A failure to comply with the Data Protection Act 1998 (DPA) can lead to a fine of up to £500,000, but the reality is that any failure will have far greater implications for a business in terms of its reputation and costs than just the fine. The real cost of dealing with a breach can easily exceed the fine and will invariably include the internal time costs, legal fees, forensic expert fees and the cost of implementing measures in a hurry to ensure future compliance.
A recent study by Symantec and the Ponemon Institute reported that the average cost to a business of a data protection breach in the UK is $124 per record. Based on those statistics, the real cost to a FTSE 100 company, which was recently fined £250,000 by the Information Commissioner's Office (ICO) following the hacking of millions of customer records, was billions of pounds. Even so, its directors got off lightly when compared to Deutsche Bahn, where a senior officer was jailed for "monitoring" telephone calls by Deutsche Bahn in breach of data protection legislation and Germany's telecoms rules.
While such examples emphasise the importance of data protection compliance, avoiding potential pitfalls is no easy task given the myriad of conflicting rules faced by UK businesses operating on a global scale. For instance, in the UK, the DPA implements the European Data Protection Directive into local law, but in each member state it has been implemented and enforced differently.
An example of different approaches taken by different countries in Europe is demonstrated by the way in which new "cookies" laws have been implemented. In the UK, the regulator allows implied consent for "cookies", whereas in many other EU member states, actual explicit consent is needed. These and other differences in approach are complicated further by other local laws that impact on data protection issues; for example, the Regulation of Investigatory Powers Act 2000, or the Privacy and Electronic Communications Regulations 2003 in the UK.
To a certain extent, the position across the EU will be harmonised with the introduction of a new data protection regulation which will have direct effect, probably from 2016 (although it would not be surprising if the European Commission cuts short the implementation period and brings it into force sooner). The regulation is still in draft form, but, based on the current draft, it will significantly raise the bar as far as compliance standards and costs of compliance in the UK are concerned.
At the same time, risks of non-compliance will significantly increase. This being the case, how best can an accountancy practice prepare for the new legislation and, importantly, how can it ensure compliance now? These were the main topics of discussion at the latest Wragge & Co breakfast briefing on 'Managing key data protection risks for professional service providers', which was held on 2 May 2013.
What is personal data?
The DPA governs personal data, but it can sometimes be difficult to identify exactly what does and does not fall into that category. Personal data is anything that allows a third party to identify an individual from the data, such as an address, a salary or an opinion about an individual. It's useful to apply a "stalker" test, i.e. could a "stalker" put two and two together to identify that individual? If they could, then even if the data appears to be anonymised, it will still be personal data and, therefore, regulated.
There are two key categories of data for professional services firms to consider - employee data and client data.
An accountancy practice will be the data controller in relation to its own employees', potential employees', partners' and consultants' data. When acting as data controller, a firm is regulated by the DPA and must abide by the key data protection principles.
These principles require that personal data is: fairly and lawfully processed; obtained fairly and processed only for specified and lawful purposes; adequate, relevant and not excessive; accurate and up-to-date; kept no longer than necessary; processed in accordance with the rights of data subjects; protected by appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss, destruction and damage; and not transferred outside of the European Economic Area (EEA) unless adequately protected.
Hints and tips:
- Ensure you tell employees, potential employees, partners and consultants what personal data of theirs you will be processing and why (i.e. make sure you have a sufficiently detailed employee privacy notice). Do not forget to flag any monitoring of employee communications and CCTV, as well as any intra-group data sharing (such as talent databases) in employee, partner and recruits' privacy notices.
- Get consent if necessary for any vetting or health data processing not required by employment law.
- It sounds simple, but ensure that HR files are kept in lockable cabinets and that access to electronic files is controlled and regulated.
- Check that your data retention policy addresses retention periods for employees, partners, consultants and potential recruits and make sure those retention periods are implemented.
- Review any employee data inherited through TUPE transfers. Carry out data cleansing and ensure all employees TUPE-d across receive appropriate privacy notices and training on data protection.
Data processing encompasses anything that can be done with personal data, including holding or deleting the data. Accordingly, an accountancy practice is also likely to be the data processor in respect of client data held for the purposes of carrying out work on behalf of clients, for example personal data copied for the purposes of carrying out audit, pensions, tax or payroll work. It may also be acting as data controller when holding client data for its own purposes, for example in order to invite those clients to events.
As data controller, a firm must comply with the DPA. As data processor, however, the main risk for firms in relation to client data is a contractual risk. Data processors are not subject to the DPA, but clients (as data controllers) nevertheless have an obligation to ensure that any retainer contains certain minimum requirements which oblige the data processor to implement security measures.
These measures include: acting only on the instructions of the data controller when processing the data controller's data and ensuring reliability of staff who have access to personal data. In reality, clients will usually ask for greater comfort than this on data protection issues and for uncapped liability for data protection breaches.
Hints and tips:
- The UK's data protection regulator, the Information Commissioner's Office (ICO), does not prescribe security standards but it "likes" ISO27001 and ISO27002 and recommends encryption of mobile devices. If the personal data on a laptop is lost but encrypted, this may not be considered a data protection breach by the ICO.
- Keep IT security as up-to-date as practicable for your business. The more substantial the business the higher the ICO's expectations will be in terms of IT security.
- Having said that, don't just focus on IT security. Poor attention to data security by employees is a top reason for ICO action, and mishandling a breach can significantly increase costs. Good practice can be as simple as making sure personal data is locked away, not taken out of the office unless necessary and securely destroyed (not left in a skip - you may laugh - it happens!). Make sure that you have data protection policies in place and can demonstrate effective roll-out to your staff. Set up a taskforce to deal with data protection breaches quickly and effectively.
- Data controllers must ensure that adequate measures are in place if transferring data outside the EEA. If client data is held as data controller and a decision is taken to sub-contract services - for example, to other members of your network outside the EEA - ensure that you can use one of the model contracts approved by the European Commission in the prescribed form. Take care, however, before entering into a model form of agreement on a standalone basis; the model contracts contain no caps on, or exclusions of, liability. Instead, consider appending them as schedules to the main retainer (although data controllers might object to this on the grounds that it could be a watering down of the model contract terms, which could invalidate the 'adequate protection' that the use of model contracts is deemed to give).
- Don't try to 'future-proof' your business in advance of publication of the finalised data protection regulation (expected at the end of this year); you may find that any measures you take are unnecessary or do not go far enough. In the meantime, do your best to prepare by taking steps to ensure that you understand your organisation's current personal data processing, upcoming projects and data protection contracting arrangements, and close down any compliance gaps, including gaps in security.
Data protection - the future
So what lies in store for the future? It's not entirely clear. Draft data protection regulations were issued in January 2012, but were heavily criticised by the Article 29 Working Party (the European Commission's data protection committee) and various data protection regulators in Europe. Given that the regulations are not expected to be implemented until 2016, there is plenty of time yet for the European Commission and the regulators to amend or supplement the draft.
In the meantime, the most significant changes look set to be:
- Fines of up to €1 million or 2% of global annual revenue.
- The introduction of a 'one stop shop' approach to regulation, so that multi-jurisdiction organisations are answerable to a single data protection authority.
- Regulation of data processors and also non-EEA data controllers who offer goods and services to EEA residents or carry out behavioural advertising in the EEA.
- No materiality threshold for reporting data protection breaches and strict timelines within which breaches must be reported (the current draft regulation allows 24 hours). At present, the ICO recommends notification and will only issue fines for "serious" breaches of the DPA.
- A "first offence" get out of jail free card for non-profit-making organisations and small entities with fewer than 250 employees where personal data processing is ancillary to their main activities.
- A mandatory requirement to appoint a data protection officer (DPO) if you employ more than 250 people, are a public body or your core activities involve operations which by their nature, scope or purpose require regular and systematic monitoring of data subjects. The DPO will have prescribed tasks, must be able to operate 'independently' and be appointed for a prescribed minimum period (giving them a 'whistleblower'-like status).
- New rights for individuals to object to the processing of their personal data and also a new 'right to be forgotten', allowing individuals to ask data controllers to purge the individual's information from their records.