20 September 2017

Don’t panic about data protection! 9 tips to steer organisations in the right direction

Data protection is a hot topic at the moment.  Some organisations may be  ahead of the game and already implementing internally some of the changes that compliance with the GDPR (General Data Protection Regulation) requires. There will be others who have not quite turned their attention to this issue. If you haven’t yet thought about data protection issues in your organisation, now is a good time to start. 

Background: Very briefly, the GDPR is an EU regulation that increases the obligations on organisations that process personal data. And to avoid any doubt, every organisation, big or small, processes personal data (employee records alone are enough). Compliance with the GDPR is required from 25 May next year. The new rules enhance and extend existing data protection (DP) law. DP used to be on the periphery of most businesses; now it is seen as fundamental, and the GDPR places it firmly at the core of any business.

Brexit (for once) is a non-issue. It is unlikely to have a significant impact on the GDPR because, firstly, Brexit is scheduled for after the GDPR start date and, secondly, assuming Brexit happens, all indications are that new UK-specific data protection legislation will not be fundamentally different. The GDPR applies to any organisation established in the EU and, in most cases, to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (whatever their nationality), so a UK business dealing with EU customers would be caught anyway and it would not make commercial sense for the UK to disengage from the GDPR after Brexit.

There are lots of horror stories about the increased fines applicable to a GDPR breach, which can potentially amount to €20 million or 4% of annual worldwide turnover (whichever is the higher), but it is important to keep this in perspective. The Information Commissioner (the UK’s DP regulator) has indicated that fines will be imposed on a discretionary basis, proportionate to the failing. It looks likely that organisations that are doing their best and can demonstrate careful and considered organisation of their data and a clear effort to comply with the GDPR need not be overly concerned about the heavy fines that are making the headlines. The IC is not intending to try to catch people out. That said, there is still quite a bit to be done to meet the new standards set by the GDPR. But DON’T PANIC.

There is time to review internal DP processes. But keep in mind the ticking clock – 25 May 2018 is the deadline so DO PROGRESS things now.  

Within organisations, DP needs a consolidated and coordinated approach.  Internally, this requires  buy in from: management  (to ensure resources), HR, IT, marketing, legal, compliance teams and  any relevant business specific areas. It also requires internal training to all individuals within an organisation about the value of personal data and the internal processes that protect it.

So where to start?!
One of the new principles introduced by the GDPR is an organisation’s accountability. Every organisation is required to be responsible for and demonstrate compliance with the GDPR and this means having internal documentation in place to show that you have thought about why you hold the data that you do.  

1. What is your lawful justification for processing data? 
Critical to any organisation’s right to process and hold the personal data of an individual is identifying the organisation’s lawful basis for doing so. Article 6 of the GDPR lists six lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of someone’s vital interests, a task carried out in the public interest, and the legitimate interests of the organisation or a third party. An important exercise to undertake is to assess the data you are holding and match each category to its lawful basis. In many cases there will be different justifications for different types of data held about different categories of individuals (e.g. employees, customers, prospective customers etc).

A useful justification for processing data is that it is “necessary for the legitimate interests of the business.” But this basis only applies where those interests are not overridden by the interests or fundamental rights of the individual, so it needs to be supported by a documented balancing exercise setting out what the “legitimate interests” are and why they outweigh any impact on the data subject. Other possible justifications include: 
  • That the processing is necessary for the performance of a contract with the individual; or 
  • That the processing is necessary for compliance with a legal obligation to which the data controller is subject.  
And of course, it is possible to process personal data with the individual’s consent, BUT organisations must check the way that they obtain consent (e.g. through the company website or over the phone), as it is highly plausible that existing consent mechanisms do not meet the higher standard of the GDPR: consent must be a clear affirmative act (a pre-ticked box or silence does not count), it must be freely given, you must be able to evidence it for every individual, and it must be as easy to withdraw at any time as it was to give.

Importantly, consent must be granular: where different processing activities are bundled together, consent is presumed not to be freely given unless separate consents are obtained for each. For example, a catch-all tick box on a website that purports to give consent to marketing, newsletters and transfers of personal data to third parties will not be valid consent for any of them.

2. Enhanced data subject rights
Having established the appropriate justification, this needs to be communicated to the relevant individual, together with the other information the GDPR now requires you to give them. The most appropriate place to do this is in a privacy policy (also called a privacy notice). This is something that most organisations will need to revisit, both in terms of the privacy policy addressing customers and prospective customers and the internal employee privacy policy.

A privacy policy will need updating to include new specifics about the processing and the data subject’s rights, including: 
  • The lawful justification for processing;
  • If processing is “necessary for the legitimate interests of the business”, what those legitimate interests are;
  • Any recipients, or categories of recipients, of the data;
  • The envisaged storage period for each data type, or the criteria used to decide it (see below);
  • The rights to access data, to rectify incorrect data, to object to processing, to data portability where it applies and, in certain circumstances, to erase data;
  • Whether there is any automated decision making or profiling that produces a legal or similarly significant effect on the individual and, if so, the logic involved;
  • The right to complain to the regulator;
  • Where data is transferred to a country outside the EEA, the fact of the transfer and the safeguard relied on (for example an adequacy decision, standard contractual clauses or binding corporate rules).

3. Internal data analysis
The rather long list of extra information to be given to data subjects hopefully underlines the need for organisations to conduct some form of data mapping or data audit, so that you have a clear understanding of what data you hold on individuals, why you hold it, what you do with it, where you keep it (including which systems and which third parties), and how long you will keep it, and can communicate all of this to each individual through a policy document. Organisations (other than some small ones whose processing is only occasional) must also keep a written record of their processing activities, and the data map is the natural source for it. Both demonstrate accountability and transparency and show that you have considered and integrated data protection into your processing activities.

Organisations need to look inwards to data belonging to employees, freelancers, contractors and job applicants. And organisations also need to look outwards, to all data held by an organisation about any individuals – whether this is marketing data, user data, historic data etc. 

4. System design 
Data protection should be built into system design; the GDPR calls this data protection by design and by default. For example, if you are contemplating a new automated marketing or payroll system, ask at the design stage what data it actually needs to collect, who can see it, how long it keeps it and whether it can work with pseudonymised data, rather than bolting DP on afterwards.

5. Duration of data storage
As part of the data analysis, and once the different data types and processing justifications are identified, organisations need a system for reviewing each category of data and working out how long it should be held. This is a balancing exercise between DP principles on the one hand, and a commercially sensible approach to the valuable data you hold, on the other. There may also be legislative requirements to comply with, in terms of holding onto particular categories of data for a minimum period, for example employee tax data.  

The important message here is to assess data retention by data category and to have a clear and reasoned policy explaining why you hold each category for the period that you do. It is equally important to have an internal process whereby the data actually gets deleted securely once the period expires, and that process has to reach every copy: live systems, backups, exports and data held by your processors, not just the primary database.

6. Data processing relationships
Organisations should only use data processors which provide sufficient guarantees that they can and will implement measures to meet the GDPR requirements themselves. If you have external service providers processing personal data on your behalf (payroll bureaux, cloud hosting, marketing platforms and so on), you must review your agreements with them, which will almost certainly need updating with the mandatory provisions the GDPR requires.

These mandatory provisions include obligations that:
  • The processor will only act on your documented instructions;
  • The processor will ensure that the people it uses are bound by confidentiality;
  • The processor will implement appropriate security measures and will permit and contribute to audits and inspections by you;
  • The processor will not engage a sub-processor without your authorisation, and will flow the same obligations down to any sub-processor it does use;
  • The processor will assist you with data subject requests, with security and with breach notification; and
  • The processor will delete or return the data at the end of the contract.
Another takeaway point is therefore to review processing agreements with third parties and ensure that the new mandatory written contractual terms are in place.

7. Data breach reporting systems 
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. This could mean that your IT system has been hacked or that one of your employees has left their work laptop on the train.  

Under the GDPR, if you discover a breach of this nature you must notify the Information Commissioner within 72 hours of becoming aware of it, or provide a reasoned justification for any delay. The notification requirement does not apply if the breach is unlikely to result in a risk to individuals, for example because the data on the lost laptop was encrypted and the key was not lost with it. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. A processor that discovers a breach must notify the controller without undue delay, so the 72-hour clock is very short in practice and your processor contracts need to support it.

Therefore, organisations need to ensure that internally they have a clear process for dealing with any potential data breach, with defined roles for the individuals involved, and that they keep a record of every breach, including those they decide not to notify, since the GDPR requires that record and the regulator can ask to see it.

And looking externally, having seen how Equifax has handled the response to the breach of data on some 143 million individuals, it is absolutely critical to have an external facing data breach response plan too, so that communication with customers and the press is managed properly. Hacking is not a problem that is going to go away, and organisations need to acknowledge that the data they hold is at risk and that, even with the best IT security in the world, breaches will happen. It is therefore vital to have a tested response plan in place outlining what steps an organisation should take, internally, externally and with the Information Commissioner, should the worst happen.

8. Data security
There is an obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing particular types of personal data. The GDPR itself names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the measures as examples. Organisations need to ensure that IT teams are aware of the new GDPR obligations and are securing systems at the appropriate level. In particular, if personal data at rest (laptops, backups, exports) is not already encrypted, consider this, bearing in mind that encryption only reduces the risk from a lost device if the key is not stored alongside the data; and also review insurance policies to assess whether the extent of cover is appropriate in the event of a breach.

9. Transfer of data outside the EU
The transfer of personal data from the UK to the US is a challenge for many organisations and it is not one with which the GDPR really assists. The current sticking plaster that is the EU-US Privacy Shield (intended to provide for the lawful transfer of data between the EU and the US) is unlikely to last for long, and the recent Equifax disaster will bring this issue to the fore again. The transfer of data outside the EU is an area where large scale overhaul is still required. In the meantime, for data transfers outside the EU, relying on standard contractual clauses (approved by the European Commission) or, for intra-group transfers, binding corporate rules is likely the safest way to ensure compliance with the GDPR. Whichever mechanism you use, record it in your data map and privacy policy, since the transfer and the safeguard relied on are among the things you must tell data subjects.

And to finish...
There are many aspects of DP that this note doesn't cover. This note is intended to give organisations a broad-brush view of the internal systems that should be put in place before May 2018. It is not a substitute for specific legal advice. We would, of course, be very happy to help if you would like to discuss how Temple Bright can assist your company with the challenges of GDPR compliance.
