ICO indicates that the ICO will take a hard line with consent and it will not be easy to obtain. This is a key area for businesses to look at.
A key provision of the GDPR is the obligation to be more transparent with individuals as to how their personal data is used – this requires a review of your privacy policies and fair processing notices. An individual should be informed of every activity and purpose for which their personal information is used, as well as information on anyone who you may be sharing the data with. The information must be provided in any easy to understand and accessible way and must be tailored for its audience.
Increased rights given to individuals to access the data held on them. Individuals already have a right to access their data under the subject access procedure. Under the new changes you will not be able to charge a fee for these requests and will have to respond in a shorter timescale.
The introduction of new rights including the right to be forgotten, which can require you to erase an individual’s information from your systems, and the right to data portability, where individuals have the right to receive their personal data from you in a commonly used and machine readable format. The right to be forgotten is not as wide ranging as you might think and businesses need to understand its scope and be prepared for any requests they may receive.
There will be obligations for some data controllers and processors to appoint a data protection officer (DPO). The DPO must be independent and have the ability to report to the highest management level. Their role will include monitoring the implementation and application of the data protection policies, dealing with requests and acting as a contact point with the ICO.
Obligations to ensure that tighter contracts are in place with businesses who process on your behalf the personal data you hold on individuals.
One size does not fit all. Compliance for each business will look different in that the data they collect and how they use it will be different. One thing which is common to all, however, is that virtually all businesses need to take action in relation to this reform, and soon. Businesses will be in a far better position if they have proactively tried to implement procedures to comply with the GDPR rather than bury their heads in the sand.
Businesses should be looking at this now, action points include:
What personal data do you have and are there any rogue (and non-compliant) databases in the business.
How do you collect personal data and what are the individuals told about how that data will be used. Is the information given sufficiently transparent? This will involve a review of privacy policies and fair processing notices.
What is the legal basis of using the personal data. Can the business bring its use into one of the lawful purposes laid down by the GDPR?
Where any data is processed on the basis of consent, the consents will need looking at to make sure that they comply with the GDPR and the new (currently in draft) guidance issued by the ICO. This will make consent tough to obtain, particularly where data is to be shared. As drafted each third party the data is to be shared with will need to be named.
The retention periods for data need to be looked at as does how often consents are refreshed. Retention policies need to be reviewed and updated.
Businesses should review how personal data is kept, whether this is by paper or electronic files, and how secure these systems are.
Data breach policies and procedures as to how a data breach would be detected and dealt with need to be put in place. These should be tried and tested well in advance of a data breach happening.
Processes need to be put in place to deal with the enhanced rights individuals have e.g. the right to be forgotten.
Reviewing contracts relating to data processing including contracts with cloud providers, mailing houses, analytics businesses.
Joanne Bone – Partner
Published: 21 April 2017
IM Connect Newsletter - Update for In-house Counsel
Sign up to receive quarterly updates > Spring 2017
For general enquiries
0370 1500 100
Or we can call you back at a time of your choice
Request a call back
Phone lines are open 24/7, 365 days a year