The recent ransomware attacks should have provoked at least some renewed focus amongst business leaders, company directors and LLP members on the standards of information security they have adopted, and on keeping disruption to trading to a minimum. Another potential cause of disruption is fast approaching: the change to EU rules on data protection, which takes effect on 25 May 2018. Some companies have acted on earlier calls to action; for those who have been pre-occupied with the small number of other macro-economic challenges facing the UK, with one year until implementation, attention to this subject now will be timely.
To be clear - Brexit will not affect the introduction of the GDPR. Once introduced, this law is unlikely to be materially amended, because the UK will wish to remain at the forefront of digital evolution, and that requires uncomplicated international data exchange, including with the remaining EU Member States.
Whether or not a business is established in the EU, if it processes personal data relating to individuals in the EU (for a business established outside the EU, by offering them goods or services or by monitoring their behaviour), the GDPR will apply to it. It will apply to the personal data you hold now just as much as to the data you collect in the future: there is no grandfathering of existing records.
1. I haven’t done anything about this – am I too late? What do I need to do?
It is certainly not too late, but you should not lose much more time, or the project will become rushed. The new law means that you need to know what personal data you are collecting and processing now, on what basis, and what you want to do with it. You also need to know what security measures you are applying to keep that personal data safe. Reaching that understanding requires some form of survey or internal audit, which in turn produces a "data map" identifying where and how personal data comes into your business, what happens to it internally and how (if ever) it leaves. That map is also the raw material for the written record of processing activities which the GDPR requires most organisations to maintain.
2. What next?
The GDPR focuses heavily on transparency – enabling individuals whose information is collected (data subjects) to know far more clearly what is collected, when it is collected, how it is collected and what then will happen to it. The consequence of this is that a review of various data-related documents must be undertaken to ensure compliance with the new rules, including as appropriate:
• data collection notices and privacy policies;
• customer and subscription agreements;
• supplier relationships; and
• investor documentation.
all of which will need to reflect the new responsibilities which the GDPR places on the controller (the party deciding why and how personal data is processed) as well as on any processor acting on its behalf. In particular, collection notices and privacy policies will need to be expanded to cover the additional information the GDPR requires to be given at the point of collection, such as the legal basis for the processing, retention periods and the data subject's rights. Whether data is typed directly into a website or arrives in the form of a business card handed over at a coffee shop, the analysis will need to be done. A key change to the regime is that processors now carry direct statutory obligations of their own: they can be fined by regulators and held directly liable to data subjects. Supply chain contracts will therefore need amending so that any processor to whom personal data is transferred in the course of operations is bound by the mandatory terms (processing only on documented instructions, confidentiality, appropriate security measures, controls over sub-processors, assistance with data subject requests and breach notification, and deletion or return of the data at the end of the engagement) and so managed as to limit the controller's exposure. Such amendments ought not to be controversial, although requests for (disproportionate) indemnity protection are bound to be made and contested.
3. Maximum fines
The approach of encouraging compliance by sanction has occupied the lion's share of headlines to date: the existing maximum penalty of £500,000 under the Data Protection Act will be replaced by a two-tier regime, with fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher, for the most serious breaches (and up to €10 million or 2 per cent for others). Each business carrying out cross-border processing in the EU will have a lead supervisory authority (for businesses headquartered in the UK this will in most cases be the ICO) to which it will answer should problems arise.
4. Data Breaches – Infosec and culture
As a result of the intersection of cyber-security and regulatory pressures, there will be increased pressure to react swiftly and effectively to data breaches and losses. The GDPR sets a hard deadline: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be told as well, and processors must report breaches to their controllers without undue delay. Meeting a 72-hour clock is only realistic if a breach can be detected and escalated quickly, so technology (logging, monitoring and a rehearsed incident response plan) plays a major part in managing the risk, but so too does culture. Training and the raising of general awareness amongst those who work with personal data are critical in the ongoing fight against data loss.
5. Be prepared for more paperwork
Consistent with the need for transparency is the accountability principle: controllers and processors must be able to demonstrate their compliance, not merely assert it. That means keeping a written record of processing activities, of the lawful basis relied on and of any significant changes to the manner in which personal data is processed, and carrying out a documented data protection impact assessment before starting any processing likely to present a high risk to individuals. Such records will serve as a material mitigating factor should anything untoward occur, so the immediate burden of compliance may well prove to be time well spent at a later date.
Conclusion
In summary, it is not too late to start work on a compliance programme to move from the current Data Protection Act-led position to a regime designed to better suit the use of data in a digital era, and the comfort of not having to do this in a rush next spring will repay itself later. The ICO and the EU's Article 29 Working Party are producing increasing amounts of guidance on the subject, so there is some benefit in allowing that thinking to become more fully formed before finalising a programme of work, although the data-mapping exercise described above need not wait for it. Finally, data privacy does not stand in an isolated tower: the practical implementation of technical solutions to comply with, for example, MiFID II on the recording of electronic communications generates an interesting debate regarding the use of private mobiles in the work environment.