This article first appeared in Privacy Laws & Business UK Report, September 2016.
The UK withdrawal arrangements from the EU are expected to take at least two years from the point when Article 50 is triggered. But the GDPR will apply in the UK on 25th May 2018 – so what now?
Following the Brexit vote many organisations are left grappling with an unwelcome conundrum: prepare for the General Data Protection Regulation (GDPR) knowing that it might not take effect in the UK or wait and see and then risk an almighty scramble to get ready if it is going to come into force. In other words, stick or twist?
Brexit and GDPR
Clearly, Brexit has led to a period of uncertainty which extends well beyond data protection and until we have clarity on the UK’s position in the withdrawal negotiations that uncertainty will continue.
Some organisations had embarked on GDPR projects prior to the Brexit vote and many of them have taken the decision to continue with them because they are offering goods and services to individuals within other parts of the EU and GDPR will apply to personal data processing in relation to these activities anyway. Others have taken the view that GDPR will be the de facto gold standard for data protection and, therefore, if they comply with it, they will comply with any regime that is likely to apply in the UK.
Most organisations, however, had not started GDPR projects at the time of the Brexit vote and, whilst some may have taken the decision to embark on one since, most will not. The reasons will be varied. Many would not yet be thinking about GDPR even if Brexit hadn’t come along, others will hold off because of Brexit. Why prepare for GDPR if it may never happen? Better to wait and see. Meanwhile, budget and resource that might have been allocated to GDPR is being diverted elsewhere or even withdrawn.
So what do we know?
We know that:
- GDPR will take effect on 25 May 2018 throughout the EEA and unless the UK has withdrawn from the EU beforehand or some form of exemption is negotiated through the withdrawal process, it will take effect in the UK on that date.
- The Information Commissioner’s Office (ICO) considers that there is a strong case for data protection reform regardless of what happens in the Brexit negotiations.
Given the free trade rhetoric coming from the UK Government, it appears reasonable to assume that the UK will not want data protection to be a barrier to trade with the EU. GDPR might continue to apply directly if the UK seeks to become a member of the EEA with full access to the single market, although politically that is looking increasingly unlikely. More likely is that the UK will adopt a regime for data protection that allows the EU Commission to make an adequacy finding, thereby allowing the free movement of personal data between the UK and the EEA to all intents and purposes as if the UK were still part of the EEA.
GDPR seeks to provide a “stronger and more coherent framework” for data protection than the current regime. It seems unlikely, therefore, that the Commission will give an adequacy finding to a regime based on the previous 1995 Directive. So, the Data Protection Act 1998 is unlikely to be good enough but whether the UK seeks to implement all of the GDPR through national legislation (almost as if GDPR were a Directive) or seeks to cherry pick bits of it for a so-called ‘GDPR lite’ regime is unclear. The UK Government could also choose to do something else entirely but that appears unlikely.
It appears a reasonable assumption, therefore, that the status quo is not really an option. Something will happen and it will still probably happen in 2018.
Wait and see?
For those not minded at this stage to prepare for GDPR, what can usefully be done?
Here are my top five areas where organisations can and should be doing something now so that the groundwork is laid for whatever follows – whether that is GDPR or something else.
1 - Resource
Whatever happens in the next couple of years, it is pretty clear that privacy is going to become an increasingly important area of law. Any reform of data protection law is likely to strengthen, not weaken, the protection afforded to individuals and the sanctions for non-compliance are likely to be tougher.
Against that backdrop, organisations should be thinking now about how they are going to resource privacy compliance. Many large organisations – particularly those operating on a multi-national basis – will already have specialist privacy compliance capability but many others do not, either because it is dealt with through legal or general compliance functions or, alternatively, through the IT or finance functions. This is unlikely to be sustainable. The greater demands of GDPR or an upgraded UK data protection law will require specialist (and dedicated) knowledge and leadership from someone who sits at senior management level. In other words, many organisations are going to need to appoint specialist data protection officers (DPOs) for the first time.
GDPR mandates the appointment of DPOs for public authorities and others whose core activities involve large scale processing .. Even if GDPR does not come into force in the UK, and any UK alternative legislation does not make it a requirement to appoint a DPO, it will simply make good sense to have one, both in terms of driving good data management practice but also in protecting the organisation from a reputational and risk management perspective.
Good DPOs are likely to be in high demand so waiting for the rush is unlikely to be sensible. Equally, for those who already have a good DPO, retention is likely to be a key issue.
2 - Data mapping - laying the foundations
Any strategy for data protection compliance that isn’t based on a clear picture of the personal data held, where it comes from, what it is used for and where it goes is built on shaky ground. Getting this information is a must for any organisation that is serious about data protection compliance – regardless of whether data protection reform is on the agenda or not. Constructing a detailed data map or register allows an organisation to:
- assess compliance (or non-compliance) with current data protection law;
- create a gap analysis between what is done now and what might be required under GDPR or any new UK legislation; and
- prioritise key areas for action.
Unfortunately, for organisations of any size, the exercise is a project in itself, which can require significant resource and time to properly execute. However, ultimately, a detailed data map gives not only a solid foundation for a compliance programme, it also may provide the opportunity to fundamentally re-engineer data structures and flows that no longer make sense, thereby delivering greater efficiencies and reducing risk.
3 - Data minimisation
Data collected should be:
- limited to what is necessary for the purposes for which they are obtained (what the GDPR calls “data minimisation”); and
- kept for no longer than is necessary for the purposes for which they are retained (which the GDPR calls “storage limitation”).
Data minimisation and storage limitation have always made sense. Aside from breaching the data protection principles, obtaining excessive amounts of data and holding data for longer than is needed just means that you have to keep it up to date and safe, you may have to disclose it under subject access and, commercially, it may contribute to increased storage costs.
Unfortunately, implementing both concepts in practice has often been frustratingly difficult. Persuading colleagues that they shouldn’t ask for information they don’t really need, just because it might prove useful in future, has often been a battle with privacy teams. Many organisations have simply never got to grips with the concept of storage limitation, in part because they’ve never actually engaged in a data mapping exercise to understand the underlying data that they hold and why they hold it.
Whilst, until now, there have been no effective sanctions and, thus, little incentive to take data minimisation and storage limitation seriously, GDPR will change this. Looking to minimise the volumes of personal data held by tightening any lax practices that allow excess data to be captured whilst reviewing (or introducing) and enforcing data storage retention practices makes a lot of sense.
4 - Processing justifications
Under GDPR, there are a number of areas where the justifications for personal data processing are tightened:
- Consent – GDPR is far more prescriptive as to how consent should be properly obtained.
- Children – specific additional requirements are included for consent-based processing of children’s data.
- Legitimate interests – those relying on legitimate interests to justify processing will need to be clear as to what those interests are and communicate them to data subjects. Legitimate interests can no longer be relied on as a justification for processing by public authorities.
If you process personal data using consent or legitimate interests as a justification, these are areas you should be looking at closely. If the basis on which you’ve obtained consent may become invalid then you will need to devise a strategy to refresh that consent. This may not be straightforward, given that consent requires clear affirmative action and attrition rates on getting positive engagement are invariably high. Allow as much time as possible. Similarly, where processing has been grounded on the basis of a general but unspecified legitimate interests justification, then careful thought will need to be given as to what those legitimate interests actually are and whether they are justifiable and stand up to scrutiny.
5 - Contract reviews
Ask anyone tasked last year with finding Safe Harbor-reliant contracts post-Schrems and they will tell you that, without a decent searchable contract management system, it is a resource-intensive and time-consuming task Still, just like data mapping, finding all impacted contracts will be an essential element of any planning exercise. These will include:
- Contracts under which personal data are processed – processing contracts that will remain in effect after GDPR or any UK alternative comes into force will need to comply with the new requirements. This will cover not only simple data processing agreements but also more complex arrangements for sharing personal data.
- Technology contracts – contracts for the procurement of technology solutions which host, or are used, to process personal data will also need to be reviewed. Aside from any processing aspects, will the solutions allow users to comply with the new laws when they come into force? As a first step, it is worth speaking with vendors to find out what their development plans and timelines are. You will also need to look to your contracts to understand (a) whether the vendor has any contractual obligations to keep its solution compliant with applicable law on an ongoing basis, and (b) assuming it does, who is responsible for bearing the development costs. In this context, particular care will need to be taken in reviewing any ‘applicable law’ definitions, to see whether they cover GDPR but also the possibility of any UK data protection legislation that does not emanate from EU law. Whilst it may yet be too early to renegotiate major contracts to address GDPR / possible new UK data protection legislation, it is worth understanding now, which contracts/vendors are likely to be problematic when the time comes with a view to developing strategies and tactics to address any issues.
Finally, many organisations are developing new contractual styles based around the requirements of GDPR. In terms of basic approach, many of the requirements of GDPR can be expressed in general contractual terms that should work when coupled with a well drafted definition of ‘data protection law’ (or similar) to give enough flexibility to cover a scenario where the UK does its own thing. Over the coming months, market practice and norms will emerge no doubt, but, for now, having contract documents on the stocks that are futureproofed as far as they can be is an investment worth making.