Data protection law in the UK is set for a radical overhaul in 2018 and companies should be preparing now for the changes and the compliance challenges that this will bring.
Smartphones, social media and other new digital technologies have transformed how data is collected and current legislation is out of date. The EU General Data Protection Regulation (GDPR) is an attempt to harmonise data protection laws across Europe. The UK's recently announced Data Protection Bill (which will replace the current Data Protection Act) will transpose the GDPR into UK law and will be applicable despite Brexit.
The new enhanced regime, which will be in force from 25 May 2018, has been described by the Information Commissioner as "a game-changer for everyone" since it will affect all businesses that process (i.e. collect, record, use or disclose) data relating to an identified or identifiable natural person ("personal data").
Companies will not escape the need for compliance with the GDPR regime since they will frequently process personal data as part of their core business activities, hold personal data on their employees (including sensitive personal data, termed "special categories" under the GDPR, such as ethnicity, and criminal convictions data when DBS checks are carried out) and possibly use personal data for marketing purposes. The GDPR also reaches beyond Europe: a company outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU will have to comply in respect of that data.
With maximum fines of up to the higher of €20m or 4% of annual turnover, companies cannot afford to be complacent. So what should company directors and risk managers be doing now to prepare for the new legislation, to minimise the risk of incurring significant fines and potential reputational damage if they are held to be non-compliant? What are the insurance implications if they fail to prepare? This article gives practical insight on how companies can best prepare themselves over the coming months.
GDPR Compliance Programme
The GDPR has introduced a new principle of accountability, which will require companies to comply with the law and have appropriate records to demonstrate compliance. Therefore companies should incorporate a compliance programme to put in place a suite of policies, procedures and audit controls to monitor and ensure compliance. A successful programme is likely to require HR, IT, Business Development, senior executives, risk managers and input from all other areas of the business to work together to raise awareness of the new regime and its impact on day-to-day business, and to assist with risk assessments and record keeping.
How data is captured and used is more prescribed in the GDPR and therefore, companies should undertake a detailed review of their personal data processing activities. In particular:
- companies should assess the legal basis for processing personal data (e.g. consent, legitimate interest, compliance with law or to perform a contract) and keep a record of the basis.
- companies relying on consent from individuals to process their personal data will need to meet the new, higher standard requiring consent to be informed, specific, freely given, unambiguous and revocable. Pre-ticked boxes, silence or inactivity will not meet the new standard. Accordingly, companies should review letter templates and marketing materials and, where appropriate, ensure consent is renewed.
- The new requirement for transparency means companies need to be open about how they process personal data. Privacy notices must be provided to all individuals whose personal data the company processes and, in essence, should tell those individuals what information the company holds on them, how it uses it and who it shares it with. Under the GDPR, privacy notices are required to provide a greater level of information and will be far more specific and granular. The most prominent new requirement is that privacy notices must set out the legal basis for each processing activity (e.g. consent, necessary for performance of a contract, legitimate interests). For most organisations, this will mean that existing privacy notices will need to be updated.
- Individuals will have a new right to require firms to erase their personal data – the so-called "right to be forgotten". This may arise if, for example, the data is no longer necessary for the purpose it was collected for or if the individual withdraws his/her consent. Companies may be able to reject an erasure request if, for example, the data is needed to establish, exercise or defend a legal claim, or where the company is required by law (including a regulatory obligation) to retain the data. Companies should consider in advance the circumstances in which they would reject a request to erase data, as well as working out how to give effect to any request. Practically this will also require companies to review their retention practices generally as data should not be kept longer than is necessary.
Client data and HR
Many companies will store personal data on clients and employees.
- Client databases – many companies have databases which may store personal data on former, existing or potential clients for marketing purposes. Organisations need to consider how client consent was given for processing purposes and, as noted above, recognise that pre-ticked boxes or silence will no longer constitute consent. Organisations may wish to prepare new standard templates to obtain consent for marketing purposes, which clearly explain how the data will be used and for how long it will be stored.
- HR databases – these will store personal data on employees (former, current and prospective) and their pension arrangements. Companies should consider what the most appropriate legal basis for processing personal data on employees is (consent is rarely suitable given the imbalance of power in the employment relationship) and should also carry out periodic reviews to remove data no longer required on former and prospective employees.
Data security and breach
Under the new law, a personal data breach which is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the company becoming aware of it. Where the breach is likely to result in a high risk to the individuals concerned, those individuals will additionally have to be notified without undue delay.
Companies should review their existing IT security measures. Do they amount to the "appropriate technical and organisational measures" which the GDPR requires for personal data, and are systems and processes built around the principle of data protection by design and by default? Is there an appropriate data breach response procedure to manage a major data breach? Is this procedure tested regularly? Do employees know who to report suspected breaches to, and how quickly, given that the 72-hour clock starts when the company becomes aware of the breach?
Companies should identify what people within the business know about data protection measures and the new enhanced regime. Do they know: what constitutes personal data and sensitive personal data? What personal data they hold? How data moves around the firm? How data is processed? How long data is retained for? Regular internal training on the GDPR should be given to all staff so that they understand the new legislation and the implications for the firm if it is non-compliant.
Outsourcing to third parties
There may be occasions where companies need to send documents to third parties for review. When defending allegations of misconduct or when responding to regulatory investigations, directors of companies may need to forward documents to their solicitors for advice. Companies may wish to use an external document review agency to review large volumes of data and documents (including personal data) to identify only those documents which are relevant to a transaction. Companies may instruct translators in an international transaction to translate foreign language documents into English. What should companies do to ensure they are GDPR compliant in these situations?
Companies will need to review their relationships with third parties carefully and consider what additional provisions need to be included in these contracts to help ensure compliance with the GDPR. Where a third party processes personal data on the company's behalf (a "processor"), the GDPR requires a written contract containing specified terms, including that the processor acts only on the company's documented instructions, keeps the data confidential, assists the company with breach notification and individuals' requests, and deletes or returns the data at the end of the engagement. Companies should also ask questions such as: how does the third party process personal data? How long does it store it for? What data security does the third party have in place? Do they have cyber and data breach insurance? In short, organisations need to satisfy themselves that any third party handling outsourced data is also complying with the GDPR regime.
Board liability for breaches of the GDPR
Directors need to take the GDPR seriously by reviewing internal procedures and the company's cyber security and data breach response.
Directors should ensure they have appropriate D&O insurance to respond to claims against them by the company/shareholders for non-compliance with the GDPR. The costs of defending claims against them for their personal failure to ensure compliance should be covered.
Companies which store large amounts of personal data should also ensure they have an effective cyber policy with appropriate indemnity limits. The financial consequences of a data breach can be significant. Notifying all individuals affected that there has been a data breach can be expensive and time consuming, and these costs can be insured under a cyber policy. The policy should also cover liability claims brought by individuals who seek compensation for damage (including distress) as a result of the breach, as well as the associated defence costs of responding to these claims.
With just over 6 months until the new data protection legislation comes into force, companies need to be actively preparing to ensure they are GDPR compliant. For many businesses, it will be a matter of identifying what measures are already in place, identifying what steps are needed to comply with the regime, and then filling any gaps.
The legislation is coming in and companies should not be complacent. Clients will expect the companies they do business with to comply with the new regime; the fines could be crippling for the business; there is a serious risk of reputational damage for those companies which fall foul of the legislation.