This year sees the adoption of the new EU Data Protection Regulation, which is set to radically change the dynamic around storage of personal data. Firms that suffer a data breach could incur vastly increased fines based on their global turnover. Ian De Freitas, Tamara Quinn and Jamie Drucker consider the upcoming Regulation alongside other key developments which could completely change organisations’ data storage practices.
Data, Data Everywhere
Your firm has been amassing stockpiles of electronic information for many years. Structured, unstructured, emails and text messages – data is literally everywhere.
Typically, there are three reasons why organisations are collecting and storing personal data:
- Collection and retention is mandated by regulatory regimes;
- Personal data has intrinsic or commercial value for the firm;
- Storage is the status quo – a default position mandated by firm-wide data storage policies and procedures.
However, the rationale for storing ever-increasing amounts of data is beginning to be undermined by the risks of doing so. We have been following three key developments that are driving a fundamental reassessment of existing practices – reframing personal data storage as a business decision, as opposed to a default position:
- Impending changes to EU rules on data protection;
- Increasing risk of claims if data is lost or misused; and
- A data-savvy and empowered citizenry, determined to police what is being done with their data.
Individually each of these developments will, to a greater or lesser extent, impact firm-wide and/or departmental business strategy, internal policies and internal training for thousands of organisations. Collectively they have the potential to bring about irreversible change in favour of the individual. Let’s look at each of them in turn.
The EU Data Protection Regulation
The EU data agenda continues to trundle on towards the adoption of the EU Data Protection Regulation, widely expected in 2016. This is a game-changer in terms of enforcement, with regulatory fines likely to be in a range between 2% and 5% of worldwide turnover for serious breaches. Delving into more of the detail, the Regulation will inevitably be pro-privacy with the current draft versions giving greater rights to individuals to demand that their data be deleted, returned or passed to a new service provider.
Mapping and locating all of that data will be no easy task. The dynamic around data storage is also set to radically change, with the application of EU data protection laws to parties established outside the EU. In addition, direct obligations will now be placed on data processors, not just data controllers, meaning that the organisations to whom you outsource data storage will be caught by the new Regulation.
Paying Out: Compensation Claims for Data Misuse
Allied to the pro-privacy agenda of the draft Regulation are moves by the English courts to liberalise compensation claims for breaches of data protection law. In the last year, the case of Google v Vidal-Hall has continued to make its way through the courts. The Court of Appeal has now endorsed the view that individuals can seek compensation for distress arising out of the misuse of their personal data, regardless of any actual pecuniary loss.
This is a radical departure from the prevailing view, enshrined in statute, that such claims should not be allowed. The point is to be tested by the UK Supreme Court, but if upheld it would make group litigation claims by affected individuals realistic for the first time. Each “distress” claim might only be worth a few thousand pounds, but multiply that by a few hundred or a few thousand claims and it looks viable to claimants and the lawyers representing them. For example, we have already noticed law firms seeking to sign up claimants following recent data breach incidents in the UK.
The Rise of the Datavist
Finally, we have also seen individuals being more pro-active in policing their own data. To an extent this has been as a result of the so-called “right to be forgotten” ruling against Google from the Court of Justice of the European Union in 2014, but it was a trend even before then.
Perhaps the most notable “Datavist” is Max Schrems, an Austrian law student who took on Facebook and the European Commission and won, with the Court of Justice of the European Union declaring invalid the “safe harbour” agreement between the US and the EU, which for fifteen years had allowed companies to transfer data of European citizens to the US. This development alone is forcing thousands of companies to re-think transatlantic data transfers to avoid breaching data protection law.
However, Max Schrems is only one of thousands of individuals who are increasingly asking questions about how their data is collected, whether it is securely stored and how it is used. If they do not get satisfactory answers, they are reporting this to Data Protection Authorities who will typically investigate.
Time for a Fundamental Rethink?
We are at a crossroads. Simply throwing more capacity at the personal data problem is no longer an option for organisations. The default position of storing data is being seriously tested because of the costs and risks involved in doing so.
This represents a fundamental shift in thinking. Organisations must reconsider what it is necessary to store, the inherent and potential value of their data, whether it is secured and managed efficiently, and the associated risk in continuing to hold it. This is not an easy conversation as it engages so many different parts of the organisation. Apart from the legal team, it typically involves information security, information technology, procurement, human resources and the business units. Each is likely to have its own agenda, and aligning an approach is not straightforward.
However, the three risk factors we have highlighted emphasise the increasing need to assess whether the organisation should continue to default to data storage – or defuse a ticking time-bomb.