Implementation of the new General Data Protection Regulation (GDPR) regime is only eight months away and, like other providers of professional services, lawyers need to get to grips with the impending regulation to ensure both their own firm’s compliance and to advise clients on complex new obligations.
The government’s recently published statement of intent on a new Data Protection Bill underlined that the GDPR is here to stay, even after Brexit. The government wants the bill to highlight not only its commitment to bringing data protection law up to date, but also the need to address rapid technological advances and unprecedented scale of data flows that have taken place since the Data Protection Act 1998 (DPA) was introduced.
The bill will repeal the DPA and implement the GDPR in full. It will also contain a number of GDPR derogations, including the introduction of new criminal offences. The government’s objectives in reforming the legal framework are threefold. First, it wants to maintain trust between organisations and the public around use of personal data. Second, it wants to enable the continuance of data-flows between the UK, EU and the rest of the world, which is critical for global trade and the economy. Finally, it aims to ensure that the UK can continue to share and receive data with other member states for security and law enforcement purposes.
The government has said the new bill will ‘allow the UK to continue to set the gold standard on data protection’ so that consumers have ‘confidence that Britain’s data rules are fit for the digital age in which we live’.
Despite the government’s statements, however, guidance from the Information Commissioner’s Office (ICO) on the GDPR is still slow to emerge. While there are six lawful bases for processing personal data, there has so far only been guidance on one of these (consent), and that is only draft guidance with the final version not expected until later this year.
The full text of the proposed Data Protection Bill will probably not be available until the beginning of October, and even then there will be substantial debate. All of this presents organisations with a dilemma. When should they gear up for compliance? Should they wait until more guidance is issued and further details of the bill are published, or should they start now?
Despite the lack of clarity, hesitating could be a mistake. With the introduction of a new accountability principle requiring organisations not only to comply but also to demonstrate compliance, and to embed privacy into their data-processing activities, there is much to be done. The GDPR is undoubtedly more onerous than existing data protection legislation, and the concepts of privacy by design and privacy by default require a shift in the mindset of organisations towards data protection.
Organisations need to be proactive. The GDPR calls for organisations to review practices, systems and procedures and to put comprehensive but proportionate governance measures in place for all data protection activities. The requirement for transparency and enhanced data subject rights mean that the interests of data subjects need to be prioritised. There is no ‘quick-fix’ solution.
Scaremongering and real risks
But there is no need to panic. While there has been much publicity around the substantial fines, the ICO launched a PR campaign in August aimed at ‘sorting the fact from fiction’. That the ICO is favouring a ‘carrot’ as opposed to a ‘stick’ approach is underlined by its rejection of ‘scaremongering’ reports that claimed early examples would be made of organisations committing even minor breaches and that the ICO would be dishing out massive fines as the norm.
It is easy to forget among all the noise around GDPR that the regulation requires organisations to put into place comprehensive but ‘proportionate’ measures. A balancing exercise is needed to examine the processing and the effect of the activity on an individual’s rights and freedoms. That being said, the ICO is unlikely to be sympathetic towards an organisation which displays complete ignorance about data protection.
So if the ICO is going to adopt a measured approach to imposing fines, using them ‘proportionately and judiciously’ as a last resort, what is the real risk to organisations? The answer is probably reputation, as in the case of the fines handed down to TalkTalk. What GDPR will do is hand back control to data subjects in a power shift that could be likened to the ‘TripAdvisor effect’ in the hospitality and leisure sector.
Consumers are able to drive business through their reviews on websites such as TripAdvisor. Businesses that have embraced the review system have succeeded, while those that hide or do not take note will be affected. The same is true of the GDPR. Those that see the GDPR as an opportunity to clean up their systems and processes, to be transparent in the way that they handle personal data and to be accountable, can derive real benefits through enhanced reputation. The trusted businesses will be those that give consumers back control of their data.
Where to start
Awareness is key and buy-in is needed from those at the top. Without this it will be difficult to convince others in the organisation that GDPR is a priority. It is important to remember that data protection is not just an issue for IT or legal departments – otherwise it can be very difficult to embed data protection principles within an organisation.
There needs to be an understanding of the requirements throughout an organisation, from the boardroom, across the HR, marketing, sales, procurement and IT departments. It is therefore advisable to have a privacy team comprised of representatives from different departments and to implement a training programme for staff that gives them information in a digestible format tailored to their requirements.
Carrying out a data audit is crucial. Unless the firm knows what personal data it holds and what is done with it, it will be difficult to make any inroads towards compliance. How can an organisation be transparent and comply with the data protection principles if it does not know what personal data it holds, who can access that data, what it does with it and where it goes? An organisation should map the flows of personal data internally as well as in its supply chains and maintain records of its data processing activities, even if not strictly required under the GDPR.
Supplier contracts that involve the processing of personal data need to be reviewed because it is unlikely that they will contain the contractual provisions required by the GDPR, and renegotiation of contracts will not be an easy task. Protracted negotiations are inevitable as both sides try to shift the liabilities.
This underlines that organisations need to consider their approach to risk and liability in light of the significantly increased financial penalties. The party designated as a ‘controller’ under the regulation will likely demand that the party established as the ‘processor’ accepts unlimited liability for data breaches. This is due to the risk that, despite the direct liability of processors under the GDPR, the regulator will pursue the controller rather than the processor.
And as for the lawyer’s favourite – indemnity clauses – these will be making a frequent appearance. Over time it will be interesting to see the approach that lawyers take to liability for data protection. In the meantime, organisations should revisit insurance policies to check whether they are covered for data protection and security breaches and the extent of the cover. This should be considered when negotiating liability.
Not a ‘tick-box’ exercise
Procedures and systems should also be reviewed to ensure that the organisation can comply with the breach-notification requirements and that there are processes in place to deal with data subject rights requests.
Security measures such as encryption and ‘pseudonymisation’ need to be considered. Policies will need updating to ensure that data subjects are given the required data processing information at the appropriate time. The drafting of such information notices will present a challenge to lawyers as they try to set out all of the information in a clear and concise manner. A layered approach to the drafting of such notices is one that will be favoured by many.
While lawyers are used to dealing with sensitive personal information, and confidentiality is a matter of professional conduct for them, there will be few firms which already fully comply with the GDPR requirements. Data protection is no longer just a tick-box exercise. The accountability principle and the concepts of privacy by design and default mean that firms will need to get up to speed quickly and get a handle on the data that they hold, the security measures and policies that they have in place, along with the procedures for dealing with the breach notification requirements and enhanced data subject rights.
The array of terminology and concepts may make the path ahead appear complex and full of risk, but if the GDPR can achieve its stated objectives of ‘free movement of personal data’ and ‘data protection as a fundamental right’, there can be little doubt that it will lead towards a more robust personal data environment with benefits for all.
Sarah Williamson is a partner in the commercial and technology team at Boyes Turner.