Law Society event hears there is no tick-box route to compliance with the new data protection regime – and 25 May will be the start, not the end of the process.

Anyone hoping to leave Chancery Lane with a cut-and-paste guarantee of conformance with the new data protection regime coming into force on 25 May would have been disappointed. During an often lively debate, speakers at the Law Society’s final GDPR readiness event emphasised that compliance with the General Data Protection Regulation coming into force in 19 working days is not a matter of ticking boxes. Rather, it is unique to each individual enterprise – and involves cultural changes that will continue long after the regulation comes into force.

Michael Cross

Even the organisation with the job of enforcing the new regime, including its massive new maximum penalties (of which more later), admits to uncertainties. ‘We won’t have all the answers on day one,’ Richard Nevinson, policy and engagement manager at the Information Commissioner’s Office (ICO) told the event. He characterised the regulation as ‘principles-based legislation’, with not necessarily a right or a wrong way of achieving those principles. ‘Following a template is not necessarily going to guarantee that you are going to meet the requirements,’ Nevinson said.

The picture is complicated by the fact that the bill to replace the 1998 Data Protection Act with legislation mirroring and extending the GDPR is still going through parliament.

Of course, some certainties about the new regime do exist, and authoritative free information is available to set firms on the road to compliance (see the checklist below).

The first certainty is that the GDPR takes direct effect as an EU-wide law on 25 May, with no period of grace.

The second is that the UK government is determined to preserve alignment during and after the Brexit process. It was not always so enthusiastic: an aide to David Cameron once described the regulation as a ‘demented’ piece of legislation which would cripple Europe’s already sluggish digital economy. However, the climate has changed and the Data Protection Bill is one of a handful of pieces of new legislation granted time in the parliamentary calendar alongside the EU withdrawal bill. The aim, of course, is to maintain the UK’s ‘adequacy’ status so that personal data can continue to flow to and from the EU after March next year. However, the bill also includes some UK-specific extensions and protections, including a derogation for legally privileged material from subject access requests. As the Gazette went to press the bill was awaiting a date for its report stage.

Richard Nevinson: ‘template won’t guarantee meeting the requirements’

A final certainty is that the new regime will tilt the balance of the law more towards the interests of people whose personal data is stored and processed – data subjects – rather than data processors or controllers. While the principles of data protection remain the same as under the 1998 legislation, the GDPR introduces a raft of new obligations on the way data subjects are informed of their rights and on dealing with their requests for information, alteration or deletion. For example, the time allowed to comply with subject-access requests for data is cut from 40 to 30 days.

At the Law Society’s preparatory half-day event, aptly named ‘down to the wire’, Nevinson was careful to deliver a reassuring message. The change in regime is ‘evolution not revolution’, he said – a line that has emerged repeatedly from the ICO over the past year. Nevinson’s boss, information commissioner Elizabeth Denham, has said: ‘I have no intention of changing our proportionate and pragmatic approach after 25 May. Voluntary compliance is the preferred route.’ Echoing that message, Nevinson noted that the number of fines the ICO levies annually is only in double figures. ‘We don’t anticipate any change to that,’ he said. The regulator would reserve its punitive powers for ‘those organisations who choose not to cooperate, or show deliberate disregard for the law.’

On the possible multi-million-euro fines, he said: ‘It is not our aim to put organisations out of business. If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR.’

So far, so good. The big snag, however, is that the GDPR regime introduces a whole new spectrum of misdemeanour.

The key concepts are accountability, with a new requirement to document how you are complying, transparency and ‘data protection by design’.

Subjects must be told the basis on which their information will be processed. Thanks to the barrage of ‘opt-in’ emails currently filling up inboxes, the most familiar is consent. However, Nevinson stressed that consent is only one of six lawful bases and will not be appropriate for many law firm purposes. (The other five are performance of a contract, compliance with a legal obligation, the vital interests of the data subject, legitimate interests of the data controller, and public interest or exercise of official authority.) The Law Society’s guidance notes that the GDPR makes the consent criterion significantly more stringent than in the past: firms can no longer rely on pre-ticked boxes, infer consent from the lack of objection or rely on one consent to cover a range of processing activities. Consent must also be capable of being withdrawn as easily as it is given.

An important new duty is timely breach notification: the ICO must be notified within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals. Data subjects must be notified ‘without undue delay’. However, Nevinson noted that ‘high risk’ was ‘quite a movable target – you will have to exercise judgement’.

Hard-pressed partners and sole practitioners already coping with an unforgiving regulatory regime could be forgiven a sense of frustration at having to chase ‘movable targets’.

The conference heard calls for the publication of compliance material, such as privacy notices, that would be specific to the sector. However, when asked by the Law Society’s technology policy adviser Tim Hill whether specific guidance would be forthcoming, Nevinson said: ‘I wouldn’t like to commit to that at the moment.’ In the interim, Hill commended the ICO’s 12-step guidance and the Law Society’s own checklist: ‘As we move into the next phase the work we have done will start to crystallise into sector-specific guidance.’

In the meantime there is an important safety net. Both the ICO and the Law Society stressed that firms that document their decision-making about data privacy will be in a much better position if their decisions subsequently turn out to be at odds with the way the regulation is being enforced. For example, the Law Society has advised that most firms will not be required to appoint a data protection officer under the GDPR – but that they should evaluate their data processing against the criteria for the mandatory appointment, document their decision and continuously review the decision. Nevinson agreed: ‘It is important to document that decision [not to appoint], and the reasons,’ he said. He also noted that there are ‘certainly advantages’ to appointing a data protection officer voluntarily.

Conference attendees also had the chance to question representatives of a range of organisations about their experiences in drawing up action plans: a high street firm, an international giant and a large local authority. A common concern appeared to be the risk of falling foul of the GDPR’s provision that personal data be kept ‘no longer than is necessary for the purposes for which the personal data are processed’. (Though of course this already exists as the fifth data protection principle.)

Peter Wright: no one would get into trouble for keeping a will indefinitely

Chair Peter Wright of specialist firm DigitalLawUK responded that the key words were ‘necessary for the purposes’ – no one would get into trouble for keeping a will indefinitely. Judith Gower, a solicitor in the commercial law group at Hertfordshire County Council, mentioned another special case – children’s services records, which are kept for 99 years in case of later investigations or inquiries. At the opposite end of the spectrum are some HR records such as unsuccessful job applications.

Mark Pentecost, of Berwick firm Sanderson McCreath & Edney, found that his audit of the firm’s information revealed that most files were being kept for 12 years. ‘We’re having a major clear-out, it’s amazing what you find,’ he said. However, the conference heard that some firms had discovered that older case management systems do not allow a ‘hard delete’ of out-of-date files. At global firm CMS Cameron McKenna Nabarro Olswang the situation is complicated by systems inherited with recent mergers, Valentina Zoghbi, head of risk and compliance, said. ‘We close a file automatically if it has not had any work done for six months,’ she noted. Any lawyer requesting reactivation will have to explain what they intend to do with the information – in itself a good discipline.

Again, the important thing is to document what you are doing, said Wright. ‘If your policy says keep data six years and it turns out you’ve been keeping it for 20 years, that’s a problem.’

DigitalLaw consultant Heather Anson summed up the overall lesson. ‘What the ICO is demanding from you is to think about it – and write down what you thought about it. We all want specific answers,’ she said – while reminding delegates that the most common answer lawyers give to clients asking for yes or no is: ‘It depends… This is a process, not something you have to do right as of 24 May. Do the best you can until you know better, and when you know better, do better.’

LAW SOCIETY’S GDPR CHECKLIST

The 12-step list summarised here covers the ICO’s basic guidance.

1. Awareness and training. Ensure that decision-makers and key people are aware that the law is changing, appreciate the impact it is likely to have and identify areas that could cause compliance problems.

2. Information you hold. Document what personal data you hold, where it came from and who you share it with. Firms with fewer than 250 employees need to document only those data processing activities that: are not occasional, could result in a risk to the rights and freedoms of individuals, or involve the processing of highly sensitive ‘special category’ data.

3. Communicating privacy information. Update the firm’s privacy notices to comply with the GDPR. This must be provided at the time personal data is obtained and should include the right for the data subject to withdraw their consent at any point where consent is the basis for processing.

Law Society technology policy adviser Tim Hill

4. Individuals’ rights. Check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests. Update procedures and plan how you will handle requests to take account of the new rules. Clients should be able to access their personal data easily and in a concise, transparent and intelligible form.

6. Lawful basis for processing personal data. Firms should identify the lawful basis for processing, document it and update privacy notices to explain it.

7. Consent. Under the GDPR data subjects must be able to withdraw their consent to processing at any time and withdrawing must be as simple as granting it.

8. Children. Firms that process children’s data should pay particular attention to data protection by design. Privacy notices for services provided directly to children must be written with their understanding in mind.

9. Data breaches. Firms must have the right procedures in place to detect, report and investigate a breach of personal data. They should consider pseudonymising and encrypting the personal data they hold.

10. Data protection by design. This means that data controllers must put in place appropriate measures to implement the GDPR’s six data protection principles.

11. Data protection officers. Consider whether the firm should appoint a data protection officer on a mandatory or voluntary basis.

12. International. Firms operating in more than one EU member state should map their decision-making regarding data processing; firms sending personal data to third countries will need to consider ‘adequacy’ arrangements, or in their absence, binding corporate rules.

The full checklist is available here.
