By Timothy Hill, technology policy adviser, Law Society
OK. It’s true that under the EU’s General Data Protection Regulation (GDPR) you could be subject to administrative fines for a personal data security breach of up to 20m EUR or 4% of total worldwide annual turnover (whichever is higher). So was the Information Commissioner, Elizabeth Denham, right in her first ‘sorting the fact from the fiction’ GDPR blog to identify myth #1 as “The biggest threat to organisations from the GDPR is massive fines”?
It’s not so fine now
The current EU data protection framework revolves around the EU Data Protection Directive. The directive was passed in 1995 and transposed into UK law in the Data Protection Act 1998 (DPA). It’s supplemented by a 2002 Directive on Privacy and Electronic Communications (E-Privacy Directive) which was implemented as the UK Privacy and Electronic Communications Regulations 2003 (PECR). PECR covers such matters as marketing calls, emails and texts. The entire framework is underpinned by Article 8 of the EU Charter of Fundamental Rights under which every citizen has the right of personal data protection.
Under the DPA, data controllers including law firms are already obliged to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (seventh data protection principle). Under the E-Privacy Directive communications service providers must inform the relevant supervisory authority, and in certain circumstances, affected individuals, about personal data breaches including the nature of the breach and measures to mitigate possible adverse effects.
The gloss to the seventh data protection principle in the DPA explains that the level of security should be appropriate to the harm that might result from a security breach and the nature of the data to be protected. Data controllers should have regard to the state of technological development and the cost of implementing security measures. They should also take reasonable steps to ensure the reliability of any employees who have access to personal data and there are particular provisions concerning processing carried out on their behalf which include the need for a contract made or evidenced in writing. These are the basic current requirements under UK data protection legislation and organisations can be fined up to £500k by the ICO for data breaches.
Recent penalties include £70k from a London Council for failing to keep up to 89,000 people’s information secure on its parking ticket system website and £100k from a telecom company for failing to look after customers’ data which risked it falling into the hands of scammers and fraudsters.
Enter the EU GDPR
EU data protection reform was initiated in 2012 to update a legal framework for data protection that pre-dated the rise of social networking, cloud computing and behavioural advertising. In the words of the GDPR recital ‘rapid technological developments and globalisation have brought new challenges’ and ‘the scale of the collection and sharing of personal data has increased significantly’. Through the instrument of a regulation (directly enforceable as law in member states) a further aim was to achieve greater harmonisation between states than had been achieved through use of a directive.
The outcome in 2016 was the GDPR and a complementary Law Enforcement Directive (protecting individuals’ data when they are processed by authorities for the purpose of the prevention, detection and investigation etc. of criminal offences). A revised E-Privacy Directive is currently being finalised. Brexit is of course a factor in relation to the GDPR, but the government announced early on that since the UK will still be a member of the EU in May 2018 we would implement the GDPR, and in August it issued a statement of intent concerning a new Data Protection Bill.
Why do I need to be reminded about any of this?
Maybe you don’t. You got the bit about massive fines for data breaches under the GDPR and you think it’s a big threat even if the Information Commissioner doesn’t. You’ve already asked your information security people (or external consultants / suppliers) to make darn sure the practice doesn’t get fined or suffer reputational damage – now under the DPA or in the future under the GDPR. Of course you realise that GDPR and the new E-Privacy Directive will have a significant impact on your firm but that’s something your data protection people are project managing. Even if GDPR wasn’t coming you’d take cybersecurity, data protection and client confidentiality seriously. How much do you really need to piece together about the complex background architecture of European data protection law when you’re thinking about practical cybersecurity issues?
Information management and information security
Most senior managers in service delivery organisations would accept that information is at the heart of their decision-making and, often, at the heart of the service they deliver. This is obviously true of professional services. The intimate link between information management and information security is equally obvious. The Cabinet Office security policy framework spells it out: ‘the effective management of information is critical to safeguarding it. Government organisations will consider good information management practice as the basis for their information security arrangements.’ After all, it’s not just security breaches that attract fines. A comparison website was fined £80,000 for emailing customers who didn’t want to be contacted by email and an Essex local authority was fined £150,000 for publishing sensitive personal data in online planning documents.
Of course information management is not just about personal data. However, personal data will be at the heart of your marketing efforts (and impacted by revised e-privacy rules), your HR and finance systems, and your matter management. Your information management strategy will determine (or be constrained by) your choice of practice management, CRM or knowledge management systems. It should inform your approach to information provision on the web and your social media strategy. Making an explicit link between information security, data protection and information management in your strategic planning can therefore yield enormous benefits.
The GDPR encourages this holistic approach to data protection. In particular, Article 25 addresses data protection ‘by design and by default’ – a concept usually described by the ICO as privacy by design. In the ICO’s paper Big data, artificial intelligence, machine learning and data protection (v2) the main elements of privacy by design have both information management and information security implications. They include anonymisation, access controls and audit logs, data minimisation methods, purpose limitation and segregation measures ‘so that, for example, personal data is kept separately from data used for processing intended to detect general trends and correlations’ and keeping metadata records of individuals’ privacy preferences.
The strong link between information management, data protection and information security was also a theme of the Department for Digital, Culture, Media and Sport (DCMS) Cyber Security Regulation and Incentives Review. This review concluded that the GDPR would be key to ensuring strong organisational data protection regimes supported by strong cyber security. It announced stronger links between the ICO and the National Cyber Security Centre (NCSC) and said that government would look to ‘build formal links between the Cyber Essentials scheme and any new GDPR privacy seal’.
So, to return to the question of practical cybersecurity and the complex background framework: arguably lawyers have some competitive advantage through being in a better position than most to understand the background framework and craft appropriate and robust information management systems that align with it.
Michael Lonergan, policy adviser in the Law Society’s regulation team, has a more straightforward view of why good security is good business. ‘You should consider the following,’ he says. ‘You want to install new phone and internet services when you hear that a company has just had a massive data breach. Thousands of its customers’ data has been spread on the internet. Will you go to that company?’ So good information security in turn may also be good business. Customers and clients in other sectors are already more data aware than they were just a few years ago, so it would not be a surprise if data security becomes a real issue in deciding which law firm to choose.
So are massive fines a ‘myth’?
Yes and no. Cybersecurity is not an issue to consider in isolation but as part of good data protection and information management. That said, if you do get a massive fine under the GDPR it will be real not mythical.