Preparing to comply with The EU General Data Protection Regulation

The new European General Data Protection Regulation (GDPR) will come into force throughout the European Union on 25 May 2018. The GDPR will have a wide ranging impact on businesses around the world, irrespective of where they operate.

A few of the key changes that will affect your business are:

European data protection law will now apply worldwide. Organisations that are located outside the EU that process personal data in relation to the offer of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will now have to comply with European data protection law.

Tougher sanctions for non-compliance. The maximum fine for a breach of European data protection law will be increased to 4% of an enterprise’s worldwide turnover or €20 million per infringement, whichever is higher.

A new data breach notification obligation. Organisations will now have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.

New data privacy governance, data mapping and impact assessment requirements. Organisations will now need to appoint a data protection officer to be responsible for implementing and monitoring that organisation’s compliance with the GDPR and to carry out assessments of an organisation’s data processing in certain circumstances.

Implement ‘privacy by design’. Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed.

Enhanced requirements for the supply chain. Businesses must only use other parties to process personal data that provide sufficient guarantees that they will implement appropriate security measures to satisfy the requirements of the GDPR. 

Employee interview notes are not protected by legal advice privilege

As a corporation can only act through its employees, it is often assumed that all employees’ communications with the corporation’s lawyers count as client-lawyer communications and will therefore be privileged. However, the decision of the High Court in the RBS Rights Issue Litigation provides a useful reminder that this will not always be the case and corporates should bear this point in mind, particularly when performing internal investigations.

RBS tried to resist the disclosure of transcripts, notes and other records of interviews with RBS employees and ex-employees made as part of two separate internal investigations (the “Interview Notes”), on the basis that these: (i) were subject to legal advice privilege (“LAP”); or, alternatively (ii) were lawyers’ working papers and therefore, by their nature, privileged.

The Judge was bound to apply the Court of Appeal ruling in the well-known but somewhat controversial case of Three Rivers DC v Bank of England [2003], which confines LAP to communications between lawyer and client, and also provides that “the fact that an employee may be authorised to communicate with the corporation’s lawyers does not constitute that employee the client or a recognised emanation of the client”. Whilst the documents in question recorded direct communications between employees and RBS’s lawyers, such communications were for the purpose of gathering factual information and were not communications between client and legal adviser. Accordingly, RBS was not entitled to claim LAP in respect of the Interview Notes. In addition, RBS failed to sufficiently demonstrate that the Interview Notes revealed the “trend of legal advice given” by its lawyers and this claim to privilege also failed.

The decision highlights the importance of identifying who is the client for the purposes of providing legal advice and keeping this under review as the matter progresses. Where litigation privilege is not available, verbatim notes of interviews with employees or third parties made during a corporate internal investigation will not be protected by LAP, even if the interview is conducted by an internal or external lawyer. As such, if a corporate believes a regulatory issue may have arisen which requires further investigation before it can determine what substantive action to take, consideration should be had as to whether there is a need to make a written or taped record of employee interviews, in light of the nature and purpose of the investigation being carried out. However, it should also be noted that the SFO and FCA have criticised firms for not recording such information to avoid disclosing it to the regulator. Therefore businesses may wish to seek legal advice with respect to this issue.

In addition, businesses should be aware that in the context of cross-border investigations and litigation, a document which is privileged in one jurisdiction may not necessarily be privileged in another. The Interview Notes were actually privileged under US law but the Judge held that in the English courts the law of the forum applies to the question of privilege – in this case, English law.

Disclosure of Tax Avoidance Scheme (DOTAS)

The DOTAS regime, introduced in 2004, requires the notification to HMRC of certain tax avoidance arrangements. In February 2016 a new “hallmark” relating to “financial products” was brought in. This made many advisers think that arrangements commonly used to allow managers in PE investee companies to get entrepreneurs’ relief in relation to their holdings of sweet equity may now be notifiable. This was confirmed in part when HMRC released guidance in October indicating that they thought certain of these arrangements would be notifiable. However, there still appear to be arguments that, providing the arrangements are properly structured, there would be no obligation to notify.

Following notification HMRC may issue a scheme reference number (SRN), which the taxpayer will need to include in their tax return. Whilst notification in itself does not mean that the arrangements do not work, or will be challenged, the consequences of notification have increased since the introduction of the regime. There has always been the concern that notifying an arrangement could increase the chance of HMRC investigating participant’s tax affairs. Now however, where an SRN is issued, and HMRC opens an inquiry, it can require the taxpayer to make upfront payment of the disputed tax, pending the dispute’s resolution, amongst other new consequences.

We understand from a recent meeting with HMRC that they want notifications of entrepreneurs’ relief arrangements such as referred to above for information gathering purposes. They do not appear to be challenging the availability of the relief, provided the conditions are met (although it is possible that the information gathering process may lead to a change in the rules going forward). They also mentioned that in many cases where these arrangements are notified, they may not issue an SRN, with the consequence that no reference to the DOTAS disclosure needs to be made on the users’ tax returns.

Given the uncertainty around notification, and the potential consequences of notification, we would recommend that taxpayers discuss DOTAS notification with their advisers where entrepreneurs’ relief may be in point.