For a brief moment in May 2016, it seemed the data protection landscape was clear. After years of clients receiving marketing from some (over) eager data protection lawyers informing them they really must start planning for the implementation of the new European General Data Protection Regulation (GDPR) despite the lack of a finalised text or implementation date, finally, we got there. The text of the GDPR had been agreed the month before and an implementation date was set (25 May 2018). The GDPR became a reality.
Then Brexit. We cried into our cornflakes. Informing our clients about how they needed to change their data handling practices because of EU legislation, when we had just opted out of the whole shebang, was about as appealing as a Trump election rally.
The way ahead is not crystal clear to any data protection lawyer, simply because none of us yet knows the deadline by which we must exit the EU, what the government plans to put in place of the GDPR when we do, or how long any ‘transitional’ period will be.
What we do know is that the GDPR will automatically come into effect on 25 May 2018, that we will almost certainly still be part of the EU then, and that we will therefore be bound by it, even if only for a time-limited period. It will still apply to business data handling practices in the other countries across Europe. It still represents, in many ways, the ‘best practice’ interpretation of our current UK data protection rules, which are ambiguous, which do not always reflect the intention of the EU Directive preceding them and which have not kept up with technological change. It also helps us become more compliant with the current rules in a climate where non-compliance has become a front-page story causing many millions of pounds of brand damage. The UK regulator has also issued a public statement which was fully supportive of the GDPR concepts and the need to overhaul UK data protection law.
What do we need to do now?
It makes sense to implement some of the GDPR now because of the factors described above and because many of the changes are relatively straightforward and inexpensive to implement. You do need a plan, and you need to cost the changes for your business over the next 24 months. The changes can be categorised as follows (this is not exhaustive):
Category 1: Clarifications/changes you should have done anyway in an ideal world and which should not require business transformation:
These are changes that the GDPR makes which can be viewed as clarifications of what the UK data protection law should have said in the beginning and what the ICO has been guiding businesses (politely) to do all along:
- Consent: When you get ‘consent’ for the numerous ways in which your business uses personal data (including IP addresses), you need to be clear to consumers what you are doing with the data, and consent requires an affirmative action. No pre-ticked boxes. Your opt-outs need revising. Your privacy policies, websites and forms which obtain customer consent need checking (and the less compliant ones need re-working).
- Data sharing and breaches: Check that your staff/contractors do not send out large volumes of unencrypted personal data. Contractors’ contracts should prohibit this and be tightened accordingly.
- IT design: Build data protection into systems’ design (you will need to give this a bit more than a glancing nod). Ensure your systems limit the risk of accidental breaches. Improve penetration testing, but also review your staff practices (human error is to blame for data breaches as often as hackers are). Audit your data and understand where it is obtained, where it is held and where it goes.
- Review your supply chain: Conduct diligence on suppliers who handle your business’s customer data. Ideally, audit them and build this into their contract with you. You need to know where in the world your business data is going when you engage suppliers.
- Make it count: Data protection should be a standing item on your board’s agenda. All business unit heads must understand data protection responsibilities.
- Handling breaches: You need to have a clear plan on how to deal with breaches and practise it. Under the GDPR, a breach that is likely to result in a risk to individuals must be notified to the regulator within 72 hours of your becoming aware of it, so the plan needs to work at that speed. You may consider engaging lawyers and a PR team so that you can react to a data breach as quickly and efficiently as possible. You may also consider drafting a template statement for release to the public in the event of a data breach.
Category 2: Training on new staff obligations:
Training staff should not require much business change, but it will require some staff time. For example, do HR and customer support teams need training to ensure they are up to speed with data protection obligations? Do they know how to handle customers’ new ‘right to be forgotten’ if relevant? Does each business unit have someone responsible for ensuring their unit is compliant with data protection rules?
Category 3: Changes that will not need action per se but which you need to know about to assess the risks to your business:
This category includes the increase in the level of fines: from the current UK maximum of £500k up to 2% or 4% of global annual turnover (or €10m/€20m, whichever is higher), depending on the breach. Getting the consent requirement wrong has, to date, not been a major area of enforcement action by the regulator and is therefore relatively low risk to non-compliant businesses. Post-GDPR, getting the consent mechanisms wrong could cost you 4% of your global turnover. Businesses that wish to carry on with current non-compliant practices will have to ‘watch and wait’ to see examples of how the fines are implemented by the regulators in practice, but this carries risk and will not be attractive to investors.
Although it is possible that these fines will not ‘carry through’ to our national laws if we leave Europe, this seems very unlikely. The regulator has long called for increased powers and monetary penalties for breaching the rules, and fines are the best way to motivate compliance.
Category 4: Potentially more expensive /difficult GDPR changes:
Some businesses (not many) may need to appoint a trained Data Protection Officer. This depends on the nature of the data processed by your business. This role is entirely different to the current data protection officers, who in smaller businesses are often an individual who has been ‘lumped with’ the role due to the lack of available alternatives and who in larger ones are often information security officers with excellent technical backgrounds. It may be that those in the second category will fulfil the new role, but it requires a much greater understanding of detailed data protection law than would normally be expected of an information security officer (akin to an experienced data protection lawyer). Because data protection lawyers will be busy themselves advising clients on the new rules, we expect there to be a limited supply of experienced individuals to take on this role, and accordingly salaries may be high. The DPO acts as the contact point for the regulator and must report directly to your board.
There is also a large increase in record keeping. Although some businesses do have diagrams of various data flows within their business, the record-keeping obligations are now more detailed and therefore costly.
Businesses that send data to other countries need to review what mechanism they are relying on to legitimise the international data transfers. This is particularly important where the consent mechanisms used are not ‘best practice’, where there are no ‘model contracts’ in place between the transferring parties, or where there are data transfers to the US which need review under the new ‘Privacy Shield’ replacing the previous Safe Harbour regime, which was struck down in 2015. Large multi-national companies may wish to reconsider whether they choose the more expensive and time-consuming ‘Binding Corporate Rules’ route to legitimise their data transfers, as this may be the best long-term way to validate repeated global high-volume data transfers.
Those companies whose business is based around processing clients’ customer data (data processors) will face some of the biggest changes because, for the first time, data processors’ compliance with data protection law isn’t just an indemnity in a contract; it is now a statutory obligation which leads to fines for non-compliance. It imposes many more detailed record-keeping and diligence obligations on suppliers and data flows than was previously the case. Data processors may wish to review their charging structure to reflect their increased burden when handling client data.
Multi-national companies with any kind of management operations in Europe will need to consider where their ‘main establishment’ is in the EU and some may be caught by the rules for the first time.
It is with these final category 4 changes that some caution needs to be exercised. These changes are potentially transformational to a business, depending on what it does and where it is located, and so once they are costed, it will be a decision for each business to consider carefully (with advice) whether to implement them before the DP/Brexit (and certainly single market) argument is more settled.